Category Archives: SCOM

Authoring SCOM VSAE

Service Discovery and Monitoring with Operations Manager

Published by:

One of the most frequent requests we get from customers is to create monitors for application services. Often enough you will find management packs for well-known applications, but if you can’t, you will need to create those by yourself. With that, you have basically two options: use the provided Authoring Template in the SCOM console, which has been extensively described on the internet, or create monitors in the same authoring area of SCOM, but using an existing target, like Windows Operating System or Windows Computer.

The first option is good because SCOM will not only monitor the services, but it will also create a discovery for those services and make them available to be listed as independent objects in a State view, for example. The downside of this approach is that if you have a lot of services, a lot of work will be required to create all the monitors. It also uses a lot more resources to discover the services, since a discovery will be added for each monitored service. This template is also good if you want CPU and memory monitoring for the services, which are available through the template as well.

With the second option, which is much leaner in terms of resources, the con is that the services do not become objects themselves. The monitors for each one of them will be visible in the Health Explorer only. Alerts will work normally though.

What should you do then?

Well, there is a third option, which will require some XML editing and authoring skills. I’ve been using this for different customers and it has had good feedback. To build this solution, I’m using Visual Studio 2015 with the Management Pack Authoring extensions.

It all starts with a Class definition:

<ClassType ID="Company.Application.Class.Computer" Accessibility="Public" Abstract="false" Base="Windows!Microsoft.Windows.ComputerRole" Hosted="true" Singleton="false" />

This one defines a computer class that will host the services. And now the services themselves:

<ClassType ID="Company.Application.Class.Service" Accessibility="Public" Abstract="false" Base="Windows!Microsoft.Windows.LocalApplication" Hosted="true" Singleton="false">
  <Property ID="ServiceName" Type="string" Key="false" CaseSensitive="false" MaxLength="256" MinLength="0" />
  <Property ID="ServiceDisplayName" Type="string" Key="true" CaseSensitive="false" MaxLength="256" MinLength="0" />
  <Property ID="ServiceProcessName" Type="string" Key="false" CaseSensitive="false" MaxLength="256" MinLength="0" />
  <Property ID="StartMode" Type="string" Key="false" CaseSensitive="false" MaxLength="256" MinLength="0" />
  <Property ID="LogOnAs" Type="string" Key="false" CaseSensitive="false" MaxLength="256" MinLength="0" />
</ClassType>

Next, I will need two discoveries, one to discover the computers and then, another one to discover the services. This could be condensed in a single script discovery, but WMI is less expensive than scripts in terms of CPU cycles.

First the computer discovery:

image

Make sure you pick the right service prefix in the WMI query part, to properly identify the computers that belong to that class.

This discovery will then scan all computers that are part of the Windows Server Operating System Class every 15 minutes. Once a machine with the services mentioned above is found, a new instance of the Company.Application.Class.Computer class will be created.

And the service discovery itself:

image

This discovery will scan all the previously discovered computers that belong to the Company.Application.Class.Computer class and look for the services according to the WMI query. Once any of the services is found, a new member of the Company.Application.Class.Service is discovered and the properties are mapped:

image
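Before importing the MP, the WMI query behind both discoveries can be previewed by hand. The PowerShell below is an added example, not part of the original management pack; the `Contoso` prefix, the computer list, and the mapping of PathName and StartName to ServiceProcessName and LogOnAs are assumptions.

```powershell
# Added example: preview what the two WMI discoveries would find.
# 'Contoso' is a hypothetical service-name prefix; the PathName/StartName
# mapping is an assumption, not taken from the management pack.
param(
    [string[]]$ComputerName = @('.'),
    [ValidatePattern('^[A-Za-z0-9.\-]+$')]   # keep quotes and WQL wildcards out of the query
    [string]$ServicePrefix = 'Contoso'
)

$query = "SELECT Name, DisplayName, PathName, StartMode, StartName " +
         "FROM Win32_Service WHERE Name LIKE '$ServicePrefix%'"

foreach ($computer in $ComputerName) {
    try {
        $services = @(Get-WmiObject -ComputerName $computer -Namespace 'root\cimv2' `
                                    -Query $query -ErrorAction Stop)
    } catch {
        Write-Warning "$computer : WMI query failed: $($_.Exception.Message)"
        continue
    }

    if ($services.Count -eq 0) {
        # The computer discovery would not create a
        # Company.Application.Class.Computer instance for this machine.
        Write-Warning "$computer : no service matches '$ServicePrefix%'"
        continue
    }

    # The service discovery creates one Company.Application.Class.Service
    # instance per returned row, with the class properties filled in.
    foreach ($s in $services) {
        [pscustomobject]@{
            Computer           = $computer
            ServiceName        = $s.Name
            ServiceDisplayName = $s.DisplayName   # Key="true" in the class definition
            ServiceProcessName = $s.PathName
            StartMode          = $s.StartMode
            LogOnAs            = $s.StartName
        }
    }
}
```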

Having Service objects as entities by themselves makes it easy to monitor, since you only need to create a single monitor that targets all the objects:

image

And that is pretty much it. The remaining pieces of the MP are references, presentation and display strings. Make sure to customize the IDs and messages according to your needs.

The final MP can be found here.

Hope this helps!

Authoring SCOM

Yet another update to the Extended Agent Info Management Pack

Published by:

I have recently updated my Extended agent info MP to include information about Operations Management Suite. I have now added a task to configure the agent to use OMS.

The new task shows in the tasks pane when you click on any agent or agents in the Extended Agents View:

image

Once clicked, you will need to override the name (should be Guid, I know) of the workspace and the key to that workspace:

image

Once configured, click Override and then Run. Once completed, the agent (as long as it supports OMS, version 7.2 and higher) will be configured as below:

image

I have also fixed an issue where once a management group was removed, the Monitoring Service wouldn’t start. I have found this great piece of code here from Matty T and have incorporated the technology. Thanks Matty!

The new version can be found here!

Azure Operations Management Suite SCOM

Updated Extended Agent Info Management Pack

Published by:

A while ago I wrote this article to help with SCOM side by side migrations from SCOM 2007. With the new Operations Management Suite wave and the possibility of agents reporting to an OMS workspace independently, visualizing agents that have been configured and/or have the OMS direct agent installed seems to be something that will be useful.

So, I have updated the management pack and it can be found here.

The basic difference is that you can see more information in the view:

image

As you can see above, some agents report to multiple workgroups as well as an OMS workspace.

Next steps in my backlog are tasks to configure an agent that has the agent (enable, disable, change workspace) and even perhaps upgrade the agent with the OMS binaries.

 

Hope this helps.

SCOM

Configure the SQL Agent Job Monitor in Operations Manager

Published by:

I had to configure the SQL Agent Job Monitor for a customer and had some very interesting experiences while doing it.

The first fact to be aware of is that Jobs are not discovered by default. I believe Microsoft did that to avoid unnecessary cycles when not all jobs may be that critical.

If you want to enable the discovery of the jobs, you will have to first go to the Authoring area and scope as below:

image

Once you do that, your options should be as below when you select Discoveries on the Left side:

image

To enable the discovery, apply an override to either or both SQL 2008 and SQL 2012 Agents:

image

In this case, I have created a group of SQL Servers that were important to have jobs monitored and applied the override to that group only.

Once the discovery runs, you should see the Agent Job State being populated:

image

image

Once you have the SQL Agent Jobs discovered, the monitors will run by default, both Last Run Status and Job Duration.

image

That’s when the fun starts. These are very peculiar monitors. Let’s take a look at each aspect of them.

1. The monitors are enabled by default, but don’t generate alerts. If you are looking to have alerts from them, you will need to apply an override:

image

2. For the Last Run Status monitor, the default behaviour is to send alerts (if you enable them) when the monitor is in a critical state. But surprise, this monitor never goes into a critical state!

image

So, even if you override it to send alerts, you will need an extra override for it to actually work:

image

3. Although the default value of the Alert Severity property is set to be Critical, when you get an alert, it will be a Warning alert, not critical. It’s not clear to me why, since all the configuration seems ok. If you really want the alert to be critical, you’ll need another override:

image

It really seems redundant, but it fixes the problem.

4. It seems that the Auto-Resolve Alert property also doesn’t work as expected. I have reset the health of the monitor and the Alert closed by itself, which I wouldn’t expect with the Auto-Resolve Alert set to false. The very likely reason for that you can see in the monitor properties:

image

So, if you want to change that, you will need to force the override below:

image

Once you get the alerts, they are a bit cryptic and not very informative:

image

image

For the SQL admin, those steps will likely make sense.

 

Hope this helps!

SCOM

SCOM Event Log monitoring–Event Source vs EventSourceName

Published by:

This is an old subject and EVERYBODY should know how to create an Alerting rule that detects a certain event and triggers an alert. However, the way things are laid out in SCOM can make your daily life difficult. I just ran into an issue yesterday that was giving me (more) gray hair.

The requirement was simple: detect abnormal BSOD or power related shutdowns. Easy as pie, right?

The events are fairly easy to pinpoint. Say, for example, event ID 1001:

image

Cool. All you have to do is create an Alerting rule in SCOM, with these criteria:

image

image

Event ID: 1001

Source: BugCheck

image

Right?

Wrong!

Here’s what I’ve experienced. When testing the rule, I run a simple PowerShell command to create a fake event:

Write-EventLog -LogName System -Source "BugCheck" -EntryType Error -EventID 1001 -Message "This is a test message."

Event is pretty similar:

image

That should have triggered my alerts. It didn’t however. Since I have ‘faked’ the event, the message shows me a bit more than just ‘This is a test message.’:

image

Now, notice this:

image

Why does it say the source is Microsoft-Windows-WER-SystemErrorReporting when the source is supposed to be “BugCheck”?

So, I’ve decided to change the rule to:

image

Bingo! Now, the alert was generated correctly. In summary, the source you see in the event log is what SCOM sees when detecting the event. The same applies for Kernel-Power, for example:

image

Now the reason for that is in the details of the event:

image

In fact, the EventSourceName is ‘BugCheck’. The Provider Name is considered the source by SCOM, as you can see above and below:

image

The way to fix it, if you want to use the EventSourceName, is to use a custom field. Notice SCOM doesn’t provide a native ‘EventSourceName’ option:

image

You can then use:

image

And there you have it!
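The difference between the two values is visible in the event XML itself. The PowerShell below is an added example, not part of the original post; the sample event is constructed from the values quoted above, with placeholder Guid and computer name.

```powershell
# Added example: show the provider name (what SCOM matches as "Event Source")
# next to the legacy EventSourceName carried by the same event.

# Constructed sample event; Guid and Computer are placeholders.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WER-SystemErrorReporting"
              Guid="{00000000-0000-0000-0000-000000000000}"
              EventSourceName="BugCheck" />
    <EventID>1001</EventID>
    <Level>2</Level>
    <Channel>System</Channel>
    <Computer>server01.example.test</Computer>
  </System>
  <EventData>
    <Data>This is a test message.</Data>
  </EventData>
</Event>
'@

function Get-EventSourceInfo {
    param([Parameter(Mandatory)][string]$EventXml)

    $system   = ([xml]$EventXml).DocumentElement['System']
    $provider = $system['Provider']
    $legacy   = $provider.GetAttribute('EventSourceName')   # '' when absent

    [pscustomobject]@{
        EventId         = [int]$system['EventID'].InnerText
        ProviderName    = $provider.GetAttribute('Name')     # match this in the rule's Event Source
        EventSourceName = $legacy                            # only reachable through a custom field
        NamesDiffer     = ($legacy -ne '') -and ($legacy -ne $provider.GetAttribute('Name'))
    }
}

# Parse the constructed sample.
Get-EventSourceInfo -EventXml $sampleXml

# Run the same check against real events on a live system.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventSourceInfo -EventXml $_.ToXml() }
```

Any row where NamesDiffer is true is an event for which a rule written against the name shown in the General tab would stay silent.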

 

Hope this helps!

SCOM

Operations Manager 2012 R2 U7 Released

Published by:

You can get it here! (use IE if you have windows 10).

There’s quite a list of issues solved:

· The home page link in the Web Console Noscript.aspx file is vulnerable to cross-site scripting (XSS)

·  “Agents by Health State” report shows duplicate entries and inconsistent data

· Dependent tables are not groomed (Event.EventParameter_GUID table)

· Management Packs do not synchronize between management servers

· Leaked transaction causes over 100 SPIDs in SCOM database to be permanently blocked by the “p_DataPurging” stored procedure

· Operations Manager SDK crashes because of SQL errors when QueryResultsReader.Dispose is called

· You can’t view dashboard performance counters that are created by using the TCP Port Monitoring template

· Dynamic inclusion rule is added to a group definition unexpectedly if an explicit member instance of the group disappears

·  You can’t create group by using the SQL Server 20XX Installation Seed

· Add MPB support to the SCOM online catalog

· Active Directory Integration in Perimeter Network fails when there is only an RODC present

· System Center Operations Manager subscriptions that use the filter to search for specific text in the description (of the message) do not work

· CLR load order change

· Problems in obtaining monitoring objects by using “managementGroup.EntityObjects.GetObjectReader”

· The “Threshold Comparison” setting in the consecutive-samples-over-threshold monitor cannot be configured

· Agentless Exception Monitoring (AEM) causes the Health Service to crash because the maximum path length of 248 characters is exceeded

· After you update management packs, the newly added default (visible) columns to view are not visible automatically

· Branding update – Updates the “Operational Insights” name to “Operations Management Suite” in the System Center Operations Management console. (yey!)

Here’s my experience installing it:

Downloading the required bits:

image

The steps are pretty similar to the previous ones:

Supported installation order

We recommend that you install this update rollup package by following these steps in the given order:

  1. Install the update rollup package on the following server infrastructure:
    • Management server or servers
    • Gateway servers
    • Web console server role computers
    • Operations console role computers
  2. Apply SQL scripts (see installation information).
  3. Manually import the management packs.
  4. Apply the agent update to manually installed agents, or push the installation from the Pending view in the Operations console.

 

1. Let’s start by applying the binaries:

image

Server first:

image

Needs restart:

image

Now Console and Web Console:

image

2. Applying the SQL Scripts:

First the Operations Manager DB:

image

image

Historically, a reboot or stopping the SCOM server helps this query to run smoothly.

Now the DW:

image

This one is pretty quick.

3. Now the MPs

On my first try, although the setup asked me to reboot to complete the install (some files might have been in use), it failed to update one of the MP files (from C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\Management Packs for Update Rollups)

image

So, I ended up extracting the visualization MP manually, but you could probably fix it by running the .msp for the server once more.

4. Last but not least, update the agents:

image

Some visual signs it worked:

image

SCOM

Monitoring Abnormal (sudden) Disk Usage with SCOM

Published by:

A customer recently asked me for a solution to monitor an abnormal growth in usage of a volume or disk. SCOM doesn’t have a native monitor for that. Enters PowerShell and authoring!

First I wrote the script, which essentially accepts a drive letter, a threshold (in MBytes) and a debug flag to log events in Event Viewer.

The script will use Get-WmiObject Win32_LogicalDisk -ComputerName . -Filter "DeviceID='$driveletter'" | Select-Object Size,FreeSpace to retrieve the status of the drive.

It will then compare the current free space with the previous value (kept in a temp file) and, if the growth is larger than the threshold, the rule is triggered.

I have also included a rule to collect event 666 (debug) if enabled.
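The logic described above can be sketched as follows. This is an added example, not the script shipped in the management pack; the state file name, the script name passed to the event, and the output object are assumptions.

```powershell
# Added example, not the management pack's own script.
param(
    [ValidatePattern('^[A-Za-z]:$')]    # only "C:"-style input reaches the WQL filter
    [string]$DriveLetter = 'C:',
    [int]$ThresholdMB = 5120,           # 5 GB expressed in MB
    [switch]$DebugLog
)

# Growth is the drop in free space since the previous sample.
function Measure-DiskGrowth {
    param([double]$PreviousFreeMB, [double]$CurrentFreeMB, [double]$ThresholdMB)
    $growthMB = $PreviousFreeMB - $CurrentFreeMB
    [pscustomobject]@{
        GrowthMB  = [math]::Round($growthMB, 1)
        Triggered = $growthMB -gt $ThresholdMB
    }
}

$disk = Get-WmiObject Win32_LogicalDisk -ComputerName . -Filter "DeviceID='$DriveLetter'" |
    Select-Object Size, FreeSpace
if (-not $disk) { throw "Drive $DriveLetter not found." }
$currentFreeMB = $disk.FreeSpace / 1MB

# State file with the previous sample (file name is an assumption).
# Keep it where only the agent's account can write: a baseline that other
# local users can modify could be altered to hide growth.
$stateFile = Join-Path $env:TEMP ("DiskGrowth_{0}.txt" -f $DriveLetter.TrimEnd(':'))
$invariant = [Globalization.CultureInfo]::InvariantCulture

$result = $null
if (Test-Path $stateFile) {
    $previousFreeMB = 0.0
    $raw = Get-Content $stateFile -TotalCount 1
    if ([double]::TryParse($raw, [Globalization.NumberStyles]::Float, $invariant, [ref]$previousFreeMB)) {
        $result = Measure-DiskGrowth -PreviousFreeMB $previousFreeMB `
                                     -CurrentFreeMB $currentFreeMB -ThresholdMB $ThresholdMB
    }
}
# First run or unreadable baseline: nothing to compare against yet.
if (-not $result) { $result = [pscustomobject]@{ GrowthMB = 0; Triggered = $false } }

# Save the current sample for the next run.
$currentFreeMB.ToString('F1', $invariant) | Set-Content $stateFile

if ($DebugLog) {
    # Event 666 in the Operations Manager log, written through the agent's script API.
    $api = New-Object -ComObject 'MOM.ScriptAPI'
    $api.LogScriptEvent('DiskGrowth.ps1', 666, 0,
        "Drive $DriveLetter free=$([math]::Round($currentFreeMB)) MB growth=$($result.GrowthMB) MB")
}

$result
```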

The Management Pack has basically two rules:

Fehse.Extended.Disk.Monitoring.DiskGrowthPercentageRule: 5% growth on a 15 minutes interval

Fehse.Extended.Disk.Monitoring.DiskGrowthRule: 5Gb of growth on a 15 minutes interval

Both rules are disabled by default and need to be overridden for each computer you want to monitor (or disk in this case).

Debug is enabled by default, so you can expect events 666 in the Operations Manager log on every computer running the scripts. They will look like this:

image

MP can be found here.

 

Hope this helps!

SCOM

New SQL MP 6.6.0.0

Published by:

Microsoft recently released a new Microsoft SQL Server Management pack for SCOM 2012. Here’s my experience importing and reviewing its new features/general operation.

The MP can be downloaded here and it has a decent set of new features and fixes:

New features and fixes:

  • Dashboards were replaced with the new ones
  • Components of replication functionality are deprecated and disabled by default
  • SPN monitor now correctly handles disjoined namespaces
  • Added support for filegroups containing filestreams and partition schemes
  • Memory Consumption monitor has been fixed
  • Upgradeability from 6.4.1.0 version is supported
  • Added CPU Usage monitor and rule for SQL Server 2005
  • Added ConsecutiveSamples Condition to the Buffer Cache Hit Ratio and Page Life Expectancy monitors
  • AlwaysOn discovery was reworked
  • Minor fixes.

After installing it, the files will be located on a folder.

All you have to do is import from disk.

You won’t need all of them, very likely. Make sure you only import MPs that you’re actually going to use. In my case, only these:

image

But not. I’ve just looked and noticed I had imported the SQL 2008 pieces as well as the always on feature. I will then update the SQL 2008 and remove the Always on, since I’m not using it at this moment:

image

Importing these:

image

OK. All good now.

First looks at the console show some new cool dashboards…but not. When I clicked, I’ve got a funny message that the dashboard didn’t exist or had been removed.

As usual, closing and re-opening the SCOM operations Console fixed the issue. Here’s a quick sample of the new dashboards:

image

It looks great. This is called the Datacenter view. If you (double)click on any of the tiles, you will get more information (databases):

image

and jobs:

image

This is great, but there is more! The SQL team has been so generous in creating those dashboards that they will also share these with other platforms.

Yes, yes. That’s what you think: you can leverage this same visualization to show information about other objects. Let’s give it a try!

To the batworkspace!

image

 

Look at that!

image

image

The new dashboard will be a bit quiet, but let’s fix this:

image

Nothing can beat the classics. Let’s pick All Windows Computers:

image

Hum, interesting:

image

This is a brand new SCOM, so, not a lot of stuff there, but makes sense:

image

The nice thing about it is that you can add multiple groups:

image

Settings allow for changes in the refresh interval and colours:

image

 

Summary: couldn’t find any operational flaw yet but will keep you posted. As for visualization, it is a great improvement. Thank the SQL team for developing and sharing this!

 

Hope this helps!

Authoring SCOM

Issue with SCOM Run As Account

Published by:

Recently had an issue with my custom fileshare monitor but I believe it can happen to any Run As Account/Profile. My MP has a run as profile, to run the PowerShell commands:

image

When installing this at a customer, we have re-purposed an existing Run As Account, by changing the account credentials. The Account was then assigned to my Run As Profile.

image

However, the monitor wouldn’t work. Bummer! I had that tested extensively in my lab. And it is a simple monitor. So, I have added more debug to the script:

image

It will then show the logged on user while running the command.

image

To my (big) surprise, the account running the monitoring was the account set before the re-purposing. And yes, it had been almost four days, so, not a case of waiting for the MPs to be updated in the agent.

So, quick solution: create a new Run As Account and assign it to the MP’s run as profile.

Fixed!

Moral of the story: you can’t always trust what it says in the run as account credentials configuration. There must be an issue that needs to be looked at. Maybe by clearing the Health Store, it will download the correct information.

Hope this helps!

 


Authoring SCOM

SCOM Distributed Application Object Location

Published by:

Often enough I find myself asked where can certain types of objects be found in SCOM when creating a Distributed Application. It seems straightforward but the location of some of them can take you a few minutes to find. So here goes a summary of objects I find useful:

Windows Computer

Object -> Configuration Item -> Logical Entity -> Device -> Computer -> Windows Computer

Web Application Monitors

Object -> Configuration Item -> Logical Entity -> Perspective -> Web Application Perspective

Web Availability Monitors

Object -> Configuration Item -> Logical Entity -> Perspective -> Web Application Availability Monitoring Test Base

SQL Jobs

Object -> Configuration Item -> Logical Entity -> Application Component -> Windows Application Component -> SQL Component -> SQL Agent Job

Windows Services

Object -> Configuration Item -> Logical Entity -> Local Application -> Windows Local Application -> Windows Local Service -> Windows Service

Distributed Applications (User Created)

Object -> Configuration Item -> Logical Entity -> Service -> User Created Distributed Application

TCP Ports

Object -> Configuration Item -> Logical Entity -> Perspective -> TCP port check Perspective

Databases (SQL)

Object -> Configuration Item -> Logical Entity -> Application Component -> Database -> SQL Database

Clusters

Object -> Configuration Item -> Logical Entity -> Group -> Windows Cluster

Hope this helps!

 
