Query Update Management logs

In addition to the details that are provided during Update Management deployment, you can search the logs stored in your Log Analytics workspace. To search the logs from your Automation account, select Update management and open the Log Analytics workspace associated with your deployment.

You can also customize the log queries or use them from different clients. See the Log Analytics search API documentation.

Query update records

Update Management collects records for Windows and Linux VMs; these are the data types that appear in log search results. The following sections describe those records.

Query required updates

A record with a type of RequiredUpdate is created to represent the updates required by a machine. These records have the properties in the following table:

| Property | Description |
|---|---|
| Computer | Fully qualified domain name of the reporting machine. |
| KBID | Knowledge base article ID for the Windows update. |
| ManagementGroupName | Name of the Log Analytics workspace. |
| Product | The products to which the update applies. |
| PublishDate | The date the update is ready to be downloaded and installed from Windows Update. |
| Server | |
| SourceHealthServiceId | Unique identifier representing the Log Analytics Windows agent ID. |
| SourceSystem | OperationsManager |
| TenantId | Unique identifier representing your organization's instance of Azure Active Directory. |
| TimeGenerated | Date and time that the record was created. |
| Type | Update |
| UpdateClassification | Indicates the type of updates that can be applied. For Windows: Critical updates, Security updates, Update rollups, Feature packs, Service packs, Definition updates, Tools, Updates. For Linux: Critical and security updates, Other. |
| UpdateSeverity | Severity rating for the vulnerability. Values are: Critical, Important, Moderate, Low. |
| UpdateTitle | The title of the update. |

Query Update record

A record with a type of Update is created to represent the updates available for a machine and their installation status. These records have the properties in the following table:

| Property | Description |
|---|---|
| ApprovalSource | Applies to the Windows operating system only. Source of approval for the record. The value is Microsoft Update. |
| Approved | True if the record is approved, or False otherwise. |
| Classification | Approval classification. The value is Updates. |
| Computer | Fully qualified domain name of the reporting machine. |
| ComputerEnvironment | Environment. Possible values are Azure or Non-Azure. |
| MSRCBulletinID | Security bulletin ID number. |
| MSRCSeverity | Severity rating for the vulnerability. Values are: Critical, Important, Moderate, Low. |
| KBID | Knowledge base article ID for the Windows update. |
| ManagementGroupName | Name of the Log Analytics workspace. |
| UpdateID | Unique identifier of the software update. |
| RevisionNumber | The revision number of a specific revision of an update. |
| Optional | True if the record is optional, or False otherwise. |
| RebootBehavior | The reboot behavior after installing or uninstalling an update. |
| _ResourceId | Unique identifier for the resource associated with the record. |
| Type | Record type. The value is Update. |
| VMUUID | Unique identifier for the virtual machine. |
| MG | Unique identifier for the management group or Log Analytics workspace. |
| TenantId | Unique identifier representing your organization's instance of Azure Active Directory. |
| SourceSystem | The source system for the record. The value is OperationsManager. |
| TimeGenerated | Date and time of record creation. |
| SourceComputerId | Unique identifier representing the source computer. |
| Title | The title of the update. |
| PublishedDate (UTC) | The date when the update is ready to be downloaded and installed from Windows Update. |
| UpdateState | The current state of the update. |
| Product | The products to which the update applies. |
| SubscriptionId | Unique identifier for the Azure subscription. |
| ResourceGroup | Name of the resource group to which the resource belongs. |
| ResourceProvider | The resource provider. |
| Resource | Name of the resource. |
| ResourceType | The resource type. |

Query Update Agent record

A record with a type of UpdateAgent is created to provide details of the update agent on the machine. These records have the properties in the following table:

| Property | Description |
|---|---|
| AgeofOldestMissingRequiredUpdate | |
| AutomaticUpdateEnabled | |
| Computer | Fully qualified domain name of the reporting machine. |
| DaySinceLastUpdateBucket | |
| ManagementGroupName | Name of the Log Analytics workspace. |
| OSVersion | The version of the operating system. |
| Server | |
| SourceHealthServiceId | Unique identifier representing the Log Analytics Windows agent ID. |
| SourceSystem | The source system for the record. The value is OperationsManager. |
| TenantId | Unique identifier representing your organization's instance of Azure Active Directory. |
| TimeGenerated | Date and time of record creation. |
| Type | Record type. The value is Update. |
| WindowsUpdateAgentVersion | Version of the Windows Update agent. |
| WSUSServer | Errors if the Windows Update agent has a problem, to assist with troubleshooting. |

Query Update Deployment Status record

A record with a type of UpdateRunProgress is created to provide the update deployment status of a scheduled deployment, per machine. These records have the properties in the following table:

| Property | Description |
|---|---|
| Computer | Fully qualified domain name of the reporting machine. |
| ComputerEnvironment | Environment. Values are Azure or Non-Azure. |
| CorrelationId | Unique identifier of the runbook job run for the update. |
| EndTime | The time when the synchronization process ended. |
| ErrorResult | Windows Update error code generated if an update fails to install. |
| InstallationStatus | The possible installation states of an update on the client computer: NotStarted (job not triggered yet); FailedToStart (unable to start the job on the machine); Failed (job started but failed with an exception); InProgress (job in progress); MaintenanceWindowExceeded (execution was still pending when the maintenance window interval was reached); Succeeded (job succeeded); InstallFailed (update failed to install successfully); NotIncluded; Excluded. |
| KBID | Knowledge base article ID for the Windows update. |
| ManagementGroupName | Name of the Log Analytics workspace. |
| OSType | Type of operating system. Values are Windows or Linux. |
| Product | The products to which the update applies. |
| Resource | Name of the resource. |
| ResourceId | Unique identifier for the resource associated with the record. |
| ResourceProvider | The resource provider. |
| ResourceType | Resource type. |
| SourceComputerId | Unique identifier representing the source computer. |
| SourceSystem | Source system for the record. The value is OperationsManager. |
| StartTime | Time when the update is scheduled to be installed. |
| SubscriptionId | Unique identifier for the Azure subscription. |
| SucceededOnRetry | Value indicating whether the update execution failed on the first attempt and the current operation is a retry attempt. |
| TimeGenerated | Date and time of record creation. |
| Title | The title of the update. |
| Type | The type of update. The value is UpdateRunProgress. |
| UpdateId | Unique identifier of the software update. |
| VMUUID | Unique identifier for the virtual machine. |
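The article lists the UpdateRunProgress fields but gives no query over them. The following is an added example, not one of the article's own sample queries: it reports the outcome of each scheduled deployment run (keyed by CorrelationId) for the last 7 days, then lists the individual failures with the Windows Update error code for triage. The 7-day window is a chosen value; the column names are those from the table above, and the `tobool()` cast on SucceededOnRetry is a defensive assumption in case the column is stored as a string.

```kusto
// Added example (not from the original article): deployment outcomes per run.
// One UpdateRunProgress record is emitted per (run, machine, update) as the job progresses,
// so take the latest state per key before counting.
UpdateRunProgress
| where TimeGenerated > ago(7d)                     // assumed lookback window
| summarize arg_max(TimeGenerated, InstallationStatus, SucceededOnRetry)
    by CorrelationId, SourceComputerId, UpdateId
| summarize machines=dcount(SourceComputerId),
            updatesSucceeded=countif(InstallationStatus == "Succeeded"),
            succeededOnRetry=countif(InstallationStatus == "Succeeded" and tobool(SucceededOnRetry) == true),
            updatesFailed=countif(InstallationStatus in ("Failed", "FailedToStart", "InstallFailed")),
            windowExceeded=countif(InstallationStatus == "MaintenanceWindowExceeded"),
            stillRunning=countif(InstallationStatus in ("NotStarted", "InProgress")),
            lastActivity=max(TimeGenerated)
    by CorrelationId
| order by lastActivity desc

// Second query in the same example: the failures themselves, with the error code.
UpdateRunProgress
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by CorrelationId, SourceComputerId, UpdateId
| where InstallationStatus in ("Failed", "FailedToStart", "InstallFailed", "MaintenanceWindowExceeded")
| project TimeGenerated, CorrelationId, Computer, OSType, InstallationStatus, ErrorResult, KBID, Title
| order by TimeGenerated desc
```

Run the two statements separately in the Log Analytics query editor (each is its own query). A run whose `windowExceeded` count is non-zero usually means the maintenance window is too short for the number of updates pending, which is worth catching before the next scheduled run rather than after.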

Query Update Summary record

A record with a type of UpdateSummary is created to provide an update summary per machine. These records have the properties in the following table:

| Property | Description |
|---|---|
| Computer | Fully qualified domain name of the reporting machine. |
| ComputerEnvironment | Environment. Values are Azure or Non-Azure. |
| CriticalUpdatesMissing | Number of applicable critical updates that are missing. |
| ManagementGroupName | Name of the Log Analytics workspace. |
| NETRuntimeVersion | Version of .NET Framework installed on the Windows computer. |
| OldestMissingSecurityUpdateBucket | Specifier of the oldest missing security bucket. Values are: Recent (value is less than 30 days), 30 days ago, 60 days ago, 90 days ago, 120 days ago, 150 days ago, 180 days ago, Older (value is greater than 180 days). |
| OldestMissingSecurityUpdateInDays | Total number of days for the oldest update detected as applicable that has not been installed. |
| OsVersion | The version of the operating system. |
| OtherUpdatesMissing | Count of detected updates missing. |
| Resource | Name of the resource for the record. |
| ResourceGroup | Name of the resource group containing the resource. |
| ResourceId | Unique identifier for the resource associated with the record. |
| ResourceProvider | The resource provider. |
| ResourceType | Resource type. |
| RestartPending | True if a restart is pending, or False otherwise. |
| SecurityUpdatesMissing | Count of missing security updates that are applicable. |
| SourceComputerId | Unique identifier for the virtual machine. |
| SourceSystem | Source system for the record. The value is OpsManager. |
| SubscriptionId | Unique identifier for the Azure subscription. |
| TimeGenerated | Date and time of record creation. |
| TotalUpdatesMissing | Total number of missing updates that are applicable. |
| Type | Record type. The value is UpdateSummary. |
| VMUUID | Unique identifier for the virtual machine. |
| WindowsUpdateAgentVersion | Version of the Windows Update agent. |
| WindowsUpdateSetting | Status of the Windows Update agent. Possible values are: Scheduled installation, Notify before installation, Error returned from unhealthy WUA agent. |
| WSUSServer | Errors if the Windows Update agent has a problem, to assist with troubleshooting. |
| _ResourceId | Unique identifier for the resource associated with the record. |
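UpdateSummary is the table to use for a fleet-wide patch-compliance view, since it already carries per-machine counts and the age of the oldest missing security update. The following is an added example, not one of the article's queries: it keeps the latest summary per machine and flags those that exceed a chosen age threshold, are missing a critical update, or still need a restart; a second statement shows the distribution across the OldestMissingSecurityUpdateBucket values described above. The 30-day threshold and the 1-day lookback are assumed values, not figures from the article.

```kusto
// Added example (not from the original article): machines needing attention.
let staleAfterDays = 30;   // assumed threshold; align with your own patch SLA
UpdateSummary
| where TimeGenerated > ago(1d)                     // assumed lookback window
| summarize arg_max(TimeGenerated, *) by SourceComputerId   // latest summary per machine
| extend needsAttention =
      (SecurityUpdatesMissing > 0 and OldestMissingSecurityUpdateInDays > staleAfterDays)
      or CriticalUpdatesMissing > 0
      or RestartPending == true
| where needsAttention
| project TimeGenerated, Computer, ComputerEnvironment, OsVersion,
          CriticalUpdatesMissing, SecurityUpdatesMissing, OtherUpdatesMissing,
          OldestMissingSecurityUpdateInDays, OldestMissingSecurityUpdateBucket,
          RestartPending, WindowsUpdateSetting, WSUSServer
| order by CriticalUpdatesMissing desc, OldestMissingSecurityUpdateInDays desc

// Second query in the same example: how many machines fall into each age bucket.
UpdateSummary
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, OldestMissingSecurityUpdateBucket) by SourceComputerId
| summarize machines=count() by OldestMissingSecurityUpdateBucket
| order by machines desc
```

Because each machine reports repeatedly, the `arg_max` per SourceComputerId is what turns the table into a current-state view; without it the counts would be inflated by every earlier summary in the window. A machine that shows up with a populated WSUSServer error or `RestartPending == true` but zero missing updates is not compliant yet, which is why those columns are kept in the projection.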

Sample queries

The following sections provide sample log queries for the update records that are collected for Update Management.

Confirm that non-Azure machines are enabled for Update Management

To confirm that directly connected machines are communicating with Azure Monitor logs, run one of the following log searches.

Linux

Heartbeat
| where OSType == "Linux"
| summarize arg_max(TimeGenerated, *) by SourceComputerId
| top 500000 by Computer asc
| render table

Windows

Heartbeat
| where OSType == "Windows"
| summarize arg_max(TimeGenerated, *) by SourceComputerId
| top 500000 by Computer asc
| render table

On a Windows computer, you can review the following information to verify agent connectivity with Azure Monitor logs:

  1. In Control Panel, open Microsoft Monitoring Agent. On the Azure Log Analytics tab, the agent displays the following message: The Microsoft Monitoring Agent has successfully connected to Log Analytics.

  2. Open the Windows Event Log. Go to Application and Services Logs\Operations Manager and search for Event ID 3000 and Event ID 5002 from the source Service Connector. These events indicate that the computer has registered with the Log Analytics workspace and is receiving configuration.

If the agent can't communicate with Azure Monitor logs and is configured to reach the internet through a firewall or proxy server, confirm that the firewall or proxy server is properly configured. To learn how to verify this, see Network configuration for Windows agent or Network configuration for Linux agent.

Note

If your Linux systems are configured to communicate with a proxy or Log Analytics Gateway and you're enabling Update Management, update the proxy.conf permissions to grant the omiuser group read permission on the file by using the following commands:

sudo chown omsagent:omiusers /etc/opt/microsoft/omsagent/proxy.conf
sudo chmod 644 /etc/opt/microsoft/omsagent/proxy.conf

Newly added Linux agents show a status of Updated after an assessment has been performed. This process can take up to 6 hours.

Single Azure VM assessment queries (Windows)

Replace the VMUUID value with the VM GUID of the virtual machine you're querying. You can find the VMUUID that should be used by running the following query in Azure Monitor logs:

Update
| where Computer == "<machine name>"
| summarize by Computer, VMUUID

Missing updates summary

Update
| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and VMUUID=~"b08d5afa-1471-4b52-bd95-a44fea6e4ca8"
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Approved) by Computer, SourceComputerId, UpdateID
| where UpdateState=~"Needed" and Approved!=false
| summarize by UpdateID, Classification
| summarize allUpdatesCount=count(), criticalUpdatesCount=countif(Classification has "Critical"), securityUpdatesCount=countif(Classification has "Security"), otherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security")

Missing updates list

Update
| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and VMUUID=~"8bf1ccc6-b6d3-4a0b-a643-23f346dfdf82"
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, KBID, PublishedDate, Approved) by Computer, SourceComputerId, UpdateID
| where UpdateState=~"Needed" and Approved!=false
| project-away UpdateState, Approved, TimeGenerated
| summarize computersCount=dcount(SourceComputerId, 2), displayName=any(Title), publishedDate=min(PublishedDate), ClassificationWeight=max(iff(Classification has "Critical", 4, iff(Classification has "Security", 2, 1))) by id=strcat(UpdateID, "_", KBID), classification=Classification, InformationId=strcat("KB", KBID), InformationUrl=iff(isnotempty(KBID), strcat("https://support.microsoft.com/kb/", KBID), ""), osType=2
| sort by ClassificationWeight desc, computersCount desc, displayName asc
| extend informationLink=(iff(isnotempty(InformationId) and isnotempty(InformationUrl), toobject(strcat('{ "uri": "', InformationUrl, '", "text": "', InformationId, '", "target": "blank" }')), toobject('')))
| project-away ClassificationWeight, InformationId, InformationUrl

Single Azure VM assessment queries (Linux)

For some Linux distros, there is an endianness mismatch between the VMUUID value that comes from Azure Resource Manager and the value stored in Azure Monitor logs. The following queries check for a match on either endianness. Replace the VMUUID values with the big-endian and little-endian forms of the GUID to return the results correctly. You can find the VMUUID that should be used by running the following query in Azure Monitor logs:

Update
| where Computer == "<machine name>"
| summarize by Computer, VMUUID
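The two GUID forms differ only in the byte order of the first three groups (4, 2 and 2 bytes); the last two groups are identical. Rather than hand-computing the second literal, the query can derive it from the first. The following is an added example, not one of the article's queries, that builds the byte-swapped form with `substring` and `strcat` and then runs the same per-machine missing-update count over both; the GUID literal is the constructed sample value the article's Linux queries use.

```kusto
// Added example (not from the original article): derive the other byte ordering of the VM GUID
// inside the query so both forms are matched without editing two literals.
let vmGuid = "625686a0-6d08-4810-aae9-a089e68d4911";   // constructed sample value from the article
let p0 = substring(vmGuid, 0, 8);    // first group: 4 bytes
let p1 = substring(vmGuid, 9, 4);    // second group: 2 bytes
let p2 = substring(vmGuid, 14, 4);   // third group: 2 bytes
// Reverse the hex pairs within each of the first three groups; keep the rest unchanged.
// For the sample above this yields "a0865662-086d-1048-aae9-a089e68d4911".
let vmGuidSwapped = strcat(
    substring(p0, 6, 2), substring(p0, 4, 2), substring(p0, 2, 2), substring(p0, 0, 2), "-",
    substring(p1, 2, 2), substring(p1, 0, 2), "-",
    substring(p2, 2, 2), substring(p2, 0, 2),
    substring(vmGuid, 18));
Update
| where TimeGenerated > ago(5h) and OSType == "Linux"
| where VMUUID =~ vmGuid or VMUUID =~ vmGuidSwapped
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification)
    by Computer, SourceComputerId, Product, ProductArch
| where UpdateState =~ "Needed"
| summarize missingCount=count() by Computer, VMUUID=vmGuid, Classification
| order by Classification asc
```

The `=~` operator is the case-insensitive string comparison, which matters here because the stored VMUUID may differ in case from the value shown in Azure Resource Manager.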

Missing updates summary

Update
| where TimeGenerated>ago(5h) and OSType=="Linux" and (VMUUID=~"625686a0-6d08-4810-aae9-a089e68d4911" or VMUUID=~"a0865662-086d-1048-aae9-a089e68d4911")
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification) by Computer, SourceComputerId, Product, ProductArch
| where UpdateState=~"Needed"
| summarize by Product, ProductArch, Classification
| summarize allUpdatesCount=count(), criticalUpdatesCount=countif(Classification has "Critical"), securityUpdatesCount=countif(Classification has "Security"), otherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security")

Missing updates list

Update
| where TimeGenerated>ago(5h) and OSType=="Linux" and (VMUUID=~"625686a0-6d08-4810-aae9-a089e68d4911" or VMUUID=~"a0865662-086d-1048-aae9-a089e68d4911")
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, BulletinUrl, BulletinID) by Computer, SourceComputerId, Product, ProductArch
| where UpdateState=~"Needed"
| project-away UpdateState, TimeGenerated
| summarize computersCount=dcount(SourceComputerId, 2), ClassificationWeight=max(iff(Classification has "Critical", 4, iff(Classification has "Security", 2, 1))) by id=strcat(Product, "_", ProductArch), displayName=Product, productArch=ProductArch, classification=Classification, InformationId=BulletinID, InformationUrl=tostring(split(BulletinUrl, ";", 0)[0]), osType=1
| sort by ClassificationWeight desc, computersCount desc, displayName asc
| extend informationLink=(iff(isnotempty(InformationId) and isnotempty(InformationUrl), toobject(strcat('{ "uri": "', InformationUrl, '", "text": "', InformationId, '", "target": "blank" }')), toobject('')))
| project-away ClassificationWeight, InformationId, InformationUrl

Multi-VM assessment queries

Computers summary

Heartbeat
| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId
| join kind=leftouter
(
    Update
    | where TimeGenerated>ago(14h) and OSType!="Linux"
    | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Approved, Optional, Classification) by SourceComputerId, UpdateID
    | distinct SourceComputerId, Classification, UpdateState, Approved, Optional
    | summarize WorstMissingUpdateSeverity=max(iff(UpdateState=~"Needed" and (Optional==false or Classification has "Critical" or Classification has "Security") and Approved!=false, iff(Classification has "Critical", 4, iff(Classification has "Security", 2, 1)), 0)) by SourceComputerId
)
on SourceComputerId
| extend WorstMissingUpdateSeverity=coalesce(WorstMissingUpdateSeverity, -1)
| summarize computersBySeverity=count() by WorstMissingUpdateSeverity
| union (Heartbeat
| where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId
| join kind=leftouter
(
    Update
    | where TimeGenerated>ago(5h) and OSType=="Linux"
    | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification) by SourceComputerId, Product, ProductArch
    | distinct SourceComputerId, Classification, UpdateState
    | summarize WorstMissingUpdateSeverity=max(iff(UpdateState=~"Needed", iff(Classification has "Critical", 4, iff(Classification has "Security", 2, 1)), 0)) by SourceComputerId
)
on SourceComputerId
| extend WorstMissingUpdateSeverity=coalesce(WorstMissingUpdateSeverity, -1)
| summarize computersBySeverity=count() by WorstMissingUpdateSeverity)
| summarize assessedComputersCount=sumif(computersBySeverity, WorstMissingUpdateSeverity>-1), notAssessedComputersCount=sumif(computersBySeverity, WorstMissingUpdateSeverity==-1), computersNeedCriticalUpdatesCount=sumif(computersBySeverity, WorstMissingUpdateSeverity==4), computersNeedSecurityUpdatesCount=sumif(computersBySeverity, WorstMissingUpdateSeverity==2), computersNeedOtherUpdatesCount=sumif(computersBySeverity, WorstMissingUpdateSeverity==1), upToDateComputersCount=sumif(computersBySeverity, WorstMissingUpdateSeverity==0)
| summarize assessedComputersCount=sum(assessedComputersCount), computersNeedCriticalUpdatesCount=sum(computersNeedCriticalUpdatesCount),  computersNeedSecurityUpdatesCount=sum(computersNeedSecurityUpdatesCount), computersNeedOtherUpdatesCount=sum(computersNeedOtherUpdatesCount), upToDateComputersCount=sum(upToDateComputersCount), notAssessedComputersCount=sum(notAssessedComputersCount)
| extend allComputersCount=assessedComputersCount+notAssessedComputersCount

Missing updates summary

Update
| where TimeGenerated>ago(5h) and OSType=="Linux" and SourceComputerId in ((Heartbeat
| where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification) by Computer, SourceComputerId, Product, ProductArch
| where UpdateState=~"Needed"
| summarize by Product, ProductArch, Classification
| union (Update
| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and SourceComputerId in ((Heartbeat
| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Approved) by Computer, SourceComputerId, UpdateID
| where UpdateState=~"Needed" and Approved!=false
| summarize by UpdateID, Classification )
| summarize allUpdatesCount=count(), criticalUpdatesCount=countif(Classification has "Critical"), securityUpdatesCount=countif(Classification has "Security"), otherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security")

Computers list

Heartbeat
| where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions, Computer, ResourceId, ComputerEnvironment, VMUUID) by SourceComputerId
| where Solutions has "updates"
| extend vmuuId=VMUUID, azureResourceId=ResourceId, osType=1, environment=iff(ComputerEnvironment=~"Azure", 1, 2), scopedToUpdatesSolution=true, lastUpdateAgentSeenTime=""
| join kind=leftouter
(
    Update
    | where TimeGenerated>ago(5h) and OSType=="Linux" and SourceComputerId in ((Heartbeat
    | where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
    | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
    | where Solutions has "updates"
    | distinct SourceComputerId))
    | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Product, Computer, ComputerEnvironment) by SourceComputerId, Product, ProductArch
    | summarize Computer=any(Computer), ComputerEnvironment=any(ComputerEnvironment), missingCriticalUpdatesCount=countif(Classification has "Critical" and UpdateState=~"Needed"), missingSecurityUpdatesCount=countif(Classification has "Security" and UpdateState=~"Needed"), missingOtherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security" and UpdateState=~"Needed"), lastAssessedTime=max(TimeGenerated), lastUpdateAgentSeenTime="" by SourceComputerId
    | extend compliance=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0, 2, 1)
    | extend ComplianceOrder=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0 or missingOtherUpdatesCount > 0, 1, 3)
)
on SourceComputerId
| project id=SourceComputerId, displayName=Computer, sourceComputerId=SourceComputerId, scopedToUpdatesSolution=true, missingCriticalUpdatesCount=coalesce(missingCriticalUpdatesCount, -1), missingSecurityUpdatesCount=coalesce(missingSecurityUpdatesCount, -1), missingOtherUpdatesCount=coalesce(missingOtherUpdatesCount, -1), compliance=coalesce(compliance, 4), lastAssessedTime, lastUpdateAgentSeenTime, osType=1, environment=iff(ComputerEnvironment=~"Azure", 1, 2), ComplianceOrder=coalesce(ComplianceOrder, 2)
| union(Heartbeat
| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions, Computer, ResourceId, ComputerEnvironment, VMUUID) by SourceComputerId
| where Solutions has "updates"
| extend vmuuId=VMUUID, azureResourceId=ResourceId, osType=2, environment=iff(ComputerEnvironment=~"Azure", 1, 2), scopedToUpdatesSolution=true, lastUpdateAgentSeenTime=""
| join kind=leftouter
(
    Update
    | where TimeGenerated>ago(14h) and OSType!="Linux" and SourceComputerId in ((Heartbeat
    | where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
    | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
    | where Solutions has "updates"
    | distinct SourceComputerId))
    | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, Optional, Approved, Computer, ComputerEnvironment) by Computer, SourceComputerId, UpdateID
    | summarize Computer=any(Computer), ComputerEnvironment=any(ComputerEnvironment), missingCriticalUpdatesCount=countif(Classification has "Critical" and UpdateState=~"Needed" and Approved!=false), missingSecurityUpdatesCount=countif(Classification has "Security" and UpdateState=~"Needed" and Approved!=false), missingOtherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security" and UpdateState=~"Needed" and Optional==false and Approved!=false), lastAssessedTime=max(TimeGenerated), lastUpdateAgentSeenTime="" by SourceComputerId
    | extend compliance=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0, 2, 1)
    | extend ComplianceOrder=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0 or missingOtherUpdatesCount > 0, 1, 3)
)
on SourceComputerId
| project id=SourceComputerId, displayName=Computer, sourceComputerId=SourceComputerId, scopedToUpdatesSolution=true, missingCriticalUpdatesCount=coalesce(missingCriticalUpdatesCount, -1), missingSecurityUpdatesCount=coalesce(missingSecurityUpdatesCount, -1), missingOtherUpdatesCount=coalesce(missingOtherUpdatesCount, -1), compliance=coalesce(compliance, 4), lastAssessedTime, lastUpdateAgentSeenTime, osType=2, environment=iff(ComputerEnvironment=~"Azure", 1, 2), ComplianceOrder=coalesce(ComplianceOrder, 2) )
| order by ComplianceOrder asc, missingCriticalUpdatesCount desc, missingSecurityUpdatesCount desc, missingOtherUpdatesCount desc, displayName asc
| project-away ComplianceOrder

Missing updates list

Update
| where TimeGenerated>ago(5h) and OSType=="Linux" and SourceComputerId in ((Heartbeat
| where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, BulletinUrl, BulletinID) by SourceComputerId, Product, ProductArch
| where UpdateState=~"Needed"
| project-away UpdateState, TimeGenerated
| summarize computersCount=dcount(SourceComputerId, 2), ClassificationWeight=max(iff(Classification has "Critical", 4, iff(Classification has "Security", 2, 1))) by id=strcat(Product, "_", ProductArch), displayName=Product, productArch=ProductArch, classification=Classification, InformationId=BulletinID, InformationUrl=tostring(split(BulletinUrl, ";", 0)[0]), osType=1
| union(Update
| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and SourceComputerId in ((Heartbeat
| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, KBID, PublishedDate, Approved) by Computer, SourceComputerId, UpdateID
| where UpdateState=~"Needed" and Approved!=false
| project-away UpdateState, Approved, TimeGenerated
| summarize computersCount=dcount(SourceComputerId, 2), displayName=any(Title), publishedDate=min(PublishedDate), ClassificationWeight=max(iff(Classification has "Critical", 4, iff(Classification has "Security", 2, 1))) by id=strcat(UpdateID, "_", KBID), classification=Classification, InformationId=strcat("KB", KBID), InformationUrl=iff(isnotempty(KBID), strcat("https://support.microsoft.com/kb/", KBID), ""), osType=2)
| sort by ClassificationWeight desc, computersCount desc, displayName asc
| extend informationLink=(iff(isnotempty(InformationId) and isnotempty(InformationUrl), toobject(strcat('{ "uri": "', InformationUrl, '", "text": "', InformationId, '", "target": "blank" }')), toobject('')))
| project-away ClassificationWeight, InformationId, InformationUrl

Next steps