
Is anyone maintaining Patches related information in CMDB?

Suggy
Giga Sage

Around 6 years back one of the customers asked us to retrieve patch-related information using the Discovery product.

At that time I had come across this article - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0695180


Even today it's the same situation. It's surprising that ServiceNow still has not considered this in OOTB Discovery and is asking us to build a customization if required. This is very important information for any Infra team and unfortunately it is not covered in ANY of the discovery products I have come across till now.


Question - Is anyone maintaining patch-related information in CMDB? If yes, please do share some light on this.

I also see a table 'cmdb_ci_patches'. Just wanted to hear from those who have been successfully maintaining patching information.


Even CSDM talks about that but there is no OOB solution/guidance on this.

[Screenshot attached]


1 ACCEPTED SOLUTION

Hey,


Yes, this is what I was referring to.

To answer your second part, a short excursus on how the discovery of software generally works (not including file-based discovery) for Windows machines. This is done by just reading the contents of the install registry. All software listed there will be inventorized (Note: not all software on a server/computer will be registered there). This is all done through WMI probe commands (you can find these in the discovery probe "Windows - Installed Software"). This may not retrieve a full list of all patches installed.


Alternatively, you can always extend the OOTB pattern and add a PowerShell command to retrieve installed patches in detail: powershell - How to get all details from Installed Updates Window - Stack Overflow


Hope this helps,

Regards

Fabian
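An added example (not Fabian's or ServiceNow's code) of the kind of PowerShell a pattern step could run on a Windows host to collect installed updates: it reads the Windows Update Agent history (the same source as the Installed Updates window), the Win32_QuickFixEngineering hotfix list, and the Uninstall registry keys that the "Windows - Installed Software" probe relies on, so the gap between the two sources is visible. It assumes a Windows host where the Windows Update Agent COM API is available and the account can read HKLM.

```powershell
# Added example, not from the thread. Compare three sources of patch data on a
# Windows host and emit JSON that a Discovery pattern step could parse.

# 1. Update history via the Windows Update Agent COM API
#    (what the "Installed Updates" / update history window displays).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

$updates = foreach ($entry in $history) {
    # ResultCode 2 = Succeeded, 3 = Succeeded with errors; skip failed/aborted
    if ($entry.ResultCode -notin 2, 3) { continue }
    [pscustomobject]@{
        Title     = $entry.Title
        KB        = [regex]::Match($entry.Title, 'KB\d+').Value
        Installed = $entry.Date.ToString('yyyy-MM-dd HH:mm:ss')
        # Operation 1 = Installation, 2 = Uninstallation
        Operation = if ($entry.Operation -eq 1) { 'Install' } else { 'Uninstall' }
    }
}

# 2. OS hotfixes as reported by Win32_QuickFixEngineering (what Get-HotFix wraps).
#    Covers OS-level security/hotfix packages, not every update type.
$hotfixes = Get-CimInstance -ClassName Win32_QuickFixEngineering |
    Select-Object HotFixID, Description, InstalledOn

# 3. The install (Uninstall) registry keys: application entries only.
#    Windows updates generally do not appear here, which is why a
#    registry-based software probe misses them.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$registryApps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher

[pscustomobject]@{
    UpdateHistory = @($updates)
    Hotfixes      = @($hotfixes)
    RegistryApps  = @($registryApps)
    Summary       = "$(@($updates).Count) history entries, $(@($hotfixes).Count) hotfixes, $(@($registryApps).Count) registry apps"
} | ConvertTo-Json -Depth 3
```

The KB field is empty for updates whose title carries no KB number (drivers, definition updates), so a pattern that keys on KB numbers should fall back to the title.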


(1) I am not familiar with that feature, so i don't know tbh.
(2) Yes. Dynamic CI Groups are limited to 10.000 CIs at once. However, the process of adding CIs may take a bit to complete (so don't panic if you cannot see all of them in the change immediately).

Suggy
Giga Sage

Hi @Fabian Kunzke, thank you so much for the detailed response.


You are referring to the below in the Discovery console, right?

[Screenshot attached]

If yes, then if I remove all of the above, which types of patches will be inventorized? (Bug fix/Feature/Security patches?)


PS - In a few of my previous engagements, the Infra team was asking that they want to track all the patch-related info for each and every device. Honestly I did not go in deep and ask which type of patches and what their use cases were. (It was part of a CMDB project; we never had SecOps implementations.)


quoccsc
Tera Contributor

Hi Suggy,


I think your question is how to maintain both patches and patching activities.


Patching is an activity, and it is typically implemented with a change request. When you raise a change request to patch a CI, you can use Conflict Detection to check if your change window fits within the Maintenance schedule applied to that CI.


Patches are software to be installed, typically on a Computer/Server. Discovery tools can detect the installed patches after you have performed the patching activity and add them to the CMDB.


So it is important to understand the difference between patching and patches to avoid unnecessary customizations such as adding a new field to the CMDB for the patching schedule.


The cmdb_ci_patches table has a Configuration Item field and a Maintenance schedule field. I think we can use this table as a reference table to plan for patching activities, but to be honest I have not used it yet.

Hi @quoccsc, my question was about how to track the patches applied on the devices.