Sunday, December 20, 2020

Task Scheduler Monitoring in SCOM using Rule

One of the best advantages in SCOM is how easily we can monitor event logs. Simply go to Event Viewer, find the Event ID and start monitoring.

Below are the steps through which Task Scheduler jobs can be easily monitored via a SCOM rule.

Things to know before configuring monitoring:

1. Task Scheduler job name should not have spaces.

2. The task name used in the monitoring configuration must be the same as shown in the Event XML view.

Steps to retrieve the XML view for events logged via Task Scheduler. I have tried to demo using my case. Please refer to screenshot and steps:

1. Go to Task Scheduler and select the task name "MyJob" (Containing Folder name and Task name should not have spaces).

2. Select "History", select the event log.

3. Click on "Details" tab and click on XML view 


Figure for Steps 1,2 & 3

4. Copy the content into a notepad, or any text editor as per your choice.

5. Find the row containing text <Data Name="TaskName">.

6. Copy the text between the <Data> tags as shown in the figure. (In my case, it's "\HourlyJobs\MyJob".) This will be required for configuring the Rule in SCOM.

Figure for Steps 4,5 & 6


Now, in further steps, we need to configure a rule under "Windows Server Operating System" target. You can choose any other target of your choice.

Open Authoring workspace on SCOM and create a new Rule for NT Event Log (Alert):

1. Select or create one management pack and Choose NT Event Log (Alert) Rule.

Figure for Step 1

2. Keep the Rule disabled if you want to target a single server. Give the Rule a suitable name.

Figure for Step 2

3. Give the log name as "Microsoft-Windows-TaskScheduler/Operational"

Figure for Step 3

4. Select the "..." button.

Figure for Step 4

5. Select the third option, "Use parameter name not specified above", and enter the text "EventData/DataItem/*[name()='EventData']/*[name()='Data' and @Name='TaskName']"

Figure for Step 5

6. Click OK and complete the expression by specifying that it equals the name copied from the <Data> tag. (In my case the expression equals "\HourlyJobs\MyJob").

Figure for Step 6

7. Configure the alert as per your need in the next window.

Figure for Step 7

 

8. Finally, override the "Enabled" property to "True" for this rule on the desired server where the Task Scheduler job is configured.
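The value the rule compares against can be checked before the rule is built. The following PowerShell is an added example, not part of the original post: it extracts TaskName from an event's XML with the same element and attribute predicate as the SCOM parameter expression, flags names that contain spaces, and on a live host lists matching events from the operational log. The function names and the sample XML are constructed for illustration.

```powershell
# Constructed sample of an event's XML view (History > Details > XML View).
# Only the TaskName value is taken from the post; everything else is illustrative.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TaskScheduler" />
    <EventID>102</EventID>
    <Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>
  </System>
  <EventData>
    <Data Name="TaskName">\HourlyJobs\MyJob</Data>
    <Data Name="UserContext">CONTOSO\svc-jobs</Data>
  </EventData>
</Event>
'@

function Get-TaskNameFromEventXml {
    # Returns the text of <Data Name="TaskName">, or $null when the event has none.
    param([Parameter(Mandatory)][string]$EventXml)
    $doc  = [xml]$EventXml
    # Same element/attribute predicate as the SCOM parameter expression.
    $node = $doc.SelectSingleNode("//*[name()='EventData']/*[name()='Data' and @Name='TaskName']")
    if ($null -eq $node) { return $null }
    return $node.InnerText
}

function Test-TaskNameForRule {
    # Checks the constraints stated in the post before the name goes into the rule.
    param([Parameter(Mandatory)][string]$TaskName)
    $problems = @()
    # Assumption based on the post's example: the logged name is the full path with a leading backslash.
    if ($TaskName -notmatch '^\\') { $problems += 'no leading backslash (use the full path from the XML view)' }
    if ($TaskName -match '\s')     { $problems += 'folder or task name contains spaces' }
    [pscustomobject]@{
        TaskName = $TaskName
        Usable   = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

function Get-TaskHistoryEvent {
    # Live check (Windows only): lists recent events whose TaskName equals the given value.
    param([Parameter(Mandatory)][string]$TaskName, [int]$MaxEvents = 10)
    $log = 'Microsoft-Windows-TaskScheduler/Operational'
    $cfg = Get-WinEvent -ListLog $log -ErrorAction Stop
    if (-not $cfg.IsEnabled) {
        Write-Warning "$log is disabled, so no task history is written and the rule would never fire."
        return
    }
    if ($TaskName -match "'") { throw 'Task name contains a single quote; the XPath filter cannot be built.' }
    $filter = "*[EventData[Data[@Name='TaskName']='$TaskName']]"
    Get-WinEvent -LogName $log -FilterXPath $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'TaskName'; Expression = { Get-TaskNameFromEventXml -EventXml ($_.ToXml()) } }
}

# Offline check against the constructed sample.
$name = Get-TaskNameFromEventXml -EventXml $SampleEventXml
Test-TaskNameForRule -TaskName $name
Test-TaskNameForRule -TaskName '\Hourly Jobs\My Job'   # constructed counter-example with spaces

# On the server where the task runs:
# Get-TaskHistoryEvent -TaskName $name
```

If Get-TaskHistoryEvent returns nothing for a task that has run, the name in the rule expression will not match either.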


Hope you enjoyed the monitoring of task scheduler with this simple configuration. ☺



Friday, December 11, 2020

Remote Agent Prerequisite Checker Tool

This tool is the command line version of the MOMNetCheck tool we shipped with the MOM 2005 resource kit. The new tool allows you to specify multiple computer names to run the check against and accounts for the new prerequisites required by the OpsMgr agents, such as MSXML 6. Instructions on how to use this tool are available in the readme that is part of the attached zipped file. You need .NET Framework 2.0 to run the tool, you need to have permissions to access the remote registry on the remote servers, and you need to copy the tool down locally before you can run it.

MOMNetChkCmd.zip


Tuesday, December 8, 2020

All SCOM Event IDs Spreadsheet

 The following are typical situations:

  1. I get a colleague or a customer telling me “I am having a problem and the SCOM agent is showing 21037 events and 20002 events.  What’s wrong with it?”   
  2. I want to tune an OpsMgr environment and reduce load on the database by turning off a few event collections, as my friend Kevin Holman suggests here http://blogs.technet.com/kevinholman/archive/2009/11/25/tuning-tip-turning-off-some-over-collection-of-events.aspx .
  3. I am analyzing, sorting and grouping Events with Powershell like I have written on my blog lately http://www.muscetta.com/2009/12/16/opsmgr-eventlog-analysis-with-powershell/ but I can’t read those long descriptions properly.
  4. I exported an EVT from a customer environment and I load it on a machine that does not have OpsMgr message DLLs installed – all I see are EventIDs and type (Warning, Error) – but no real description – and I still want to figure out what those events are trying to tell me.

Getting to the point: I, like everyone – don’t have every OpsMgr event memorized.

This is why I thought of building this spreadsheet, and I hope it might come in handy to more people.

The spreadsheet contains an “AllEvents” list – and then the same events are broken down by event source as well:


When you want to search for an event (in one of the situations described above) just open up the spreadsheet, go to the “AllEvents” tab, hit CTRL+F (“Find”) and type in the Event ID you are searching for:


And this will take you to the row containing the event, so you can look up its description:


The description shows the event standard text (which is in the message DLL, therefore is the part you will not see if opening an EVT on another machine that does not have OpsMgr installed), and where the event parameters are (%1, %2, etc – which will be the strings you see in the EVT anyway).

That way you can get an understanding of what the original message would have looked like on the original machine.


Sunday, December 6, 2020

Monitor F5 BIGIP with OpsMgr

 

Introduction

Monitoring F5 BIGIP (the term ‘firewall appliance’ is used interchangeably) with OpsMgr is not possible out of the box. A few 3rd party companies offer professional Management Packs that equip OpsMgr with this capability.

As F5 BIGIP offers REST and SNMP interfaces, self-authoring a Management Pack seemed to be a possible task.

Please find below details of some hours’ brain work ;-)

 

Design

  • A Windows Server, taking the role of ‘F5 Monitoring Server’, queries firewall appliances via SNMP and REST.
  • A Scheduled Task launches PowerShell scripts which perform the queries and store the results in local JSON files.
  • Discovery and monitoring scripts in the F5 MP interpret the JSON files to provide OpsMgr with topology and health information.


 

Configuration (Optional)

After importing the Management Pack the following Monitors may be configured:


Usage

Alert views show details of current breaches of configured thresholds:


State view shows the state of a particular item:


See the whole system by opening the diagram view on “system”:


 


Management Pack Source

GitHub: https://github.com/Juanito99/F5_BIGIP_OpsMgr

 

License Terms

Monitor F5 BIGIP with OpsMgr
Copyright (C) 2017 Ruben Zimmermann (Juanito99)

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.


Integrate Oracle DBs with SCOM through Foglight

Problem:

How to get the health state of our Oracle Databases into OpsMgr?

One approach was installing SCOM agents on AIX and purchasing a Management Pack from a specialized vendor.

The main argument for sticking with the current solution was that Foglight fully satisfies our needs for monitoring Oracle Databases.


Requirement:

Integrate our Oracle DBs’ health state information into SCOM, benefiting from Foglight’s data. As the vendor only offered a Management Pack to forward alerts to SCOM, authoring a custom Management Pack seemed to be the only possible way.


Solution Approach:

A registry key on any Windows Server is used to promote it to act as the “Foglight MonitoringServer”.

Foglight’s command line tool “fglcmd” is used to export topology and health information into XML files.

A Scheduled Task periodically runs “fglcmd” on the “Foglight MonitoringServer” to pull the current data into files.

The “Foglight MonitoringServer” hosts the Management Pack and runs discovery- and monitoring scripts which parse the XML files to feed OpsMgr with the information.


Result:

This management pack provides topology and health state of our Oracle environment to SCOM.

As the source is available, feel free to customize it according to your demand.


Note:

An early stage of the Management Pack as VSAE solution file and XML can be found on Github.  https://github.com/Juanito99/OraDBs_Fogl_OpsMgr

Technical information to use this management pack can be found on: http://www.rjz.de/OraDBsToOpsMgrViaFoglightSetup

Integrate Oracle DBs through Foglight - Setup Guide

Preparation:

Foglight

A dedicated user account should be created and permitted in Foglight to query information. Add it to the red highlighted group.

Foglight-Monitoring-Server:

Choose a regular Windows Server which is monitored via SCOM.

  • Set the following registry key to promote it to the “Oracle Foglight Monitoring Server”:

[HKEY_LOCAL_MACHINE\SOFTWARE\ABC\OracleFoglightMonitoringServer]

  • Copy fglcmd.zip from the Foglight server, typically located in <InstallDirectory>\tools, to the “Oracle Monitoring Server” and extract it.
  • Add the following line to fglcmd.bat; it needs to reflect the installed Java version, e.g.:
    set JAVA_HOME=C:\Program Files\Java\jre1.8.0_102
     
  • Download the internal server certificate of the management server as Base64 and import it to the Java certificate store:
    C:\Program Files\Java\jre1.8.0_102\bin>keytool -importcert -file C:\foglightb64.cer -alias delinfoglight -keystore ../lib/security/cacerts -storepass changeit
     
  • Create a directory C:\Temp\FoglightMonitoring\
  • Create a Scheduled Task to run the batch file which retrieves the Oracle environment information from Foglight. Customize the following script: https://github.com/Juanito99/OraDBs_Fogl_OpsMgr/blob/master/Cmd%20for%20Scheduled%20Task/QryFoglightSrv.cmd

    Agent, Database, TableSpace, Servers and Listener are the components which are queried.

    Each of the components will create one XML file, stored in C:\Temp\FoglightMonitoring\

    • fogoracledboAgentModel.xml
    • fogoracledboDatabase.xml
    • fogoracledboListenerstatus.xml
    • fogoracledboServers.xml
    • fogoracledboTablespace.xml

Internals

About Discoveries

  • MonitoringServer is discovered via ‘FilteredRegistryProvider’, details above.
  • TableSpace, Servers, Listener, Database, Agent and DatabaseSystem are discovered by ‘TimedPowerShell.DiscoveryProvider’, which uses the parameterized DiscoverDBOs.ps1.
  • DiscoverDBOs.ps1 expects the XML files in C:\Temp\FoglightMonitoring\
  • Relations are discovered by ‘TimedPowerShell.DiscoveryProvider’, which uses DiscoverDBORelations.ps1.

About Monitors

  • TableSpace, Servers, Listener, Database and Agent are monitored via a custom module monitor. The monitor itself is MonitorDBOAdv.vbs.
  • MonitorDBAdv.vbs uses the ‘aggregateState’ value to judge health. State changes follow its value.
  • 0-2 = ‘Healthy’,  3 and 4 = ‘Critical’.

About Views

Each element has its own state view located in the dedicated folder ‘ABC Database Oracle Foglight Folder’.


Saturday, December 5, 2020

Twitter your alerts with SCOM


Can SCOM tweet alerts and state changes, and what would be the use? Why would we want to use Twitter to be notified?

One thing was clear in a second: it would be cool to let SCOM tweet in the first place! Second of all, Twitter is fast and you just need an internet connection. But you don’t want everybody to read your alerts; warnings with domain names and IP addresses will expose company data for everyone to see. If you protect your Twitter account so that you have to accept your followers, you can manage the alert receivers. So think about the security risk before you let SCOM tweet your alerts.

What can be nice is to create multiple Twitter accounts and subscription channels to Twitter for just the Exchange admins or the AD guys, so they get the alerts fast and don’t have to keep the SCOM console open all day (every phone has a Twitter app, so no problem there).

So how can I make my SCOM 2007 R2 tweet alerts?

It’s not really difficult to do. You need internet access, a Twitter account with a password, and cUrl.

You have to obtain cUrl from the following location for your system; both x64 and x32 are available here, so choose the one you need.

Copy cUrl into your c:\windows\system32 directory and cUrl will be available.

I’ve created a Twitter account wwwally_OpsMgr with a password which in the example will be password.

First test from a command line whether cUrl is working from your SCOM RMS server, to make sure it will work.

 

curl --basic --user wwwally_OpsMgr:password --data status="I'm twittering from #SCOM!!" http://twitter.com/statuses/update.xml

If your response looks like this you're all set to go!

 

Now you can start creating the SCOM Twitter channel which you can use to tweet your alerts.

In the OpsMgr console open the Administration pane and navigate to Notifications / Channels and create a new channel.


In the settings pane of the command notification channel wizard use the following settings:

  1. In the Full path use: C:\windows\system32\curl.exe
  2. In the Command line parameters use: --basic --user wwwally_OpsMgr:password --data status="$Data/Context/DataItem/AlertName$!" http://twitter.com/statuses/update.xml
  3. In the Startup folder use: C:\windows\system32
  4. Click Finish to create the notification channel.

Now you're done setting up the Twitter notification channel and you can start connecting it to the subscriptions.


PKI Certificate Verification Management Pack for SCOM 2012, 2016, 2019

 


Update January 2019 – gone Open Source

Compatible with SCOM 2016 and 2019

If you are still using or plan to do so: The PKI Certificate Management Pack can now be found in open source on GitHub: https://github.com/rafabu/SCOM-PKICertificateMP

Get the latest release from there and get involved. The downloads on this site will no longer be maintained and eventually removed.

 

Update June 22, 2015 – Version 1.3.0.0 now available for download.
Compatible with SCOM 2012 and SCOM 2012 R2 only.

NOTE: This update will only import on SCOM 2012 and later.

PKI Certificates serve to protect web sites by enabling SSL, secure cross-server communication and see many other uses.

The PKI Certificate Verification MP discovers PKI Certificates and Certificate Revocation Lists inside computers’ local certificate stores. It helps prevent service interruptions caused by invalid certificates by alerting when:

– a certificate’s lifetime is about to expire
– a certificate’s lifetime has ended
– a certificate has become invalid because of a different reason
– a CRL has not been updated in a timely manner

The MP contains a full set of inventory reports to help you audit certificates. The included guide contains detailed instructions on how to configure the MP. Click the Download links at bottom to download the management pack archive.

The PKI Certificate Verification MP was jointly developed by Raphael Burri, Pete Zerger and Jaime Correia, specifically for release on the SystemCenterCentral.com site.

An article on MP authoring by the same authors uses the PKI Certificate Verification MP as a sample to explain the concepts and procedures of writing a Management Pack. It is available on the site at the link below:

MP Creation Zen: Part 1 – Concepts and Application Modeling

Change History

Changes between 1.2.1.3 (August 2014) and 1.3.0.0 (June 2015)

  • Added Tasks: Archive Certificate, List Certificate Properties, Disable/Enable Monitoring, Rediscover (in optional add-on MP)
  • Added Recoveries: Archive Certificate, Disable Monitoring
  • Added Discovery: Web Hosting certificate store (Server 2012 / 2012 R2)
  • Additional certificate property: Certificate Template. It is also listed on reports.
  • Discovery filter expanded to certificate template.
  • Alert description: Additional details on the certificate chain and SCOM action account used.
  • CRL Lifetime Monitor: Threshold is exposed as an overridable parameter.
  • CRL health roll up monitor added.
  • Expiring certificate view & report: Default threshold of 1 month may be overridden.
  • Views: Changed criteria on views to make them more reliable when using user scopes.
  • Reporting bug: Certificate inventory did not list all certificates.
  • Additional MP: Rediscovery Tasks. Immediate trigger of store content discovery after archive, disable/enable or rediscover tasks

Changes between 1.2.0.210 (April 2014) and 1.2.1.3 (August 2014)

  • Discovery Filter with include and exclude regular expression on certificate subject as well as on certificate and CRL issuer.
  • Discovery Filter on “Enhanced Key Usage”. By default the MP no longer discovers MS Network Access Protection certificates (napHealthyOid and napUnhealthyOid). Other OIDs may be excluded as well.
  • PowerShell compatibility monitor got triggered on 2012 (when no PoSh 1.0 key existed).
  • Using 1st certificate SAN as subject in case the subject is empty (not defined).

Changes between 1.0.1.20 (March 2012) and 1.2.0.210 (April 2014)

  •  re-written MP, main logic now based on a PowerShell instead of a VB script.
  •  full support for Windows Server 2012 (R2)
  •  dropped SCOM 2007 support (use the legacy version 1.0.1.20 if SCOM 2007 is still a requirement).
  •  support any system locale.
  •  advanced certificate validation overrides.

Changes between 1.0.1.15 (March 2011) and 1.0.1.20 (March 2012)

  • Corrected a discovery bug that would hit when a server’s locale was non-US and CA certificates were found in the store.
  • Fixed some spelling issues in display strings
  • Verified OpsMgr 2012 compatibility

 Changes between 1.0.0.288 (released Jun 17, 2010) and 1.0.1.15

  • Improved discovery of Issued to and Issued by properties: Will use Subject Alternative Name if certificate doesn’t have a subject and will correctly extract the subject if CN= isn’t encountered on the first line of the subject string.
  • Additional certificate property: CA Version (based on extension szOID_CERTSRV_CA_VERSION). If this property holds a value, that certificate is a Windows CA one.
  • No longer discovers superseded CA certificates. Evaluation is based on the CA Version property. Additional override to change that behavior if required.
  • Monitors will not mark superseded CA certificates as expired if their discovery is enabled.
  • Expose script timeout as an overridable parameter
  • Changed alert priority to ‘Low’.
  • Broke upgrade path to avoid potential agent stale issues when upgrading from V 1.0.0.280 or earlier.

Changes between 1.0.0.280 (released April 19, 2010) and 1.0.0.280

  • Much more relaxed script timing
  • cook down safe timing override option
  • public certificate store data source (to add custom certificate stores)
  • better compatibility with legacy Operating Systems (2000 & 2003)
  • introduces a Release Notes document; which is a must read for updates from any previous release to 1.0.0.288!

Please read the release notes carefully before attempting an upgrade of any previously released version.

Download

The download consists of a zip archive with the management pack, guide, release notes plus examples:

Download: PKI Certificate MP 1.4.0.0 (SCOM 2016/2019)

Download Release: https://github.com/rafabu/SCOM-PKICertificateMP

Download: PKI Certificate MP 1.0.1.20 (legacy SCOM 2007). Note that this version is no longer being developed


Source: http://www.systemcentercentral.com/pack-catalog/pki-certificate-verification-mp/





Integrate Solarwinds NPM with SCOM

 

Make your network device state visible in SCOM by gathering information from SolarWinds NPM

 

 

Introduction

OpsMgr is great for monitoring servers and ‘things’ which run on servers. Through management pack authoring it is possible to monitor anything which can be contacted through the network.

In principle SCOM can monitor network devices such as switches, routers, etc. It fulfils basic demands. Compared to other network monitoring tools, the user interface is slow and sluggish. Effort in administration is high and requires a certain skill set.

 

In contrast, SolarWinds NPM is a lightweight and easy to use network monitoring solution. It can be learned in a short time and the UI is quite responsive.

My personal favorite is the underlying REST web service which SolarWinds uses for all its network management or monitoring tools. It can be easily queried and responds in JSON. Queries are formulated in a SQL dialect, SWQL, and can be tested in the SWQL Studio.

An SDK is available and maintained on GitHub: https://github.com/solarwinds/OrionSDK/wiki


Problem

  • Get network device information into SCOM, benefiting from SolarWinds NPM.
  • Having health state of devices available to be further used in Distributed Applications.


Design

  • A Windows Server, taking the role of ‘SolarWinds Monitoring Server’.
  • Scripts inside the Management Pack will query the REST services to pass information about Topology and Health to OpsMgr.


Configuration

By default, monitoring is enabled, alerting not. If required, overrides can be created and stored in an ‘override management pack’.


The default interval of 5 minutes is used to query SolarWinds NPM. This can be changed as usual.

 

Network devices are categorized by name, e.g. Switch: name contains ‘sw’; Router: name contains ‘gw’ or ‘vpn’; Firewall: name contains ‘fw’.
If that does not fit your requirements, it can easily be changed in DiscoverNPMNodes.ps1, which is part of the Visual Studio solution.


The monitoring script, MonitorNPMNodes.ps1, needs to be changed as well.

 

Usage

State view shows the state of a particular item:


Diagram view gives detail about the particular item:


Management Pack Source


GitHub:
https://github.com/Juanito99/SolarWinds_NPM_OpsMgr

 

Setup Guide

Only a few steps are required to start using this MP. Details on:
http://www.rjz.de/SolarWindsNPMToOpsMgrSetup

 

Source: http://www.systemcentercentral.com/


How to remove objects from monitoring (Remove-SCOMDisabledClassInstance)


Questions normally seen on TechNet forums would be similar to this: I have a server that I’m monitoring, however I do not want to monitor SQL 2008 on this server for XYZ reason. Enter the SCOM 2012 cmdlet Remove-SCOMDisabledClassInstance. This cmdlet's job is to delete all class instances for which a discovery has been disabled by using an override. All the relationships that involve these class instances are also deleted. This task can be database intensive if manipulating large numbers of computer objects.


First figure out which management pack you will be working with. In the example above we are going to remove monitoring of SQL Server 2008 from a specific server. Using the SCOM 2012 Management Pack Viewer open up the SQL Server 2008 (Discovery) management pack. Click the discoveries option then take a look for a seed discovery. In this example it is the SQL Server 2008 DB Installation Discovery Source.




Armed with the name of the Discovery/Class we are looking for, open up the OpsMgr console, and click the Authoring tab, and expand the Management Pack Objects and select the Object Discoveries. Click change scope and type SQL in the Look for box, and select the SQL Server 2008 Installation Seed target, then click OK.




Right click on the SQL Server 2008 DB Installation Discovery Source, and select Overrides > Override the Object Discovery > For a specific object of class: Windows Server, then select the specific server name that you want to un-discover SQL on.

Then open the Operations Manager PowerShell console, run the cmdlet Remove-SCOMDisabledClassInstance, confirm to run it and you're done. The objects should be removed shortly.

 

If you were planning on doing this on a group of servers, create a group of servers that would need to be stored in the SQL Server 2008 (Monitoring) – Override management pack, so the group would be visible to the override. The membership of this group needs to be made up of Windows Server objects. Right click on the SQL Server 2008 DB Installation Discovery Source, and select Overrides > Override the Object Discovery > For a group, then select the specific group that you want to un-discover SQL on.

Then open the Operations Manager PowerShell console, run the cmdlet Remove-SCOMDisabledClassInstance, confirm to run it and you're done. The objects should be removed shortly.

If you want to keep the server from ever being discovered just leave the override in place.
