Stay organized with collections
Save and categorize content based on your preferences.
After you
create a patch job,
you can use Cloud Monitoring to set up alerts that you can use to monitor
the patching process.
When a patch job is created, VM Manager posts the aggregate VM state
to the Cloud Monitoring API. This state is posted every minute after the
patch job is started. The posting of the state stops 15 minutes after the patch
job completes.
To monitor your patch jobs by using alerts complete the following steps:
Set up metrics in Cloud Monitoring for your patch job.
Create patch alerts.
Before you begin
If you haven't already, set up authentication.
Authentication verifies your identity for access to Google Cloud services and APIs. To run
code or samples from a local development environment, you can authenticate to
Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and
APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI.
After installation,
initialize the Google Cloud CLI by running the following command:
In this section, you set up tracking metrics for your patch job using Metrics Explorer.
For more detailed information about using the Metrics Explorer, see
Selecting metrics when using Metrics Explorer.
You can use Cloud Monitoring to track resources across multiple
projects. To see metrics for patch jobs that are in separate projects,
add your projects to the same monitoring workspace. For more information,
see View metrics for multiple projects
In the Google Cloud console, go to the
Cloud Monitoring > Metrics Explorer page.
In Cloud Monitoring, you can set up an alerting policy that provides
notifications of the patch state so that you can resolve these issues in a
timely manner. For more information about alerting, see Introduction to
alerting.
VM instance patch states
To create the alert for patch jobs, use the VM instance patch state as the
filter condition for the alert. The following VM instance patch states are
available:
ACKED: the OS Config agent received the patch notification, but has not
started patching yet
APPLYING_PATCHES: the OS Config agent is applying patches to the VM
DOWNLOADING_PATCHES: the OS Config agent is downloading patches to the VM
FAILED: the patch job failed
INACTIVE: the VM is not running
NO_AGENT_DETECTED: the Patch service is unable to
communicate with the OS Config agent on the VM. Ensure your VMs are properly
connected. For more information, see
Setting up VM Manager.
NOTIFIED: the OS Config agent on the VM is notified, but the patch job
has not started
PATCH_STATE_UNSPECIFIED: the state of the patch job is unknown
PENDING: the VM hasn't received a patch task as yet. This happens
because either the patch job has recently started or the VM is awaiting a
gradual rollout.
REBOOTING: the VM is rebooting
RUNNING_PRE_PATCH_STEP: the OS Config agent is running pre patch steps
RUNNING_POST_PATCH_STEP: the OS Config agent is running post patch steps
STARTED: the patch job has started on the VM
SUCCEEDED: the patch job completed successfully
SUCCEEDED_REBOOT_REQUIRED: the patch job completed successfully but a
VM reboot is required
TIMED_OUT: the patching process timed out
Example patch alert
The following example creates a patch alert that notifies you if there are more
than five failed VMs in a recent patch job.
You can create alerts by using either the Google Cloud console or the Cloud Monitoring
API. The following example uses the Google Cloud console. For detailed information about
creating an alert using the Google Cloud console, see
Creating an alerting policy.
In the Google Cloud console, go to the Monitoring page.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eVM Manager posts the aggregate VM state to the Cloud Monitoring API every minute after a patch job starts, stopping 15 minutes after completion, for monitoring purposes.\u003c/p\u003e\n"],["\u003cp\u003eCloud Monitoring allows you to track patch job resources across multiple projects by adding them to the same monitoring workspace.\u003c/p\u003e\n"],["\u003cp\u003eYou can set up alerts in Cloud Monitoring using VM instance patch states, such as \u003ccode\u003eFAILED\u003c/code\u003e, to receive notifications about the patching process and resolve issues promptly.\u003c/p\u003e\n"],["\u003cp\u003eCreating alerts involves specifying the resource type as "Patch Job," the metric as "VM instance patch state," and filtering by specific states like \u003ccode\u003eFAILED\u003c/code\u003e to trigger notifications based on the number of affected VMs.\u003c/p\u003e\n"],["\u003cp\u003eBefore using the Cloud Monitoring or the REST API, the gcloud CLI needs to be installed and initialized, including setting a default region and zone.\u003c/p\u003e\n"]]],[],null,["# Monitor patch jobs\n\nAfter you\n[create a patch job](/compute/vm-manager/docs/patch/create-patch-job),\nyou can use Cloud Monitoring to set up alerts that you can use to monitor\nthe patching process.\n\nWhen a patch job is created, VM Manager posts the aggregate VM state\nto the Cloud Monitoring API. This state is posted every minute after the\npatch job is started. The posting of the state stops 15 minutes after the patch\njob completes.\n\nTo monitor your patch jobs by using alerts complete the following steps:\n\n1. Start a patch job. See [Creating patch jobs](/compute/vm-manager/docs/patch/create-patch-job).\n2. Set up metrics in Cloud Monitoring for your patch job.\n3. Create patch alerts.\n\nBefore you begin\n----------------\n\n- If you haven't already, set up [authentication](/compute/docs/authentication). Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:\n\n Select the tab for how you plan to use the samples on this page: \n\n ### Console\n\n\n When you use the Google Cloud console to access Google Cloud services and\n APIs, you don't need to set up authentication.\n\n ### gcloud\n\n 1.\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n After installation,\n [initialize](/sdk/docs/initializing) the Google Cloud CLI by running the following command:\n\n ```bash\n gcloud init\n ```\n\n\n If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n 2. [Set a default region and zone](/compute/docs/gcloud-compute#set_default_zone_and_region_in_your_local_client).\n\n ### REST\n\n\n To use the REST API samples on this page in a local development environment, you use the\n credentials you provide to the gcloud CLI.\n 1. [Install](/sdk/docs/install) the Google Cloud CLI. After installation, [initialize](/sdk/docs/initializing) the Google Cloud CLI by running the following command: \n\n ```bash\n gcloud init\n ```\n 2. If you're using an external identity provider (IdP), you must first [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n\n For more information, see\n [Authenticate for using REST](/docs/authentication/rest)\n in the Google Cloud authentication documentation.\n\nSet up metrics\n--------------\n\nIn this section, you set up tracking metrics for your patch job using Metrics Explorer.\nFor more detailed information about using the Metrics Explorer, see\n[Selecting metrics when using Metrics Explorer](/monitoring/charts/metrics-selector).\n\nYou can use Cloud Monitoring to track resources across multiple\nprojects. To see metrics for patch jobs that are in separate projects,\nadd your projects to the same monitoring workspace. For more information,\nsee [View metrics for multiple projects](/monitoring/settings/multiple-projects)\n\n1. In the Google Cloud console, go to the\n **Cloud Monitoring \\\u003e Metrics Explorer** page.\n\n [Go to the Metrics Explorer page](https://console.cloud.google.com/monitoring/metrics-explorer)\n2. In the **Select a metric** section, select **Patch Job**.\n\n3. Select the **Patch** active metric category list, and then select\n **VM instance patch state**.\n\n4. Click **Apply**.\n\n5. Review the metrics.\n\n6. Optional. Create a chart. For more information, see\n [Creating a chart with Metrics Explorer](/monitoring/charts/metrics-explorer).\n\nCreate patch alerts\n-------------------\n\nIn Cloud Monitoring, you can set up an alerting policy that provides\nnotifications of the patch state so that you can resolve these issues in a\ntimely manner. For more information about alerting, see [Introduction to\nalerting](/monitoring/alerts).\n\n### VM instance patch states\n\nTo create the alert for patch jobs, use the VM instance patch state as the\nfilter condition for the alert. The following VM instance patch states are\navailable:\n\n- `ACKED`: the OS Config agent received the patch notification, but has not started patching yet\n- `APPLYING_PATCHES`: the OS Config agent is applying patches to the VM\n- `DOWNLOADING_PATCHES`: the OS Config agent is downloading patches to the VM\n- `FAILED`: the patch job failed\n- `INACTIVE`: the VM is not running\n- `NO_AGENT_DETECTED`: the Patch service is unable to communicate with the OS Config agent on the VM. Ensure your VMs are properly connected. For more information, see [Setting up VM Manager](/compute/vm-manager/docs/setup#overview).\n- `NOTIFIED`: the OS Config agent on the VM is notified, but the patch job has not started\n- `PATCH_STATE_UNSPECIFIED`: the state of the patch job is unknown\n- `PENDING`: the VM hasn't received a patch task as yet. This happens because either the patch job has recently started or the VM is awaiting a gradual rollout.\n- `REBOOTING`: the VM is rebooting\n- `RUNNING_PRE_PATCH_STEP`: the OS Config agent is running pre patch steps\n- `RUNNING_POST_PATCH_STEP`: the OS Config agent is running post patch steps\n- `STARTED`: the patch job has started on the VM\n- `SUCCEEDED`: the patch job completed successfully\n- `SUCCEEDED_REBOOT_REQUIRED`: the patch job completed successfully but a VM reboot is required\n- `TIMED_OUT`: the patching process timed out\n\nExample patch alert\n-------------------\n\nThe following example creates a patch alert that notifies you if there are more\nthan five failed VMs in a recent patch job.\n\nYou can create alerts by using either the Google Cloud console or the Cloud Monitoring\nAPI. The following example uses the Google Cloud console. For detailed information about\ncreating an alert using the Google Cloud console, see\n[Creating an alerting policy](/monitoring/alerts/using-alerting-ui#create-policy).\n\n1. In the Google Cloud console, go to the **Monitoring** page.\n\n [Go to Monitoring](https://console.cloud.google.com/monitoring)\n2. In the Monitoring navigation pane, click **Alerting**.\n\n3. Click **Create Policy**.\n\n4. Click **Add Condition**.\n\n 1. In the **Resource type** drop-down, select **Patch Job**.\n 2. In the **Metric** drop-down, select **VM instance patch state**.\n 3. In the **Filter** field, specify `state=FAILED`.\n 4. In the **Configuration** section set `Any time series violate = 5.`\n 5. Click **Add** .\n\n5. Click **Next** to advance to the notifications section.\n\n 1. Set up notification channels.\n6. Click **Next** to advance to the documentation section.\n\n 1. Set up an alert policy name\n 2. Provide fix instructions\n7. Click **Save**.\n\nWhat's next?\n------------\n\n- Learn more about [Patch](/compute/vm-manager/docs/patch).\n- [Manage your patch jobs](/compute/vm-manager/docs/patch/manage-patch-jobs).\n- [Schedule patch jobs](/compute/vm-manager/docs/patch/schedule-patch-jobs)."]]
