Legacy ID:KA312026
- If Microsoft releases a high priority patch, it does not necessarily mean that it will be reported in the analysis job by default, since it may not be considered a security patch. By default we report the security patches only; these are the patches that Microsoft generally releases on Patch Tuesdays. The two extra options: 'Security Tools' and 'Non-security Patches' do not fall into this category of security patches.
- If you are trying to download Critical, Important, Security patches, you need to create a smart group in the Catalog that filters for those patches. Then right-click on the smart group / Download Job.
- Looking through the Analysis Results, you can see the Severity column. This column provides the severity level of Security Patches only; for the rest of the patches, including Service Packs, it is listed as 'Unknown'.
- To use a whitelist or blacklist option, use the full network path to the file. The local path will not be interpreted correctly by the appserver, unless the file is locally available.
- If the analysis job is run with a whitelist, you may notice that the Service Packs are not filtered from the results. This is because Service Packs do not carry a Q number (verify in the Q Number column). To remove Service Packs from the results, check 'Filter out service packs from results' in the Patch Analysis Job options.
- If you use the option to 'Deploy All missing Patches', it's recommended to filter Service Packs from the analysis results, because it is not a good practice to deploy Service Packs with regular patches at once. This is because installing Service Packs may disqualify some of the patches as applicable.
- Once the Service Pack is installed, the successive analysis results will not show the Service Pack as 'Installed'. When it comes to Service Packs, we report a Service Pack only if it is 'Missing'.
- In an environment where multiple roles perform Patch Analysis and Deployment, it's best to apply an ACL Template to all affected Roles with Everyone WindowsSoftware.Read authorization. This will ensure that if RoleA adds the new Windows object to the Depot / Hotfix Repository, then RoleB will instantly have access to it. This read access is required because the Hotfix Repository is considered a shared pool of patches.
- Expect to wait on average 8 hours (24 hours in some cases) for new Microsoft patches to show up in BladeLogic Patch Analysis, because after Microsoft releases them, Shavlik needs to test each patch before updating the XML metadata files. Here is the link to subscribe to the Shavlik list for new patch updates. You will receive an email when the patches are available from Microsoft, and a separate email when the patches are available from Shavlik.
http://www.shavlik.com/support/xmlsubscribe.aspx
- There are certain patches which are not made public by Microsoft. Because of this, Shavlik does not support such patches, and they are not available in the BladeLogic standard patching engine. To deploy such patches, they have to be downloaded manually, added as a hotfix (or custom software object) and deployed as a normal deploy job. For more information, review the following article: /apex/KAredirectPage?Type=Solution&KA=KA320323
- Here is the list of supported Shavlik products: https://www.ivanti.com/support/supported-products
If your product of interest is on the list, but BladeLogic does not have a Filter for it, you may file a Feature Enhancement with BMC Support.
---------------------------------------------------
- Configuration for various Patch Deploy scenarios:
Install 1 patch to single server:
Go to server results, right-click on patch / deploy
Install 1 patch to all servers:
Go to Object view, right-click on patch / deploy
Install multiple patches to 1 server:
Go to server results, select patches, right-click / deploy
Install all patches on 1 server:
Go to Server View, right-click on server / 'deploy all missing patches'
Install all patches to all servers:
Check 'filter out service packs', if necessary create a white or black list, and run Analysis. Right-click on Server View / 'deploy all missing patches'.
---------------------------------------------------
- Troubleshooting. Collect the following logs for different scenarios:
Patch Analysis failed:
1. CM: Patch Analysis Job log
2. Target: Agent log: <bladelogic_agent>/rscd.log
3. Target: Shavlik trace log: c:/Trace.txt
Patch Analysis successful, but incorrect results:
1. CM: Patch Analysis Job log
2. CM: Patch Analysis Job run results
3. Target: Agent log: <bladelogic_agent>/rscd.log
4. Target: Shavlik trace log: c:/Trace.txt
5. What the customer expected to see differently
You may need to gather information from the MS bulletin site about the patches in question and validate the info against the results and Trace.txt.
Patch Deploy Failed:
1. CM: Patch Deploy Log
2. Target: bldeploy log: <bladelogic_agent>/Transactions/log/bldeploy-xxx.log
3. Target: TJM log: <bladelogic_agent>/Transactions/log/bltagetjobmanager-xxx.log
4. Target: Agent log: <bladelogic_agent>/rscd.log
Once the bldeploy log is analyzed, you may find some patches completed with exit codes other than 0 (success) or 3010 (reboot needed). You need to request the following:
5. Target: c:\windows\KBxxxxxx.log (for Win2008 c:\windows\windowsupdate.log)
6. Target: Event Viewer errors at the time of patch install failure
Patch Deploy successful, but incorrect successive Analysis results:
1. Target: Verify that the system was restarted after deployment.
2. CM: Patch Deploy Log
3. Target: bldeploy log: <bladelogic_agent>/Transactions/log/bldeploy-xxx.log
4. CM: Successive Patch Analysis Job log
5. CM: Successive Patch Analysis Job run results
6. Target: Shavlik trace log: c:/Trace.txt
7. Target: c:\windows\KBxxxxxx.log (for Win2008 c:\windows\windowsupdate.log) for patch in question
For a specific popup error message or failed exit code, search the RKM for a possible resolution.
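The Target-side items in the checklists above can be gathered in one pass. The script below is an added example, not BMC or Shavlik tooling: it copies the listed logs plus the Event Viewer errors around the failure time into one archive. The parameter names, output location and time window are assumptions; `$AgentDir` stands in for `<bladelogic_agent>`, and `Compress-Archive` assumes PowerShell 5 or later.

```powershell
# Added example: collect the Target-side logs named in the troubleshooting checklists.
# $AgentDir stands in for <bladelogic_agent>; all parameter names are illustrative.
param(
    [Parameter(Mandatory)] [string]   $AgentDir,
    [Parameter(Mandatory)] [datetime] $FailureTime,
    [int]    $WindowMinutes = 60,
    [string] $OutDir = "$env:TEMP\patch-logs-$env:COMPUTERNAME"
)

$from = $FailureTime.AddMinutes(-$WindowMinutes)
$to   = $FailureTime.AddMinutes($WindowMinutes)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$missing = @()

# Single files from the checklists; a missing file is recorded, not fatal.
$single = @((Join-Path $AgentDir 'rscd.log'), 'C:\Trace.txt', 'C:\Windows\windowsupdate.log')
foreach ($path in $single) {
    if (Test-Path -LiteralPath $path) { Copy-Item -LiteralPath $path -Destination $OutDir }
    else { $missing += $path }
}

# bldeploy and target job manager logs: every log under Transactions\log
# written inside the window, so no exact file name has to be guessed.
$txDir = Join-Path $AgentDir 'Transactions\log'
if (Test-Path -LiteralPath $txDir) {
    Get-ChildItem -LiteralPath $txDir -Filter '*.log' |
        Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
        Copy-Item -Destination $OutDir
} else { $missing += $txDir }

# Per-patch installer logs (C:\Windows\KBxxxxxx.log) written inside the window.
Get-ChildItem -Path 'C:\Windows' -Filter 'KB*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
    Copy-Item -Destination $OutDir

# Event Viewer: Critical (1) and Error (2) events around the failure time.
Get-WinEvent -FilterHashtable @{
        LogName = 'System', 'Application'; Level = 1, 2
        StartTime = $from; EndTime = $to
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message |
    Export-Csv -Path (Join-Path $OutDir 'event-errors.csv') -NoTypeInformation

# Record what was not found so the support case shows the gap explicitly.
Set-Content -Path (Join-Path $OutDir 'missing.txt') -Value ($missing -join "`r`n")
Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath "$OutDir.zip" -Force
"$OutDir.zip"
```

The CM-side items (job logs and job run results) are not on the target and still have to be exported from the console.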
Related Products:
- BMC BladeLogic Server Automation Suite