Patch Management Solution

Hi,

I am trying to understand the full detailed process of how a machine gets patched.  I realize that there are white papers on the entire PM solution, but that is not what I am asking for.

What I am looking for is detailed information about how the agent does the patching when you click on the Software Update link.

Our problem is that when we click on the link, the process takes a long time (about 7 mins) before you see any activity on the screen and I am trying to troubleshoot this issue.  Servers in our environment are patched manually and it seems that WSUS does a much faster job.

Any help on this slowness issue would be greatly appreciated.

Thanks,

Scott.....

Hi Scott,

I'm pretty sure when you start the update cycle manually (or even when its triggered automatically), the first action performed is a 'system assessment scan' which can take a few minutes. This is probably to verify patch applicability since the last automatic scan for the patches ready to be installed.

Combine this with a small refresh delay of the agent's software update page and I think you're there ;)

If I remember correctly, you can even see this assessment scan running when you check the agent logs once the update cycle link is clicked.

 

kr,

Dawi_x

Isn't there a way to stop that system assessment scan?

Where are the Patching logs kept?  This should tell me what's happening every step of the way and I should be able to follow along with the process by refreshing them, correct?

Thanks for your quick response,

Scott.....

Yes you are correct, you should be able to follow the process when reviewing the logs. The log files are clear text and it can be cumbersome to read them just like that.They are located on a W7/2008R2 machine below C:\ProgramData\Symantec\Symantec Agent\Logs.

if you have a client available in front of you, my suggestion is to register the diagnostics dll located in the agents installation folder: "regsvr32 aexagentdiagnostics.dll" (elevated if UAC used). Don't forget to unregister (using /u) when finished if this is a production end user client. Once registered you can right-click the agent icon and select diagnostics window, here you will find a more structured log viewer for the agent.

Another option is to use the RAAD v2 tool or the Symantec Management Agent Diagnstics Tool. Both can be downloaded from connect and are used for remote client troubleshooting (including log viewing).

In my knowledge I don't think you can skip the assessment scan. It's probably also not a good idea to do so, because its there to make sure no patch is to be installed (and errors out) which might be installed in another way (eg. manually in windows) since the last automatic assessment scan (by default every 4 hours).

kr, dawi_x

Another useful tool is to find the ...diagnostics... msi in the Symantec Installation Manager directory on the NS and install it on the client. Then you can see the Altiris log in real time.

To get more detail you can enable verbose logging:

HKEY_LOCAL_MACHINE\SOFTWARE\ALTIRIS\EXPRESS\EVENT LOGGING\LOGFILE

Add a new DWord named Severity with value hexadecimal FF (decimal 255)

HKEY_LOCAL_MACHINE\SOFTWARE\ALTIRIS\ALTIRIS AGENT\INVENTORYRULEAGENT

Add a new DWord named VerboseLogging with value 8.

Andy's right on this one.

ALso, when using the Symantec Management Agent Diagnostics tool, you can also enable/disable verbose logging and enable/disable NSE event capture through the GUI (if you don't want to mess in the clients' registries :))

kr, dawi_x

Thanks again for the responses. To be clear, I am looking for a way to speed up patching - not for one machine, but for all machines. For example, it looks like the pmimport was originally set for all patches and when those were turned off, no one told the system to delete the old stuff. So it looks like there were scans going on for patches we aren't prepared to install yet. Perhaps there are other settings to speed up patching?

If you turn on the verbose logging on one machine you cansee what is taking the time.

Assessment is made on patches you downloaded, if you don't want to report on all vulnerabilties and only check patches you choosed then go to

task/System jobs and tasks/software/patch management/import patch data for Windows

You can check Delete previously downloaded data for... that are now excluded, then chose the softwares you care about in vendors and software, choose languages then click save.  Run this task and it should purge unwanted assessment checks.

The process is the following when you click on start software update cycle
- Validate patch detection rules (applicable, compliant)
- Compare uncompliant patch with update schedules policies (each patch can have a different configured behavior)
- Execute remediations according to policies
- Report result
- reboot
- Report reboot completed

 

In addition to ericg2; please review KM: HOWTO79448, for it simplifies the Patch process completely and provides additional Knowledge Management Article links on how to troubleshoot each step.

You may also review the Symantec Connect Article: ZeroDayPatch: Patch Automation Tool for PMS 7.1 SP2. While this process is not officially supported; I have heard good things from the community.

However, the only caveat that I can think of; ensure the environment is running smoothly without any SQL deadlocks or performance issues, for this could burden the environment.