My client wanted to be able to see all of the servers that a certain process was running on. It was a ‘roaming’ process, and could be on any number of servers at any given time.  That’s easily solved with a dynamic group, a WMI query, and a custom attribute. In this example, I’ll be using the ubiqutous Notepad.exe

1. First, start the console, open the Authoring pane, then right click on attributes and select “Create New Attribute“.
2. Give your attribute a name - I used “Notepad Running” - and a nice description, then hit next.
   

   SCOM - Create Attribute Wizard - General Properties Page

3. Under “Discovery Type” select WMI Query and select your target and management pack. Windows Server_Extended is a good choice for something as open ended as our particular request is, but you can narrow it down if you’d like.
   Then hit next.
   

   SCOM - Create Attribute Wizard - Discovery Method

4. Under WMI Configuration we will build our query. Enter root\cimv2 for the namespace and for the query we’ll be using “Select * FROM WIN32_Process where Name = “notepad.exe”. The Property Name field is the most important part, and one not a lot of people understand right away. The “Property Name” field is what SCOM pays attention to, and what you use when you build groups and rules. In this example, I only want processes with notepad.exe to be returned, so I specify that in my query. For the Property name, I’m using Handle, which will always return something, but I could have used almost anything - such as ProcessID.
   

   SCOM - Create Attribute Wizard - WMI Configuration

   If I wanted to create a more generic attribute, I could have used the query “Select * FROM WIN32_Process”, with a property name of “Name”. Then I could create groups with attributes of <Attribute> equals <Process Name>. If you’d like to learn more about the various fields available to you, open CIM Studio, part of the WMI Administrative Tools bundle. When you execute a query, the column names are what we’re talking about here.

   

   CIM Studio - Results of WMI Query

5. After you’re done, hit finish and we’ll be back at the attributes pane. Do a quick search to make sure it was added, and we’re done here.
   

   SCOM - Search Results for custom attribute

6. Now right-click on groups and select “Create a new group”
   Give it a nice friendly name & description and for the management pack choose the same one you used when creating your attribute! That’s important, as dynamic inclusion rules only scope to what is available in the current management pack (And any dependent ones), so you’d be going crazy wondering where your attribute is if you used a different one. Then hit Next>
   

   SCOM - Create Attribute - Create Group Wizard

7. Under “Explicit Members” hit next, we don’t want to put anything in here.
8. Under “Dynamic Members” click on Create/Edit Rules. From the drop down, select the class your attribute was added to (In this case, it’s Windows Server_Extended) and hit add to insert a line. Click on the drop down for Property, and you should see the one we created called “Notepad Running”.
   

   SCOM - Create Attribute - Dynamic Group Query Builder 2

9. Select it, then finish up the formula. In this particular case we’re using “Greater than or equal to” as the operator and “1″ as the value.
   

   SCOM - Create Attribute - Dynamic Group Formula

   To be perfectly honest, you should consider this more of a ‘hack’. What happens is the agent runs “Select * FROM WIN32_Process where Name = ‘notepad.exe’” and returns the Handle property back to the server. The Handle property will never be 0 (Except for the System Idle Process). So if notepad.exe is running on a particular server, it will always return a Handle greater than or equal to 1. If notepad.exe isn’t running on a server, this query returns $null for the handle, which evaluates to FALSE in out Greater than or equal to formula.

10. Click on OK, then Next. Hit next on Subgroups and again on Excluded Members, then hit ‘Create’.

You’re finished. Wait some time for the new discovery to propogate fully, then right click on your newly created group and then “View Group Members”. And now you can interact with this group just like you’ve always been. Have fun!

I’ve also been playing around with PowerShell and 37 year old code.

Super Star Trek - in PowerShell!

Yes, that’s Super Star Trek. Just a little time-waster I work on while I’m mulling over a problem or two. And huge thanks to Jaykul of course, for all of his Powershell knowledge. I can’t do it without him and the crew in #powershell!

Are you on Twitter? If so, be sure to follow OpsMgr to stay on top of the most recent SCOM posts out there! And while you’re at it, feel free to follow me as well - I can always use more friends.

Until next time.

Powered by Twitter Tools.

I want one. From hanging out in a PowerShell chat room I’ve learned so much more, and so much faster, then I would have reading books and going through tutorials.

So I’ve setup an IRC chat room on the FreeNode network. Why FreeNode? Well, the PowerShell guys hang out there, so we might as well hang out there too. So if you’re familiar with IRC, connect to chat.freenode.net and /join channel #scom. Not familiar with it? Then use the web based chat I’ve setup (And will eventually register) or read the ’short’ IRC primer.

Hope to see you there, as I’m fairly lonely in the channel all by myself!

But man, just how do we shoe horn an agent on poor Windows Mobile?

Just wait.

No fret though, we can still do it - it’ll just take a little bit of actual effort.

First, we need to define our Primary and Failover management servers. This isn’t something you can just progmatically grab, so you’ll need to know the name yourself.

In my $PROFILE, I’ve set them to be defined to 2 variables with the following:

Now that we have that set, it’s simple to do the rest. First, lets grab all of the servers that don’t have a failover management server set.

What the above does is call the GetFailoverManagementServers() method on each agent. If they have a failover, it will return data and thus $True. If there aren’t any failovers, it will return nothing - which is the same as $False. So we look for all the ones that don’t return anything.

If you’re curious, you can see just how many servers are missing failovers with

- in my case it was 63.

Now, we just run a quick snippet that adds the failover server to the agent:

That will crunch away as it’s doing it’s thing, we’re redirecting output to $null so we don’t have to see agents scrolling over and over. When it returns you to a prompt, you’re done. If you’d like to verify that you did indeed set all of the agents to have a failover, we can check real quick:

And that’s that. All of your agents have a primary and failover server.

But wait, you have a lot of remotely managed devices too? Monitoring SNMP on a bunch of different servers - what happens for that?

Well, we can’t setup a failover (From what I’ve seen, if I’m wrong please let me know) agent. But we can proactively write a script that will change the proxy agent on the devices, and run it as needed.

This was written in a response to this query on the newsgroups, and is only a cursory look into it. There may be other ways of doing this - and I’d love to hear it. As it stands, I’m not sure how to set them back to a management server as the monitor.

Firstly, we’ll have to pick an agent managed computer to use as the new proxy agent. You can’t use a management server for this, because they aren’t “Agent Managed” and you can’t use Set-ManagementServer because the devices aren’t “Remote Managed Computers”.  I have a seperate agent-managed server on my network I call “Timex” because it acts like a watcher node. So I’ll go ahead and use him.

Then gather a list of our current remotely managed devices

Now just loop through it, setting the device to use the proxy agent we just instantiated:

That will loop through things changing the proxy server that it uses. When it’s done, we can verify it by running:

If it outputs nothing, then they’ve all been changed. Simple as that!

After messing around with authoring console and creating classes based on event viewer errors and other equally exotic methods I came upon something that works wonderfully. The catch? You can only create 254 rules this way.

What am I talking about? Some powershell scripts and the alert resolution states!

By default, there are only 2 states defined - 0 for New, and 255 for Closed. They are always there, and can not be deleted. This leaves 1 - 254 as user definable states. We can use these to make one-to-one events.

Let me start off that this isn’t an ideal solution, but it is the most readable and elegant solution for this particular problem. You probably shouldn’t do this on a single rule basis, but target it more at a wildcard match. You do have a naming convention for your rules and monitors, right? If not, this is the perfect reason to get one. I’ll typically use a convention of <Product Type>-<Product>-<Version (If multiple)-<Rule>. So if I had a rule targeted at exchange, I’d have a rule similar to “EMAIL - Exchange - Exchange 2007 - Search for ‘Jeremy is fired’ in execs mail”. Then when I’m using an exotic config to send an alert, such as this one, I can better fine tune alerts.

Remember, the more you move away from the  “Out of box” yfunctionality with OpsMgr, the more you should be documenting. Or even better, a wiki. Just make a reference to the wiki in the description, and people will know exactly what you’re trying to do - that’s for another post though.

Let’s get on with it, shall we?

I’m going to create a situation. I have a custom application which logs to the Application log. There’s one particular event that only one group in the organization cares about - all they want is a notification of this one single event and nothing else. How do we do it?

The Cliff’s Notes version of what we’ll be accomplishing today:

• Create a custom Resolution State
• Define a new rule
• Deploy a PowerShell script to the RMS to update the resolution state of matching alerts
• Create a notification subscription which responds to our particular state

Now, for the complete steps

1. First go to Authoring > Management Pack Objects > Rules - Right click and “Create new rule”
2. Under rule type, select Alert Generating, Event Based, NT Event Log (Alert) and select a management pack to use.
   
3. Enter a rule name that is distinctive enough that no other rules will have that same name.  Then enter a description, rule category and choose a target. You can go with the shotgun approach and pick “All Computers” here if you’d like.
   
   
4. Now walk through the rest of the wizard and configure your event log settings - for this test I’m using the Application log, Event ID of 926 and event source of “Pavleck.NET Test”. But you can put whatever you want here ace, it’s up to you.
5. Configure your alert. It should automatically copy over the rule name as the alert name. The alert name is what we’ll actually be alerting on, so it’s important that you remember what it is, and ensure it’s distinctive enough to not match something that already exists.
   
6. Now we can work on the other parts of this while our rule is propagating across the environment.
7. Go to Administration > Settings > Alerts - this is where we’ll define a new Alert Resolution State to use. Click on “New…” and name your state and choose an ID for it, I used 10 in this example.
   
8. Click Apply, then Ok and now we’re done with part 2.
9. Let’s go ahead and test and see if our rule works, just open a command window and use some EventCreate.exe magic.
   
10. Open up the alert console for whatever machine you ran that on and you should see our new alert in there - yay, we did something!
    
11. Now we’ll add the magic that changes the alert resolution state. It’s a fairly simple script, and it’s meant to be that way. For simplicity’s sake, we’ll be running this script as a timed response from the RMS. Depending on how your particular environment is setup, you could also run it inside of the rule itself, as an additional response to “Create Alert”. But that only works well if you only plan on doinbg this sparingly, otherwise it makes more sense to run this from the RMS and add onto the script as needed.
    First, download SCOM-UpdateResolution.ps1 here (Or view it after the jump) and edit the alert name, resolution state and RMS to what matches your environment.
12. Now we’ll need to go and create a new rule. Rule type is Timed Commands > Execute a command. Give it a name and description. I’ve set the rule category to “Maintenance” as that makes the most sense to me.
    
13. For the schedule, I’ve set mine to run every 2 minutes. This means there will be a delay of that much between alerts and notifications, but that’s acceptable to me. Then hit next.
14. Configure the command line execution settings as shown - remembering to use “&” instead of “&”. I’ve set the timeout to 45 seconds.
    
15. Hit create and that’s almost all of it - all we need to do now is to create the alert subscription. Go to administration, right click on Subscriptions and choose “Create new notification subscription”
16. Step through it like normal, choosing all groups, all classes. When you get to the Alert Criteria page, uncheck “New” and “Closed” and check our new resolution state. If you keep ‘closed’ in there, it will pertain to all alerts that close. That’s one drawback to this method, you won’t get closed alerts.
    
17. Finish it up as you normally would, then lets test it! Create a few more test events, and lets see if it works.

That’s all there is to it. This works, reliably and 100% of the time. It’s extremely flexible and easy to follow for someone just walking into your environment.

By using a single PowerShell script, and targeting the RMS computer group you’ll be making sure that you have only a single simple script to edit and by mirroring the files and directory paths to any other management servers in your environment you maintain this method if you ever need to promote one to an RMS.

Here’s the full script, in case any one wants to view it this way - as you can see it’s quite simple. It’s also easily edited to add more functionality - I’ll be posting updates to it every now and then.

1. Open your MOM 2005 Administration console, click on “Management Packs”, then select “Import/Export Management Packs” in the right hand pane.

2. Go through the wizard, selecting the export option, and choosing the rule group you’re looking for. You can choose to export views and tasks as well, but I recommend against that as it’s easy enough to recreate in OpsMgr and you have a lot more objects to choose from. Give it a file name - I usually use <Rule Group>.MP.2005 to make it obvious where it came from.

3. Next you’ll want to make sure you have the MOM 2005 Resource Kit installed on your management server and go to %PROGRAM FILES%\Microsoft Operations Manager Resource Kit\Tools\Convert Management Packs to XML. Copy the file MP2XML.exe to the same place you exported your management pack to.

4. Now get to that location via the command line, and lets take that binary AKM and make it useful. Converting it is pretty straightforward - just run MP2XML.exe MOM2005ManagementPack.akm MyNewXMLFile.xml.

5. When it’s done, copy that new MOM 2005 XML document into your SCOM directory. In that directory lie 2 tools we need, MPConvert.exe and MPVerify.exe. You can copy these tools somewhere else if you like, but the verification tool needs access to other management packs so make sure it’s in your %PATH% otherwise.

6. Run MPConvert.exe against your XML file. The tool is looking for MPConvert.exe OLD_NAME NEW_NAME. For simplicity’s sake I use the same name, only appending _converted to the end to differentiate the 2.

7. When that’s done, run MPVerify.exe against the new managment pack. What this tool does is ensure that everything has been converted over to the new format properly. It’s as simple as MPVerify.exe New_Management_Pack.xml

8. From there, it’s up to you. You can open the new unsealed management pack in the Authoring Console to adjust things, or you can just import it in as it is - the choice is yours! That’s all there is to it!

Enter OpsMgr 2007. It introduced us to an old concept of the ‘monitor’. The monitor is a multi-state event. It watches for multiple items; something will set a particular item into a failed or degraded mode, and there is a corresponding event that marked it as being healthy again. This is wonderful, as it helps minimize the amount of open alerts sitting in your system at any given time. Less open alerts means we have more relevant information to look at.

When it comes to core Windows monitors, it works beautifully and 100% of the time. If you cross a memory threshold, an event is created and an alert goes out (If you’ve set it up to alert). When the memory drops below this threshold, then the monitor marks that particular object as being in a Healthy state again and, if you’ve allowed it to, it auto-closes the alert.

When this doesn’t work beautifully and 100% of the time is when you need to rely on 3rd party agents and management packs. I’ll use the HP Management Packs as an example, because that’s what I’ve been facing recently.

The way OpsMgr knows about hardware events that happen on an HP machine is because the HP agents themselves will place an event in the Event Viewer and/or send an SNMP trap about it. Works flawlessly to create an event in SCOM about an unhealthy object. What doesn’t work perfectly is the corresponding event that marks that system as being healthy again.

The reason for this seems to depend on the exact configuration of a server, the version of the HP agents, and the actual event itself. If there is an event, such as a power supply failing, the log is populated and SCOM creates an event saying “Power Supply #1 degraded.”. When that power supply is replaced, it won’t necessarily auto-resolve the event, because instead of seeing “Power Supply #1 Healthy”, the HP agents might instead log “Power Supply (Serial number: FD30401104-P) Inserted into Bay #0″. The monitor isn’t looking for that, and so it isn’t aware that that is the corresponding ‘good’ event, and the event stays open.

So theoretically you could replace a failing piece of hardware, such as a Power Supply, which doesn’t auto-resolve and then in the future have that same PSU die, which won’t cause a new alert and literally leave you ‘powerless’ to know what is going on.

Now, in a normal deployment of OpsMgr this isn’t to large of a concern. There are always eyes on the console or emails being sent. Someone will see it, fix it, then ensure the event is closed.

The current situation I’m in, however, doesn’t work this way. SCOM is being used consoleless to monitor a group of monitoring tools. Essentially it’s here to keep ‘them’ honest, and to ensure there’s another level of defense to protect us and let us know when a failure has occurred.

Because of this, those slight discrepancies in the HP agents and the HP management pack aren’t acceptable. But OpsMgr really doesn’t have a way of being run without anyone paying attention to it - or does it?

It actually does. What I’ve setup at this site is a PowerShell script which runs every 4 hours and resolves all the open HP alerts.The HP Agents themselves will run a self-check every hour or so, and log that “Power Supply #1″ is still failed. Because we’ve already cleared that alert, SCOM will pick it up again and re-fire the event, the alert, and all that jazz. In essence, we’ve created a ‘nag’ feature in SCOM.

This is beneficial in our case, because the current setup of OpsMgr where I’m at is mainly there to watch the other monitoring tools. This ‘nag’ lets us know that the problem was either not taken care of, or was not alerted on - thus ‘keeping them honest’.

How we do all this is very simple - the OpsMgr Command Shell has almost everything we need.

We’ll use Get-Alert to bring back a list of all open HP events, and Resolve-Alert to close them, adding a comment that we automated this.

To find the HP alerts, we need to match against the MonitoringObjectFullName property inside the alert. Through trial and error, I noticed that every single HP object began with “HewlettPackard”. So we’ll match against that, picking all alerts that don’t have a resolution state of 255 (Closed).

From there, we cycle through the alert array, passing each one to Resolve-Alert, along with a -comment - in my case I used “Closed by Powershell - see (link) for more details” with a link to the internal Wiki.

And that’s really all that there is to it. Mind you, I’ve done a lot more in the script, as you’ll see below. It measures how long it took to bring up the alerts, counts how many were per severity, the repeat count, etc then creates a PropertyBag and submits all the information to OpsMgr for reporting. It then also logs it to the eventviewer.

Download SCOM-Resolve-HardwareAlerts.ps1

This script is best setup to run every 4 hours or so. It’s setup as a generic ‘timed script’ inside of SCOM. If you’d like more info on setting up SCOM to work with Powershell more properly, see Brian Wren’s post here.

Here’s the script:

SCOM & MOM - All Feeds.opml

SCOM & MOM - MS “Official” Feeds.opml

SCOM & MOM - Community Feeds.opml

SCOM & MOM - Useful Feeds.opml