Video Screencast Help

Adding Patch Trending to Your Symantec Management Platform Step by Step Guide

Created: 12 Nov 2013 • Updated: 26 Nov 2013 | 32 comments
Language Translations
Ludovic Ferre's picture
+2 2 Votes
Login to vote

Table of content:

Introduction:

If you look around Connect for Patch Trending you will find a number of downloads, articles or even blog post. These are the result of a customer driven process that allowed the tool set to grow organically to something sizable.

This document aims to be the only place you need to go through to get up and running with the tool.

Top

Unpacking:

The installation pack is available from the Site Builder download page, but here is a quick link (at version 15):

https://www-secure.symantec.com/connect/sites/default/files/Patch Trending Package.zip.

Unpack the package into a location of your choice:

1_unpack.png

Top

Installing:

Note! If your SMP is _not_ installed using the default drive and path you'll need to customise the installation directory - see below for the details.

Open an elevated command prompt and go to your package directory to run "install.bat".

The installation process will:

  • Copy SiteBuilder-v14.exe to the destination folder
  • Copy SiteBuilder-v14.exe to SiteBuilder.exe in the destination folder
  • Copy site-layout.txt to the destination folder
  • Copy web.config to the destination folder
  • Import 5 items into the SMP database

The destination folder by default is: "C:\Program Files\Altiris\Notification Server\Web\PatchTrending\". This allow you to navigate to the generated site via the link http://localhost/altiris/ns/patchtrending/.

2_install.png

Top

Console items:

The SMP console will now have the following items at the root of the "Job and Task" folder:

  • Run SiteBuilder (Patch Trending)
  • RunOnce SiteBuilder (Install SQL code)
  • TRENDING Compliance by computer
  • TRENDING Compliance by update
  • TRENDING Inactive computer

3_SMP-console.png

Top

Run once:

The SiteBuilder executable contains all the required stored procedure to trend compliance by update, compliance by computer and inactive computers. To add the procedures into the db (or rest them) the site builder must be invoked with the command line option "/install".

This is done by running the task "RunOnce SiteBuilder (Install SQL code)".

4_RunOnce.png

Top

Scheduling:

Next you need to schedule the 4 remaining tasks to run daily. The trending tasks (that run the SQL) are best run at the end of the day (so you collect and display data for the day on which the collection is done) and the Site Builder task must run once the trending task completed.

5_DailySchedule.png

Here is an sample scheduling table:

Task Name Schedule
TRENDING Compliance by computer
Daily 23:45
TRENDING Compliance by update Daily 23:49
TRENDING Inactive computer Daily 23:53
Run SiteBuilder (Patch Trending) Daily 23:57

Top

Custom destination:

If your Notification Server directory is not under the default drive and path you need to take a few additional steps from the above process to install the toolkit.

On the command line and before running install.bat you must set the installation directory in this manner:

set installdir="<desired destination folder>"

For example:

set installdir="C:\Program Files\Altiris\Patch Trending"

or

set installdir="D:\Altiris\Notification Server\Web\Patch Trending"

2_install_custom.png

Once the items are imported in the SMP console, you need to modify the 2 tasks that run site builder with your custom path:

6_CustomSiteBuilder.png

Top

Conclusion:

With the data collection and site builder scheduled to run you should be able to see some results after a couple of nightly execution (the first night should build up the site with empty graphs and the second night will bring in the data required to draw lines).

Here is the link you'll need to use to access the site builder landing page:

http://<your_smp_name>/altiris/ns/patchtrending

Note that if you have configured the IIS to listen to a different port the port number will have to follow the smp host name or fqdn, with a colon delimiter (i.e. http://<your_server>:8080 if you have changed the default port to 8080).

Top

References:

[1] {CWoc} Patch Trending SiteBuilder
[2] {CWoC} Patch Trending: Adding Patch Compliance Trending Capacity ...
[3] {CWoC} Patch Trending Stored Procedures
[4] {CWoC} Patch Trending: Adding a Compliance by Computer module
[5] {CWoC} Patch Trending: Inactive Computer Trending Report

Comments 32 CommentsJump to latest comment

Ludovic Ferre's picture

I am trying to update the article with additional information, but it's not workring for now.

In the mean time here is the extra data I wanted to put in:

Installing:

Note! If your SMP is _not_ installed using the default drive and path you'll need to customise the installation directory - see below for the details.

Open an elevated command prompt and go to your package directory to run "install.bat".

The installation process will:

  • ...

The destination folder by default is: "C:\Program Files\Altiris\Notification Server\Web\PatchTrending\". This allow you to navigate to the generated site via the link http://localhost/altiris/ns/patchtrending/.

Conclusion:

With the data collection and site builder scheduled to run you should be able to see some results after a couple of nightly execution (the first night should build up the site with empty graphs and the second night will bring in the data required to draw lines).

Here is the link you'll need to use to access the site builder landing page:

http://<your_smp_name>/altiris/ns/patchtrending

Note that if you have configured the IIS to listen to a different port the port number will have to follow the smp host name or fqdn, with a colon delimiter (i.e. http://<your_server>:8080 if you have changed the default port to 8080).

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
JeanWilson's picture

Thank you for sharing this, very valuable to business to show patch trending

0
Login to vote
burndtjammer's picture

Thank you. Could be useful for when management decides to come around and ask us what we do. In truth, it is our job to make sure they don't know what we do for if they do we may be doing a poor job of it.

+1
Login to vote
vinayak patil's picture

Hi ,This is good article for  patch managment.

Can you help me with document for patching of  Symantec Notification server  itself ?

 

Regards 

Vinayak Patil

0
Login to vote
Ludovic Ferre's picture

Hello Vinayak,

You can manage the SMP and other servers via Patch Management, no problems. Just make sure you get some Server licenses first ;).

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
phoward74's picture

When I run the "RunOnce Sitebuilder (Install SQL code)" Task, it fails with a Return Code : -1.  It only runs for about 3 seconds, and in the Log Viewer there is no errors.  It states completed.  Is this a false error, or did it really not run?

0
Login to vote
Ludovic Ferre's picture

Hello phoward74,

-1 indicate an error in all cases.

Can you change the task so it captures the output? This will allow you to check the ouput.

Alternatively you can run "site-builder.exe /install" from the command line (as Administrator) and send me the output here.

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
phoward74's picture

C:\Windows\system32>REM Move to the running folder - by default we run under /Altiris/NS/PatchTrending
C:\Windows\system32>cd "C:\Program Files\Altiris\Notification Server\Web\PatchTrending\"
C:\Program Files\Altiris\Notification Server\Web\PatchTrending>SiteBuilder.exe /install
Dropping spTrendPatchComplianceByUpdate... Failed to construct DatabaseContext object. Connection to database failed

0
Login to vote
Ludovic Ferre's picture

Hum... can you check that the task runs under a privileged account (the appid)?

There's no reason for the task context ot to have access to the DB, or the connection to not work.

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
phoward74's picture

I was in the NS and ran than from the service account we have set that is a Symantec Admin.  I tried from my account which is also a Symantec Admin with the same results.  The service account has access to the SQL DB, but mine does not.

0
Login to vote
Ludovic Ferre's picture

Alright. It sounds like your setup is a little specific. Do you use a SA acocunt to access the DB? It's rather strange, because I get the database context from the built-in provider...

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
phoward74's picture



The Service Acct is an SA and we use it to access the DB.  When we set everything up, we the account SA and didnt change it.  If that needs to be changed to owner we can.

0
Login to vote
Ludovic Ferre's picture

Hello again phoward74,

I am double checking this. In the mean time what you should to is insert the SQL procedures manually (from the management studio).

They are available in a download:

https://www-secure.symantec.com/connect/downloads/cwoc-patch-trending-stored-procedures

This should get you past Step 1. Once the procedures are in place they should work without problem in the SQL tasks.

However I foresee that the sitebuilder will most likely have the same issues connecting to the database... so you'll be able to get grid based report in your console, but not the full site yet.

But we can work on that whilst data is collected on your server (it takes a few days before the charts get really interesting).

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
phoward74's picture

Done...Did you want me to try and run the "Run Sitebuilder (Patch Trending)" Task?

0
Login to vote
Ludovic Ferre's picture

Yes, you can try. I still doubt it'll work, but we shall see.

PS: did you schedule the data gathering procedures? The tasks that will run the stored procedures against the SQL database.

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
phoward74's picture

Yes, I started the 3 tasks and the sitebuilder to run this evening.  I will update tomorrow with results.

+1
Login to vote
phoward74's picture

C:\Windows\system32>REM Move to the running folder - by default we run under /Altiris/NS/PatchTrending
C:\Windows\system32>cd "C:\Program Files\Altiris\Notification Server\Web\PatchTrending\"
C:\Program Files\Altiris\Notification Server\Web\PatchTrending>SiteBuilder.exe
We cannot execute anything as the prerequisite table TREND_WindowsCompliance_ByUpdate is missing.

0
Login to vote
Ludovic Ferre's picture

Hello PHoward,

It looks like you have not installed the stored procedures into the database, or may be not into the Symantec_CMDB as previously indicated [1].

What do the data gathering task look like? If they worked then we have an issue with sitebuilder not getting to the right database, else it's just a matter of putting the procedures in the right location ;).

PS: If you need hands on help (this is kind of dragging now) please contact me via direct message and we'll work something out.

[1] https://www-secure.symantec.com/connect/articles/adding-patch-trending-your-symantec-management-platform-step-step-guide#comment-9819721

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
cparkITSPartners's picture

This is so awesome...

Any way to change the targetted computers?  Meaning I only want to see the windows 7 endpoints?

0
Login to vote
Ludovic Ferre's picture

Hello cpark,

Thanks for your feedback. It's much appreciated :D.

You sure can change the 'target'. There is an optional parameter named @collection in the trending SQL. Just use the filter guid you want and your patch trending will work for the desired set of computers.

Note that we do work with a filter - not a target there.

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
cparkITSPartners's picture

Thanks, will try today.

0
Login to vote
cparkITSPartners's picture

Ludovic, just to be clear, I need to modify the:

spTrendPatchCompliancebyComputer

And modify the @collectionguid as uniqueidentifier ?

 

Do I need to modify the other Trend SP's?

 

Thanks

0
Login to vote
Ludovic Ferre's picture

You are almost there but not quite ;-).

There's no need to modify the stored procedure. Rather you should modify the SQL task that runs daily on the SMP to add the collection guid.

Here is what the task SQL task should look like now:

exec spTrendPatchCompliancebyComputer

And what you want it to look like:

exec spTrendPatchCompliancebyComputer @collectionguid = '<your collection guid>'

Just make sure the same scope is used in the Compliance by Update procedure as well, so we gather data consistantly.

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
dgott20's picture

What did you do to resolve the issue that PHoward was having?  I'm having the same problem.

0
Login to vote
Ludovic Ferre's picture

Hello Dgott20,

The probl;em phoward was having related to the security mechanism in place on the tool that check the running account is member of the Symantec Administrator role.

For some strange reason this check fails when running from the Taskon his (and probably your) server. I did a build that removed this check, but he still had issues running from the Task inside the SMP, then because the acocunt couldn't access the database for some more odd reasons.

We ended up running the task from the Windows Scheduler has both he and I couldn't invest too much time looking into this.

I'll fish out the new build for you and will post it here later on today.

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
dgott20's picture

I looked in the logs on the SQL server and I'm seeing a "Login failed for user 'DOMAIN\SERVERNAME$'"  I have redacted the actual domain and server name but why is it trying to login with the local system account to the DB?  Our SQL is off box, shouldn't it be attempting to connect using the Altiris application credentials we have configured?

0
Login to vote
Ludovic Ferre's picture

I have seen those problems with the credentials being used in R7, but that was for the Task Services.

This was because the R7 release introduce a secure package credential store that was not there before, and part of the agents where not able to read this and would fall back to the computer domain account.

Can you confirm that you are on R7? Did you install the agent pointfix for R7 that solves the package access credential problems (7.1_SP2_MP1.1_V7_PF3366024)?

It seems unrelated, but we'll see!

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
Ludovic Ferre's picture

Here is version 15b for test purposes:

https://www-secure.symantec.com/connect/sites/default/files/SiteBuilder-v15b.zip

Can you check if this helps at all?

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
Login to vote
dgott20's picture

It doesn't, it gives the error :

C:\Windows\system32>REM Move to the running folder - by default we run under /Altiris/NS/PatchTrending
C:\Windows\system32>cd "F:\Program Files\Altiris\Patch Trending\"
C:\Windows\system32>"F:\Program Files\Altiris\Patch Trending\SiteBuilder-v15b.exe"
We cannot execute anything as the prerequisite table TREND_WindowsCompliance_ByUpdate is missing.

 

I can however run the sitebuilder.exe from a command prompt on the server and that does work.  I'll set up a scheduled task similar to what PHoward had to do.  Thanks for your help!

+1
Login to vote
Tomasz Wozniak's picture

Hi Ludovic,

I am trying to make it up and running, first in lab then in production.

Here is the feedback from my installation.

  • Install.bat does not detect installdir path and does not create a new folder. I cannot say why, I disabled echo and still nothing.

I created the folder manually

  • If you have a non standard location cd command without /d switch does not work in RunOnce SiteBuilder (Install SQL code) task.

I added /d swith and run the task again with success. My code is as follows:

REM Move to the running folder - by default we run under /Altiris/NS/PatchTrending
cd /d "e:\Program Files\Altiris\Notification Server\Web\PatchTrending\"
SiteBuilder.exe /install
 

  •  It fails to import the last item on the list. I do not know why.

AeXImportExport being run with command line:/import Patch Compliance trends
Failed to import folder [Patch Compliance trends]. The folder must have thisFolder.xml file in it.

So I imported it using the context menu into Jobs and Task view.

 

patch compliance trends.PNG

HTTP Error 403.14 - Forbidden

The Web server is configured to not list the contents of this directory.

  • Resetting IIS would not make any harm too.

 

Apart from that great work.

Thumb up from me !

Tomasz

 

0
Login to vote
Tomasz Wozniak's picture

Hi Ludovic,

After successful implementation in the lab I installed it in the production. However I have the following questions

  1. The data is collected but the main page http://localhost/altiris/ns/patchtrending/ does not draw the Compliance by Computer and Inactive Computers charts ?

    When I replace manually the index.html file with the index.html from the lab the all 4 charts are displayed, the two bottom graphs are still empty.

    After running the 'Run SiteBuilder (Patch Trending)' the file is overwritten and again only the two top charts 'Installed versus Applicable' and Compliance are rendered.
     

  2. Our Patching world is divided between clients and servers. Their have different policies. Is it possible to displaytwo separate sites for 2 diffrent filters, that is compliance for servers and compliance for clients ?
     
  3. The context menu righ click action for bulletin is not populated. Not sure what I am doing wrong. I checked it 3 times.

Many thanks in adance.

Tomasz

0
Login to vote
Tomasz Wozniak's picture

Hi Ludovic,

The charts finally started populating data after a couple of days. I gave up on the custom right click action.

Everyone likes the patch trending portal here.

Thanks,

Tomasz

0
Login to vote