
How to get OMS alerts in SCOM

 

During recent events and customer contacts I got a lot of questions about integrating SCOM with OMS. It also popped up several times during my recent webinar with Savision. The question makes sense because a lot has already been invested in SCOM and it is mostly the start of your ITIL process… But how do you actually get alerts in SCOM from OMS? Well, by using OMS and Azure Automation of course!

printscreen-0439

Step 1: Define what you want to forward to SCOM by defining a scenario and a search query

The scenario is key at this stage of the process. You need to define what you are looking for. Alerting in OMS is quite different from alerting in SCOM. In OMS you need to ask yourself “How many times did X happen in Y time?” instead of the “If this then that” kind of monitoring you do in SCOM.

This is very important for finding the right search query. In this post I’m going to demonstrate the following scenario:

I want to have an alert in SCOM when there are 5 password attempts in the last hour on the administrator account

It’s possible to solve this issue with SCOM, but hey, we are going to use OMS + Azure Automation, right?

Step 2: Get all the building blocks linked together

The following high-level steps need to be in place for this to work. Links are provided to help you prepare:

 

Step 3: Create the Azure Automation runbook

Open the Azure portal by going to portal.azure.com and select the subscription in which your workspace is configured.

Select the Automation Accounts logo:

printscreen-0451

Make sure you select the correct Automation Account

printscreen-0452

Now you get an overview of all the runbooks which are configured in your automation account. Select Runbooks in the middle bar:

printscreen-0453

In the next screen choose: “+ Add a runbook”

printscreen-0454

Choose “Create a new runbook”

printscreen-0455

Give the new runbook a name and choose PowerShell as the runbook type:

printscreen-0456

Copy the following PowerShell code into the right-hand window:

param(
    [Object]$WebhookData
)

## Check whether the event log source exists; create it if it does not ##
## (creating a source requires administrative rights on the hybrid worker) ##
if (-not [System.Diagnostics.EventLog]::SourceExists("OMS")) {
    New-EventLog -LogName Application -Source "OMS"
}

## Get the content of the webhook ##
$RequestBody = ConvertFrom-Json -InputObject $WebhookData.RequestBody

## This is just to show you what's in it (debugging aid; C:\Temp must exist) ##
$RequestBody | Export-Clixml -Path C:\Temp\Invoke-OMSAlertDiskCleanup_RequestBody.xml

## You can get all the values! ##
## @() keeps this an array even when the search returns a single result ##
$results  = @($RequestBody.SearchResults.value)
$user     = $results[0].Account
$computer = $results[0].Computer
## Number of search results delivered with the alert ##
$counter  = $results.Count

## Let's create this for SCOM ##
Write-EventLog -LogName Application -Source "OMS" -EntryType Error -EventID 1 -Message "User: $user has too many failed logon attempts on $computer. This happened $counter times."

 

Click the Save button, then the Publish button, and click Yes to publish the runbook to your Azure Automation account.

printscreen-0458printscreen-0459

printscreen-0460

Your runbook is now ready to be triggered by our alert in step 4
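The parsing the runbook performs can be pulled into a function and exercised offline before the alert is wired up. This is an added example, not code from the original post: the function name ConvertTo-OmsAlertMessage, the sample payloads and the 256-character cap are assumptions, and the payload shape is inferred from the property paths the runbook reads.

```powershell
# Added example (not the original runbook). The payload shape, SearchResults.value[]
# with Account and Computer properties, is inferred from the runbook's property paths.
function ConvertTo-OmsAlertMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$RequestBodyJson
    )

    if ([string]::IsNullOrWhiteSpace($RequestBodyJson)) {
        throw 'Webhook request body is empty.'
    }
    try {
        $body = ConvertFrom-Json -InputObject $RequestBodyJson -ErrorAction Stop
    }
    catch {
        throw "Webhook request body is not valid JSON: $($_.Exception.Message)"
    }

    # @() keeps an array even for a single row; Where-Object drops null entries.
    $rows = @($body.SearchResults.value | Where-Object { $null -ne $_ })
    if ($rows.Count -eq 0) {
        throw 'Webhook request body contains no search results.'
    }

    # The user name in a failed-logon event is typed by whoever attempted the logon,
    # so treat it as untrusted: replace control characters (no forged extra lines in
    # the event text) and cap the length (256 is an assumed limit).
    $clean = {
        param([string]$Value)
        $text = ($Value -replace '[\x00-\x1F\x7F]', ' ').Trim()
        if ($text.Length -gt 256) { $text = $text.Substring(0, 256) }
        if ($text) { $text } else { '<unknown>' }
    }
    $user     = & $clean ($rows[0].Account)
    $computer = & $clean ($rows[0].Computer)

    [pscustomobject]@{
        User     = $user
        Computer = $computer
        Count    = $rows.Count
        Message  = "User: $user has too many failed logon attempts on $computer. " +
                   "This happened $($rows.Count) times."
    }
}

# Constructed sample payloads (not captured from a real workspace).
$sixRows = @{
    SearchResults = @{
        value = @(1..6 | ForEach-Object {
            @{ Account = 'VLAB\Administrator'; Computer = 'SRV01.vlab.local'; EventID = 4625 }
        })
    }
} | ConvertTo-Json -Depth 5

# Edge cases: a single result row, and an account value containing a line break.
$oneRow = @{
    SearchResults = @{
        value = @(
            @{ Account = "VLAB\Administrator`r`nforged line"; Computer = 'SRV01.vlab.local' }
        )
    }
} | ConvertTo-Json -Depth 5

(ConvertTo-OmsAlertMessage -RequestBodyJson $sixRows).Message
(ConvertTo-OmsAlertMessage -RequestBodyJson $oneRow).Message

# In the runbook the result would feed the existing call, for example:
# $result = ConvertTo-OmsAlertMessage -RequestBodyJson $WebhookData.RequestBody
# Write-EventLog -LogName Application -Source 'OMS' -EntryType Error -EventID 1 -Message $result.Message
```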

Step 4: Develop the search query in OMS and create the OMS alert

Ok, I’m cutting some steps short here. I assume you already have your machine connected to OMS and are sending up your security logs. If not, follow these guidelines to get you going: http://scug.be/dieter/2015/05/08/microsoft-operations-management-suite-quickstart-guide/

So let’s see how we are going to solve this… First of all, most search queries do not have to be constructed from the ground up. They can just be found in the solutions and tweaked a bit. For example, the query for this scenario can easily be extracted from the Security and Audit solution (if you have configured it, of course):

Open up the Security and Audit Solution by clicking on the Security and Audit solution:

printscreen-0440

In the left part of the screen you have “Identity and Access”. Click on it to open it.

printscreen-0441

In the middle of the screen you get the amount of failed logons and eureka! Vlab\administrator is in there… Well for demo reasons I had my 5 year old try to login…

So click on the desired account.

printscreen-0442

The search query window opens and there you have your search query all ready to go…

printscreen-0443

Type=SecurityEvent AccountType=user AND EventID=4625 Account='VLAB\Administrator'

Now click on the Alert button on the top left choices to instantly create an OMS Alert which will be our trigger for the process to get the alert in SCOM:

printscreen-0445

The Create alert window pops open and basically has 3 areas:

  • General: This is where you define your criteria for the alert to be fired
  • Schedule: This is where you define your frequency of checking + the amount it has to occur within this timeframe
  • Actions: This is where you define how you would like to be notified

First things first: The General part:

printscreen-0446

  • Fill in a name for the Alert
  • Choose the Severity
  • Search query is already filled in and copied from the search query window earlier on.
  • Time window: this can be no lower than 5 minutes. For demo purposes we set it at 15 min.

Note: You already see we have 6 results for the given timeframe so our alert is going to fire.

Second the schedule part:

printscreen-0447

  • Alert frequency is when the search query needs to run. We choose here every 5 min.
  • Generate alert based on: Here we define how many results the search query needs to return before we want to be notified. In this scenario there’s no point in alerting when someone mistyped the password just once; that is highly unlikely to be a hacking attempt.
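How the time window, alert frequency and result threshold interact, as an added example that is not part of the original post. It is a simplified model of the evaluation that goes beyond the single screenshot case by replaying every scheduled run over a set of events: the 15-minute window and 5-minute frequency come from the post, while the function name, the constructed events and a threshold of "greater than 5" are assumptions.

```powershell
# Added example: replay the alert schedule over a set of failed-logon events.
# Each run looks back over the time window and fires when the number of matching
# events is greater than the threshold.
function Test-FailedLogonAlert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with TimeGenerated, Account, EventID
        [Parameter(Mandatory)][datetime]$Start,    # first scheduled run
        [Parameter(Mandatory)][datetime]$End,      # last scheduled run
        [string]$Account       = 'VLAB\Administrator',
        [int]$FrequencyMinutes = 5,                # alert frequency from the post
        [int]$WindowMinutes    = 15,               # time window from the post
        [int]$Threshold        = 5                 # assumed: fire when results > 5
    )

    for ($runAt = $Start; $runAt -le $End; $runAt = $runAt.AddMinutes($FrequencyMinutes)) {
        $from = $runAt.AddMinutes(-$WindowMinutes)

        # Same filter as the search query: event 4625 for one account, limited to the window.
        $hits = @($Events | Where-Object {
            $_.EventID -eq 4625 -and
            $_.Account -eq $Account -and
            $_.TimeGenerated -gt $from -and
            $_.TimeGenerated -le $runAt
        })

        [pscustomobject]@{
            RunAt   = $runAt
            Results = $hits.Count
            Fires   = $hits.Count -gt $Threshold
        }
    }
}

# Constructed events: a burst of six failures, one late straggler and one event
# for another account that the filter must ignore.
$t0 = [datetime]'2017-06-01T10:00:00'
$events = @(
    1, 2, 3, 6, 7, 8, 30 | ForEach-Object {
        [pscustomobject]@{
            TimeGenerated = $t0.AddMinutes($_)
            Account       = 'VLAB\Administrator'
            EventID       = 4625
        }
    }
    [pscustomobject]@{
        TimeGenerated = $t0.AddMinutes(4)
        Account       = 'VLAB\svc-backup'   # constructed account name
        EventID       = 4625
    }
)

Test-FailedLogonAlert -Events $events -Start $t0.AddMinutes(5) -End $t0.AddMinutes(35) |
    Format-Table RunAt, Results, Fires -AutoSize
```

Because the window is longer than the frequency, one burst of failures can satisfy the threshold on consecutive runs, so the runbook may write more than one event for the same incident.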

Third the Actions pane:

printscreen-0448

  • Email notification: Well self explanatory
  • Webhook: If you have another application which is taking in a webhook url you can activate it here. In fact calling a runbook is also a webhook but more on that later.
  • Runbook: Here you can select an Azure Automation runbook which is linked to your workspace. (Note: I selected a runbook I made earlier on. Select here the name you gave your runbook in step 3.)
    • Click yes

printscreen-0449

    • select the runbook (note you can not change the automation account the one displayed is linked to your workspace)

printscreen-0450

Run on (choose hybrid worker)

      • Note a small bug is still live in the console. If you close this view after configuring the actions and check the config of the alert this will always highlight Azure although you have selected Hybrid Worker => no panic!

 

So now we already have the alert which is kicking off our runbook on our Hybrid worker on prem.

At this stage we have:

  1. An alert which is detected in OMS
  2. An alert is raised in OMS. This can be checked by clicking the red dot on the bell in the top toolbar of your OMS workspace

printscreen-0461

3. A runbook is triggered which:

    1. Extracts the data from the oms alert webhook
    2. Creates a log file on the azure hybrid worker
    3. logs the data in the eventlog of the hybrid worker.

Step 5: Get the alert in SCOM

So now when we check the event log of the Azure hybrid worker on prem, we normally find the following alert every time the OMS automation runbook is triggered by the OMS alert:

 

printscreen-0463

Now it’s quite straightforward to get the alert in SCOM by using a standard Monitor (self resetting after a while)

printscreen-0465

Note: I used custom targeting to the Hybrid Runbook Worker to make sure the monitor is not run on all machines.

and eureka:

printscreen-0464

The MP I used for reference: http://scug.be/dieter/files/2017/06/OMS.Alerting.MP_.rar

 

success_baby

The alerts show up in SCOM triggered by our search query, transferred through OMS alerting, treated by an OMS automation runbook towards our Azure Hybrid runbook worker where it’s picked up by our management pack…

SCU 2016: Prepare to have your mind blown!

 

I got the news that I have the privilege (that’s how I definitely see it) to speak once again at SystemCenterUniverse in Dallas on the 19th of January 2016.

theoryxi

I consider this a huge privilege as I have a special relationship with this particular event. This is in fact where my wild journey through the System Center Universe as a speaker started. 2 years ago SCU held a fierce battle to determine who would be the new SCU_Jedi winning a session at this event… I was lucky enough to pull it off and suddenly I was presenting among the (what I consider) big shots in the System Center world…

Most of them are still presenting today if you look at the list of speakers it is quite impressive:

The first but not complete list: http://www.systemcenteruniverse.com/presenters.htm

As you can see, all the usual suspects are there!

For the full agenda please check here: http://www.systemcenteruniverse.com/agenda.htm

This year again there’s a 2 track approach so you have the ability to cross over and see a session out of your comfort zone to learn really cool new stuff!

My session will be about the vast power of OMS and how it can create new possible insights in your environment. A truly not to miss session if you ask me.

Can’t fly in?

Too bad… You are missing out…

Not really! Because SCU is (I think) the only event that offers free streaming of the event over the web. There are even a lot of viewing parties organized near your location where you can easily follow the event!

OK but why should I fly in then?

Well, that’s very simple as well! If you have the ability to fly in you get a chance to mingle with peers and talk to the speakers. There are no designated areas for speakers whatsoever, so everyone is really accessible to have a chat or answer your questions…

So this is probably expensive right?

A full day of training on different subjects for only 150$ that’s a bargain if you ask me!

Last but not least

This is one of the events that really embrace social media (Twitter, Facebook,…) to reach out to attendees onsite but also across the world to engage during and after the event.

Make sure you follow: @scu2016 and #scu2016 on twitter for the latest updates and feeds!

 

Hopefully see you all there!

SCOM: Add community power and keep the engine running…

 

Let’s face it: a good program is like a car. You need to maintain it properly to keep it in running condition. Well this is also the case with SCOM. I visit a lot of clients and one of the main questions I get is in fact how to make sure SCOM stays healthy and running.

Field_maintenance_on_a_1956_model_Cessna_172

Well there are some indicators in SCOM itself suggesting that there are issues with the install but unfortunately they are easily missed or looked over.

So this is where the awesome SCOMunity steps in!

This post should become your one stop location to find some of the leading community management packs you’ll need to keep your SCOM environment going or at least very easily pinpoint where there are (potential) issues.

These are management packs I actually install at almost every client I visit:

TAO Yang’s Self Maintenance management pack

Tao has been an active member of the SCOMunity for quite some time now and his self maintenance management pack is already at version 2.4.0. This management pack features a lot of tasks and checks that every SCOM admin should perform, but it’s always cool to have a management pack doing it for you. Before I used Tao’s management pack I had a standard PowerShell toolkit to automate some of the tasks, but now, if the customer approves it (remember it’s still an unsealed MP so sometimes you need the customer’s approval), I load up the management pack and configure it. Tao really went all in and also included a PDF to assist you in installing and configuring the MP.

image_thumb7

Image (Tao Yang)

Some of the tasks I like the most (this is not a full list but just to highlight the things I personally find handy in there):

  • Automatic scheduled distribution of agents across the  management servers. Even with the possibility to limit the amount of agents distributed between the management servers
  • Auto approve agents in management pending based on a input mask to make sure they are allowed in the MG.
  • Check whether a management server is placed in maintenance mode
  • Find orphaned alerts
  • ….

This is an invaluable management pack for every SCOM admin out there, whether you are visiting a lot of clients and need to get a clear view of the health of the management group or have only one client. It will free up a lot of your time and also reduce the chance of problems because there are early warning systems built in. More info here:

http://blog.tyang.org/2014/06/30/opsmgr-2012-self-maintenance-management-pack-2-4-0-0/

SCOM Health Check Reports V3 (Oskar Landman + Pete Zerger)

One of the other hard things to do is in fact give a small report to the SCOM admin / supervisor telling how SCOM is actually doing and whether things are well in your SCOM environment.

Just recently Oskar Landman and Pete Zerger have updated their SCOM Health Check reports to give you a proper status in one glance.

This set of reports will give you an even more in-depth view of how your environment is doing and what the key points are to work on to further enhance it. One of the key benefits is that you can check in detail that every aspect of your databases, and what is coming into them, is valid and not too much. This is really helpful when you start your noise cancelling and want to focus on the big consumers of space and CPU time on your SQL databases.

Make sure you read the manual thoroughly before proceeding as you need to take additional steps prior to installation.

More info here:

image_thumb12

Image (SystemCenterCentral)

Check the article here: http://www.systemcentercentral.com/scom-health-check-reports-v3/

Download here: https://gallery.technet.microsoft.com/SCOM-Health-Check-Reports-c32e8f93

Let’s crank up that download count because this is definitely something you need in your SCOM environment

TAO Yang’s SCOM datawarehouse health script

This one is clean and simple. All the different things you would need to check on your datawarehouse but actually probably never did combined in a PowerShell script.

All the different aspects of what you need to know about your data warehouse are gathered and reported on an HTML page. This is one of the things you actually need to do at every customer site you come across to get an instant view of how the data warehouse and, more importantly, the SCOM environment is set up and performing.

More info can be found here: http://blog.tyang.org/2015/06/11/opsmgr-2012-data-warehouse-health-check-script/

In conclusion

These are just 3 community provided tools which are freely available to help you get more insight in your environment or the environment you need to troubleshoot.

Special thanks go out to Tao Yang, Oskar Landman and Pete Zerger in particular for investing their time in making these solutions possible / available, and of course also thanks to all the other active community members who keep developing new things for SCOM and System Center in general.

If you are just starting with SCOM: This is not an exhaustive list of all the add-ons out there. If you are looking for a 1 place stop to start your journey take a look at my: SCOM Link overview blog which is currently under revision: http://scug.be/dieter/2012/12/30/scom-2012-overview-link-blog/

Microsoft Operations Management Suite: Remove workspace

 

This blog post is part of the Microsoft Operations management Suite Quick start guide which can be found here: http://scug.be/dieter/2015/05/08/microsoft-operations-management-suite-quickstart-guide/

 

One of the things I noticed right away when I first opened the Microsoft Operations Management Suite (OMS) was that I had different workspaces. They were all created in Opinsights because I had added 3 different management groups in their respective SCOM consoles.

No sweat of course. I now build 1 management group in my lab environment where I configured everything so I wanted to get rid of the other workspaces.

Turns out there are 2 ways you can delete a workspace and in fact this was not clear in the beginning.

How to get to the “close workspace” option

The remove option is well hidden in the menus, probably to avoid accidental deletion, which is actually a good thing, but it’s a little bit too hidden in my humble opinion.

To get to the remove option follow the steps below:

Log on with your account. You will actually get all the different workspaces which are configured and hold data:

printscreen-0310

In this case I would like to remove the DWIT workspace as this is my ancient lab environment.

Select DWIT and open the workspace.

printscreen-0312

Select DWIT in the right upper corner and select the DWIT EUS | administrator wheel:

printscreen-0313

At this point you will have the settings of your workspace and right at the bottom there’s an option to close the workspace.

NOTE: Make no mistake your workspace will be removed and your data will be erased!

printscreen-0315

Now here is where things can go either way. There are 2 different options here:

  • Workspace connected to a MS account
  • Workspace connected to an Azure subscription

Close a workspace connected to a MS account

This one is actually very simple.

If you see the printscreen of the post above just click close workspace…

printscreen-0316

OMS will present you with a nice message box with what’s going to happen and kindly asks you why you want to close.

Note: It’s not required to select an option but please do so to help Microsoft further develop the product to whatever direction you want it to go.

Close a workspace linked to an azure subscription

When your workspace was created with the azure management portal you will not be able to close your workspace from the OMS interface but you will need to delete the workspace in azure itself. You will get the message “This account can only be deleted from the Azure Management Portal”

printscreen-13-05-2015 0003

Open your Azure management portal and navigate in the bar in the left to Operation Insights (note this name can be changed when you read this article as MS is aligning all the naming toward the OMS brand):

    printscreen-0308

Select the account you want to delete and press the delete button at the bottom of the page

printscreen-13-05-2015 0002

Are you really sure?

printscreen-0309 

At this point the account is deleted and within a couple of minutes it should disappear from the available workspaces.

  printscreen-0318

Note: The accounts that are created outside of the Azure portal will have a GUID like name. This name is generated when you link a workspace to your Azure account.

Microsoft Operations Management Suite: Connect Datasources

 

This blog post is part of the “Microsoft Operations Management Suite: Quickstart guide” which can be found here: http://scug.be/dieter/2015/05/08/microsoft-operations-management-suite-quickstart-guide/

 

After we have successfully created our workspace and installed our Solutions, it’s now time to bring in our data to start the magic and witness the insight into our data that OMS can bring.

Here you have 3 options:

printscreen-8-05-2015 0000

  • Attach Servers directly (limited to 64 bit): This is used if you want to attach a server which is not monitored by SCOM. A certificate will be generated and inserted into a package that downloads and installs the Microsoft monitoring agent service onto the desired server and connects the server to your OMS.
  • Attach System Center operations manager: You can attach various management groups in OMS. If you click connect you will be guided to the on boarding process for connecting a SCOM environment to OMS. More on this later
  • Attach Azure Storage account: you can add an Azure storage account to facilitate the availability options regarding backup, restore, etc. More on this later in this blog series.

Note: If you receive errors when connecting these servers to your environment review this troubleshoot article to set the firewall correctly: http://blogs.technet.com/b/momteam/archive/2014/05/29/advisor-error-3000-unable-to-register-to-the-advisor-service-amp-onboarding-troubleshooting-steps.aspx

Connecting a standalone server to OMS:

If you want to attach several servers which are not monitored by SCOM you can easily download the agent and install it. No need to fiddle with the certificates yourself any more!

Download the agent and install it on a server:

printscreen-8-05-2015 0008

The agent package is around 25mb and will be downloaded to your local machine. Transfer the package to a machine which is not monitored by SCOM and install the package.

Note: The same restrictions as installing an agent from the console apply. It’s not possible to onboard a server which has a SCOM component installed such as a gateway server , management server,… Which makes sense because if you have these servers in place you have a SCOM environment and it’s far more easy to onboard the management group entirely instead of doing this per server.

Copy the MMASetup-AMD64 package to your server and run as administrator

printscreen-8-05-2015 0009

The standard manual install dialog for the Microsoft Monitoring Agent starts:

printscreen-8-05-2015 0010

click through the first screens

printscreen-8-05-2015 0011

printscreen-8-05-2015 0012

The next screen is interesting. Here we need to decide whether we are going to actually install the microsoft monitoring agent exclusively for OMS or also for the on prem SCOM. In this scenario we are choosing to exclusively use the agent for OMS

printscreen-8-05-2015 0014

Now we need to fill in the GUID keys which are shown on the OMS page right under “connect a server”.

The workspace ID is straightforward: it is the workspace ID noted in the OMS console.

The Workspace key is in fact noted as the “private key” in the OMS console.

Note: Again this probably will be aligned after the SCOM console is aligned with the new OMS system.

printscreen-8-05-2015 0015

Click next and install

printscreen-8-05-2015 0016

printscreen-8-05-2015 0017 printscreen-8-05-2015 0018

Finish. Wait 5 min and refresh your console:

printscreen-8-05-2015 0019

Note: if you have more than one workspace make sure you select the correct workspace where you want to connect the server to as the id will be unique per workspace.

Connecting a System Center operations manager management group:

Open your SCOM environment and navigate to Administration > Operational Insights > Operational Insights Connection

Note: These names will probably change in the next UR or management pack release.

printscreen-8-05-2015 0001

Click configure or Re-configure Operational Insights

printscreen-8-05-2015 0002

printscreen-0301

Select whether you are using a work or Microsoft account. I’m using a Microsoft Account:

The associated workspaces with your account are loaded and selectable

printscreen-0302

Select your workspace and click update or create

printscreen-8-05-2015 0004

Next choose which groups or servers you would like to send data to your OMS workspace. Click add a computer / group in the tasks bar on the right.

printscreen-8-05-2015 0005

Select the servers / groups you want and click add

printscreen-8-05-2015 0006

 

So now all the servers are coming into your Operational Insights Managed view.

printscreen-0305

This management group will show up in your OMS workspace as 1 connected management group:

printscreen-8-05-2015 0007

The name / number of servers and the last data received is shown to give you a clear view on the status of your management groups.

Configure log collection

A lot of solutions are dependent on the logs received. As this was one of the first valuable additions that opinsights brought this is almost mandatory to have in OMS as well.

Go to the last step of the “wizard” and select what logs that need to be gathered on the connected servers:

printscreen-8-05-2015 0021

When configured we’ll get a nice 100% mark and we are ready to go!

printscreen-8-05-2015 0022

Summary

Connecting is a breeze if your servers are able to reach the OMS service on port 443. You can connect individual servers or entire management groups where you decide which servers are actually sending data to the OMS service.

For now the agents for Linux are not available yet but they will become available very soon.

So now you are all set to start playing with the Solutions you have installed while data is pouring in!

Microsoft Operations Management Suite: Configure Workspaces

This blog post is part of the Microsoft Operations management Suite Quick start guide which can be found here: http://scug.be/dieter/2015/05/08/microsoft-operations-management-suite-quickstart-guide/

 

A workspace is basically the same as your management group in SCOM. It contains all the different Solutions, connected data sources and the Azure account you need to start working. You can have several workspaces with one account but interaction between different workspaces is not possible.

Create a workspace

In this scenario we are going to build a new workspace. Just choose the name / email and the region and click create

printscreen-4-05-2015 0001

Next up we need to link the Azure subscription we have associated to our Microsoft or corporate account. Note that having an Azure subscription is not a prerequisite for this step (you can just click not now) but it is highly recommended.

printscreen-4-05-2015 0002

To make sure you are the proper owner of the email (note that it doesn’t have to be an email that is by default the email address associated to your account) Microsoft is sending you a confirmation mail which you need to follow.

Click confirm now and continue.

printscreen-0300

At this point your workspace will be ready and you will have all the standard tiles, but no data is pouring in just yet.

Configure a Workspace

Head over to the Settings tile where you will be guided to connect your sources to the OMS service. In the past this involved setting up proxy servers and complicated settings, but since the integration with SCOM this has become peanuts. OMS is also using the same entry point that Opinsights was using to get connected.

printscreen-4-05-2015 0003

First step is in fact to add solutions. Formerly known as Integration packs (IPs) these solutions each will have their own purpose to tailor the way you want to use OMS. There are by default already some Solutions installed so you can click “connect a data source” to continue.

printscreen-4-05-2015 0004

 

Now that you have your workspace configured it’s time to connect your datasources to get your data in!

 

 

Microsoft Operations Management Suite: Quickstart guide

 

So Microsoft Operations Management Suite (OMS) was launched during Ignite 2015 and is awaiting your data to show its power to give you the insights in your environment and actually manage your environment not limited to the boundaries of your own environment or your azure environment. But before we can play with the goodies we need to configure everything correctly.

printscreen-6-05-2015 0000

This guide will grow in time to be your one stop to get you going, configuring and using Microsoft Operations Management Suite (OMS) . Bookmark this post to get regular updates on my journey through OMS to help you save some time while exploring the possibilities of OMS.

Below is a list of topics that can be used to already start your journey:

Microsoft Operations Management Suite: A first glance

This blog post is part of the “Microsoft Operations Management Suite: Quickstart guide” which can be found here: http://scug.be/dieter/2015/05/08/microsoft-operations-management-suite-quickstart-guide/

It has been a while since I was blown away by news about SCOM and monitoring in general. During the recent keynote of Ignite in Chicago, however, Microsoft delivered… I personally was surprised by the vast number of announcements regarding System Center in general and monitoring and management tools in particular. One of the coolest things for me personally was the announcement of Microsoft Operations Management Suite (OMS).

printscreen-6-05-2015 0000

A little bit of history is in order to show you this is not a product which was born overnight. The first sign that Microsoft was working on a service to monitor and aggregate data in the cloud emerged when System Center Advisor was launched. System Center Advisor was a small tool which gave you a quick overview of the compliance level of your environment and checked how you were doing in installing and configuring System Center. With an update of once a day and not a lot of adoption, this tool was not widely spread. Although it wasn’t heavily used, it actually paved the road for the Opinsights preview. The Opinsights preview leveraged the power of Azure to give you even more control over finding out how your data center was doing by using several free apps to make assessments based on data you’ve sent to the Azure cloud services. The integration was created in SCOM, making it a usable tool and easier to configure. The service was free so I personally encouraged a lot of customers to start exploring it. The fact that you could also connect machines directly without having SCOM added to the level of adoption.

So what brings OMS more than the previous versions?

Well, OMS will give you even more integration with the different services you need to manage your datacenter, and it will integrate even more into your Azure environment to become your one tool to deal with the different aspects of exploring your datacenter.

The following 4 groups of tools are at this point integrated into OMS:

printscreen-6-05-2015 0001

Log Analytics

Log Analytics was already present in Opinsights but has been fine-tuned. You can now gather all logs of different tools and servers and see what events are actually the most common in your environment and take corrective actions accordingly. This is in my  personal opinion a very valuable addition if you would like to find out what the most common problems on your servers are. In fact in SCOM you actually need to configure what to monitor. Log Analytics however uses the power of the Azure storage to collect and keep all the events for you to easily query them and find out patterns and such.

Automation

This feature is new and will actually integrate Automation across the different components you have in your datacenter. The Automation module will integrate with  Websites, Virtual Machines, Storage, SQL Server, and other popular Azure services. The automation runbooks will be easily created through a drag and drop interface giving you basically the opportunity to create automation in seconds. Tying in to all the different components you can automate repetitive tasks across your on-prem and cloud services. This will decrease the margin for human error and like all the different automations if it’s done correctly you will actually lower downtime and increase your view on your environment.

Availability

Availability is not only keeping your applications and data online but also making sure that they stay online or can be restored after a breach in service. The availability tools will give you the power to actually synchronize data between different locations to facilitate the different dataflows between them and ensure that your data will be safe. In this automation tab the different tools will be placed to make sure you have all you need to keep your environment up and running and restore as quickly as possible. The automation apps will actually tie in to your Azure backup services such as: Azure Backup, Azure Site Recovery,…

Security

Besides getting everything online and keeping it online, a lot of companies are also concerned about keeping everything safe. In the modern world it is a challenge to find the right balance between a workable system and a secure system. The security apps will give you the insights you need to identify malware and missing system updates, collect security related events, and perform forensic, audit and breach analysis.

So how does it work?

If you were already using the opinsights preview feature, your account is automatically transferred to a free account in OMS. This free account will give you a 7 day retention and a maximum amount of data uploaded of 500Mb. This is solely for testing purposes to get you going. The integration remains in the SCOM management group and will upload all the data in CAB files to the OMS cloud service. Your tools will still be there in your dashboard, with the possibility to connect more data sources to the OMS service. For more detailed instructions make sure to check out my series on OMS found here on my blog.

Check out the following links for more info:

SCOM: Automatically create management packs with PowerShell

Recently I was asked by a customer to make a multi tenant SCOM setup with different environments. There are several ways of doing this with connected management groups and all but I opted to keep one management group and make the separation there as this was the best fit for the client. I’m not saying that this is the best fit everywhere but for this particular case it was.

They have a very strict DTAP (Development – Test – Acceptance – Production) lifecycle for their software release model so this should be reflected in the SCOM model as well making things a little bit more complicated.

So to sum up the requirements:

  • Naming convention of the override management packs needed to be consistent
  • An override management pack needs to be created for all management packs introduced in the environment and for all stages in the DTAP process
  • An easy way has to be setup in the procedures for the engineer to create the override MP’s for all environments

You could create a procedure to instruct the engineer to create the management packs as part of implementing a new management pack in the environment but this creates tedious repetitive work which will lead to errors or will just be forgotten.


That’s why I’ve automated the process of creating these override management packs with PowerShell, following the naming convention which is in effect in your company.

[xml]
###
# This PowerShell script will create override management packs for all management packs which fall into a specific
# pattern documented in $orgmanagementpackname
# Usage: CreateManagementPack.ps1
# Note: You can change the parameters below and pass them with the command if desired.
# Based on the script of: Russ Slaten
# http://blogs.msdn.com/b/rslaten/archive/2013/05/09/creating-management-packs-in-scom-2012-with-powershell.aspx
# Updated the script to create a management pack for all environments in the array $environments
###

###
# Declaration of parameters
###
$ManagementServer = "localhost"
$orgmanagementpackname = "microsoft.windows.server.2012*"
$Environments = "P", "A", "D", "T"

###
# Load the SCOM cmdlets and SDK types and connect to the management group once, before the loops
###
Import-Module OperationsManager
Add-PSSnapin Microsoft.EnterpriseManagement.OperationsManager.Client
$MG = New-Object Microsoft.EnterpriseManagement.ManagementGroup($ManagementServer)
$MPStore = New-Object Microsoft.EnterpriseManagement.Configuration.IO.ManagementPackFileStore

###
# Find the managementpacks which fit the filter documented in $orgmanagementpackname
###
$managementpacks = Get-SCOMManagementPack | where {$_.Name -like "*$orgManagementPackName*"} | select name

###
# For all managementpacks in array managementpacks create a new override management pack with a correct naming convention
# and 1 override management pack per environment
###
Foreach ($managementpackocc in $managementpacks)
{
    # Name of the management pack the override packs are created for
    $name = $managementpackocc.name
    $name
    Foreach ($env in $environments)
    {
        # fill in the name of the management packs
        $ManagementPackID = "*Fill in company name here (no spaces!)*."+$env+"."+$name+".overrides"
        $ManagementPackName = "*Fill in company name here*: "+$env+" : "+$name+" overrides"
        # Create the empty override management pack and import it in the management group
        $MP = New-Object Microsoft.EnterpriseManagement.Configuration.ManagementPack($ManagementPackID, $ManagementPackName, (New-Object Version(1, 0, 0)), $MPStore)
        $MG.ImportManagementPack($MP)
        # Fetch the imported pack again to set its display name and description
        $MP = $MG.GetManagementPacks($ManagementPackID)[0]
        $MP.DisplayName = $ManagementPackName
        $MP.Description = "Auto Generated Management Pack"
        $MP.AcceptChanges()
    }
}
[/xml]
Download the script from the technet gallery:

download-button-fertig11

This script finds all the management packs which fit the input mask in $orgmanagementpackname and creates, for each of these management packs, an override management pack following the naming in $ManagementPackID and $ManagementPackName.

This results in the following structure:

printscreen-8-04-2015 0001

Note:

  • Run this script preferably on a management server or a machine which has the SCOM console installed. If you don’t run this on a management server, make sure to change the $managementserver variable to point to a valid, up and running management server in the management group you would like to have the override packs created in.
  • Because we run this via PowerShell and do not execute the work manually, there are no “rogue” empty folders created in the monitoring view, so we are not clogging up our console view.

SCOM: Configure a monitor recovery task for a healthy state

During a recent project a client had a small request to create a monitor and run a command when a device was not accessible anymore. Easy right! But (yep there’s always a but) they wanted to run a command when the monitor was returning back to a healthy state to restart a service when the device came back online… Hmmm and all in 1 monitor.

So the conditions were as follows:

Monitor:

  • Action: Run a PowerShell based monitor to test the connection with the device
  • BAD: Device is down => Run recovery task to remediate
  • GOOD: Device is up again => Run recovery task to restart service

(note: Always do this small matrix of a monitor design to exactly know what the customer wants)

I don’t have the device to simulate but came up with a small example in my lab to show you how to get this working with just 1 monitor. The situation in my lab is very simple. I want to turn on my desk lighting when my pc is on (and I’m working) and turn it off when my pc is not online.

My conditions:

Monitor:

  • Action: Run Powershell based monitor to test the connection and pass the result to SCOM
  • BAD: PC is offline: => turn off my desk lighting
  • GOOD: PC is online:=> turn on my desk lighting

So first things first we need to test the connection to see whether my pc is running. To check this I’m using this small script:

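[xml]

# IP address or host name of the device to test
param ([string]$target)

# Create the SCOM scripting API object and an empty property bag
$API = New-Object -ComObject "MOM.ScriptAPI"
$PropertyBag = $API.CreatePropertyBag()

# -Quiet makes Test-Connection return only $true or $false
$value = Test-Connection $target -Quiet

# Store the result under the name "status", which the monitor conditions evaluate
$PropertyBag.AddValue("status", $value)

# Hand the property bag back to SCOM
$PropertyBag
$API.Return($PropertyBag)

[/xml]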

So I’m testing the connection and sending the response to SCOM. The PowerShell command “Test-Connection $target -Quiet” just returns true or false depending on whether the target is accessible or not.

Creating the Monitor with Silect MP Author

The creation of this monitor consists of 2 parts:

  • Defining the class where the monitor will be targeted to and therefore the machine which will test the connection to the desktop
  • Passing the status from the machine to SCOM and take action by using a monitor

Defining a class:

To properly target this monitor we need to create a class in SCOM which identifies the servers that need to test the connection. In this case I’ve added a reg key to all servers that need to ping the desktop, so I’m starting a Registry Target to create my class:

printscreen-0254printscreen-0255

I fill in a server that has the key already in there to make it much easier to browse the registry instead of typing it in with an increased margin for errors.

printscreen-0256

Select the Registry key you want to look for

printscreen-0257

In my case I’ve added a key under HKEY_LOCAL_MACHINE\Software\pingtestwatchernode

printscreen-0258

Select the key and press add and ok

printscreen-0259

Identify your registry target:

printscreen-0260

Identify your discovery for the target

printscreen-0261

In my case I just check whether the key is there. No check on the content.

printscreen-0263

The discovery will run once a day.

printscreen-0264

Review everything and press finish

printscreen-0265

At this point our class is ready to be targeted with our script monitor.

Next up is to create the monitor:

Create a new script monitor:

printscreen-0266

Browse to the PowerShell script and fill in the parameters. In this case I have 1 parameter which is “target” and will hold the IP of the desktop.

printscreen-0267

Define the conditions:

The healthy condition is when the status is True, with type Boolean

printscreen-0268

Critical condition is when the status is False

printscreen-0269

Note: I’m using a “boolean” Type

Configure the script and select the target you have created earlier on and the availability parent monitor

printscreen-0270

Identify your script based monitor

printscreen-0271

Specify a periodic schedule: run every 2 minutes

printscreen-0272

No alert generation necessary.

printscreen-0273

Review all the parameters and create the script based monitor.

printscreen-0274

Load the management pack in your environment and locate the monitor:

printscreen-0278

Check the properties => recovery tasks and create 2 recovery tasks for the Health state “critical”.

Note that the screenshot below already shows the correct healthy state after config of the mp.

printscreen-0279

Export the management pack, open it in an editor and locate the “recoveries” section to find the recovery tasks we just created:

printscreen-0280

Scroll to the right, locate the “ExecuteOnState” parameter and change the one you want to run when the monitor goes back to healthy from “Error” to “Success”.

Save the management pack and reload it in your environment.

printscreen-0281
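The ExecuteOnState change described above can also be scripted instead of edited by hand, which avoids touching the wrong recovery. This is an added example, not part of the original post: the function name Set-RecoveryExecuteOnState, the recovery IDs and the sample XML are constructed for illustration, and the XML is a cut-down stand-in for an exported, unsealed management pack.

```powershell
# Added example: flip ExecuteOnState on one recovery task of an exported management pack.
function Set-RecoveryExecuteOnState {
    param(
        [Parameter(Mandatory)] [xml]$ManagementPack,
        [Parameter(Mandatory)] [string]$RecoveryId,
        [ValidateSet('Success', 'Warning', 'Error')] [string]$State = 'Success'
    )
    # Match on local-name() so the lookup works with or without an XML namespace
    $xpath = "//*[local-name()='Recoveries']/*[local-name()='Recovery'][@ID='$RecoveryId']"
    $recovery = $ManagementPack.SelectSingleNode($xpath)
    if (-not $recovery) { throw "Recovery '$RecoveryId' not found in the management pack" }
    if (-not $recovery.HasAttribute('ExecuteOnState')) {
        throw "Recovery '$RecoveryId' has no ExecuteOnState attribute"
    }
    $old = $recovery.GetAttribute('ExecuteOnState')
    $recovery.SetAttribute('ExecuteOnState', $State)
    # Report what changed so the edit can be reviewed before the pack is re-imported
    [pscustomobject]@{ RecoveryId = $RecoveryId; Old = $old; New = $State }
}

# Constructed sample: two recoveries created in the console, both bound to "Error"
$sample = [xml]@'
<ManagementPack>
  <Monitoring>
    <Recoveries>
      <Recovery ID="Lab.Recovery.LightOff" Monitor="Lab.PingMonitor" ExecuteOnState="Error" />
      <Recovery ID="Lab.Recovery.LightOn" Monitor="Lab.PingMonitor" ExecuteOnState="Error" />
    </Recoveries>
  </Monitoring>
</ManagementPack>
'@

# Only the "light on" recovery should run when the monitor returns to healthy
Set-RecoveryExecuteOnState -ManagementPack $sample -RecoveryId 'Lab.Recovery.LightOn'

# List every recovery with its state to confirm that exactly one was changed
$sample.SelectNodes("//*[local-name()='Recovery']") |
    ForEach-Object { '{0} -> {1}' -f $_.GetAttribute('ID'), $_.GetAttribute('ExecuteOnState') }
```

For a real export, load the file with `[xml](Get-Content <path> -Raw)`, pass it to the function and write it back with the document's `Save()` method before reloading the management pack.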

So all we need to do is test it…

My pc is on: IT-Rambo has his cool backlight:

20141130_230930098_iOS

My pc is off and the light is automatically turned off…

20141130_230904267_iOS

Final Note: If you use this method you need to make sure NOT to save the recovery tasks in the console anymore, otherwise the settings we just changed in our management pack will be overwritten again, as SCOM can’t natively configure a recovery task for a healthy state.

You can use this basically for anything where you want to run 2 conditions on the same monitor or even 3 if you have a 3 state monitor.
