Azure Monitor Archives - Kevin Justin's Blog

Configure MMA agent via PowerShell

A car mechanic uses battery jumper cables to charge a dead battery.

Do you feel like a mechanic having to jump start the agent configuration like a dead car battery? Assuming the Agent is already installed, you can configure the SCOM agent via PowerShell. Even better when you can PowerShell remote to multiple systems. I hope the PowerShell commands below help you master PowerShell to configure the SCOM side of the MMA agent (house).

/*
# Find/replace variables to your environment like Kevin Holman’s fragments!
##SCOMMGMTGROUP1##
##SCOMMGMTGROUP2##
##SCOMMGMTSERVER1##
##SCOMMGMTSERVER2##
#
*/

$SCOMAgent = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
$SCOMAgent.GetManagementGroup(“##SCOMMGMTGROUP1##”);$SCOMAgent.GetManagementGroup(“##SCOMMGMTGROUP2##”)

# If mgmt groups are incorrectly set
$SCOMAgent.RemoveManagementGroup(“##SCOMMGMTGROUP1##”)
$SCOMAgent.RemoveManagementGroup(“##SCOMMGMTGROUP2##”)

restart-service healthservice

# Domain
$SCOMAgent.AddManagementGroup(“##SCOMMGMTGROUP1##”,”##SCOMMGMTSERVER1##”,5723)

# Verify agent config
$SCOMAgent.GetManagementGroup(“##SCOMMGMTGROUP1##”)
# If you have a second management group

$SCOMAgent.GetManagementGroup(“##SCOMMGMTGROUP2##”)

# Restart and test connectivity
restart-service healthservice

# Check connectivity
test-netconnection -port 5723 -computername ##SCOMMGMTSERVER1##

WebConsole APM hotfix for SCOM2012R2 and above

Vaccination Record - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above — Vaccination Record

SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above, time for another SCOM shot! Don’t forget your vaccination card 🙂

Let’s get started. Time to fix the vulnerability for ‘SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above’. Read the support article, and assess what versions you have in your sandbox and production. Once assessed, it’s time to test/implement/verify the fix applied.

Support article

https://support.microsoft.com/en-us/topic/update-for-idor-vulnerability-in-system-center-operations-manager-kb5006871-0e3a513a-ad80-4830-8984-2fc5a40ee7f7

SCOM WebConsole Hotfix links

(support.microsoft.com articles)

Specific support article for SCOM2019 UR3 Hotfix

SCOM2019 UR3 Hotfix support.microsoft.com article link

Specific support article for SCOM2016 UR10 Hotfix

SCOM2016 UR10 Hotfix support.microsoft.com article link

Specific support article for SCOM2012R2 UR14 Hotfix

SCOM2016 UR10 Hotfix support.microsoft.com article link

# Download (same EXE has all 3 SCOM versions)

https://download.microsoft.com/download/3/e/e/3eec1274-64d5-4285-84b9-c50800eb2dd2/KB5006871.EXE

Hotfix updates two paths on SCOM management server with the WebConsole role

Paths updated

(don’t forget to add File Version property to your display)

NOTE Drive letter depends on where you installed SCOM (typically D:)

SCOM2019 paths

D:\Program Files\Microsoft System Center\Operations Manager\WebConsole\AppDiagnostics\Web\bin

D:\Program Files\Microsoft System Center\Operations Manager\WebConsole\AppDiagnostics\AppAdvisor\Web\Bin

SCOM2016 paths

D:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\AppDiagnostics\Web\bin

D:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\AppDiagnostics\AppAdvisor\Web\Bin

Screenshot of paths

AppDiagnostics File Path - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above — AppDiagnostics File Path

AppDiagnostics AppAdvisor File Path - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above — AppDiagnostics AppAdvisor File Path

Just in case you forgot how to add properties in Windows Explorer…

In the columns (Name, Date modified, etc,) right click > More

Add file property - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above — Add file property

Hit F to move down to the F named details > hit check box for ‘File Version’ or click on File Version and hit space bar

Click on OK

Add file property File Version - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above — Add file property File Version

Sort by ‘Date Modified’ Column

Verify File Version - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above — Verify File Version

File versions AFTER installing hotfix

Depending on which SCOM version you’re running, the path stays pretty much the same, and you want to verify that files were updated for the ‘SCOM hotfix released for WebConsole/APM’

SCOM2019

UR3 = 10.19.10505.0 > Hotfix file version = 10.19.10550.0

SCOM2016

UR10 = 7.2.12324 > Hotfix file version = 7.2.12335.0

Standard UR10 files are 8.0.10918.0

Voila > SCOM hotfix complete

Notify your Security team you’ve patched, because sometimes the scanner software isn’t accurately updated (where Security needs to open a case with their vendor!)

Complete: Patched environment for ‘SCOM WebConsole/APM on SCOM2012R2 and above’

Parse Events via PowerShell into table

Parsing Events via PowerShell into table — Optometrist eye testing equipment picture

Parse Events via PowerShell into table. Ever have need to parse an event, and grab a field from the event description, then perform some action after that?

Here’s some PowerShell that may help you first to create a table, then setup columns, gather data, then parse what you need, and run a command to then output to the table

# Create Table for alerts

$Table = @()

$Table = $null

$Table = New-Object System.Data.DataTable “Failed Hosts List”

$Col1 = New-Object System.Data.DataColumn Host

$Col2 = New-Object System.Data.DataColumn IPAddress

$Table.Columns.Add($Col1)

$Table.Columns.Add($Col2)

$Alert20046 = Get-WinEvent -FilterHashtable @{LogName=’Operations Manager’;

ID=’20046′;}

$Alerts20046 = $Alert20046.Message

$Alerts20046.count

$Alerts20046uniq = $Alerts20046 | sort -uniq

$Alerts20046uniq.count

# $DeniedUniq = $Denied20046 | Sort-Object -Uniq

# $ServersDenied = @()

foreach ( $server in $DeniedUniq)

{

$Name = nslookup $server

foreach ($server in $Name)

{

# Add to Table

# $Name.Split(“:”)[6]

# $Name.Split(“:”)[8]

$row = $Table.NewRow()

$row.Host = $Name.Split(“:”)[6]

$row.IPAddress = $Name.Split(“:”)[8]

$Table.Rows.Add($row)

}

Mining Windows Event Log

Mining Ore from the Windows Event Log and finding a way to make it portable

Use Get-WinEvent to use XML and filters from event viewer, to mine an event, including examples for a specific string, from a specific event, in a specific event log?

Hopefully this post will help with a few tips to simplify monitoring for events, whether in AzMon, SCOM, or via PowerShell.

Let’s start with the Dr Scripto blog post from quite a while ago –

https://devblogs.microsoft.com/scripting/data-mine-the-windows-event-log-by-using-powershell-and-xml/

Not sure how many people use get-WinEvent, but this is one tool in PowerShell that can help an admin parse the XML side of an event.

Example 1

Query Application Event Log for Severity, Event, and Event Data contains lync.exe

$query = @”

<Select Path=”Application”>*[System[Provider[@Name=’Application Hang’]

and (Level=2) and (EventID=1002)]]

and *[EventData[Data=’lync.exe’]]</Select>

</Query>

</QueryList>

“@

Get-WinEvent -FilterXml $query

PowerShell output

Use Get-WinEvent to use XML and filters from event viewer

The Tip or Trick part of this – leverage your Event Viewer Filter as a query to use with get-WinEvent

Credit for this tip comes from Andrew Blumhardt!

See below for examples to ‘use Get-WinEvent to use XML and filters from event viewer’

Navigating via Event Viewer:

Hop onto your favorite server, or connect to another server via Event Viewer

Go to the Event Log > Click Filter Current Log

Build out your filter (i.e. choose specific Event Sources, exclude events, include severities, timeframe (start/end), etc.)

Switch to the XML tab (and note you can edit your query further!)

You can copy the query from the Event Viewer into your Get-WinEvent syntax

$query = @”

<QueryList>
<Query Id=”0″ Path=”Application”>
<Select Path=”Application”>*[System[Provider[@Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Monitor.UserRoleQuotaUsageMonitor’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Report.ServiceUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Report.VMUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.EnableCredSSPClient’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Monitor.UserRoleQuotaUsageMonitor’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Report.ServiceUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Report.VMUsageCollection’] and (Level=2 or Level=3) and (EventID=25933)]]</Select>
</Query>
</QueryList>

“@

Get-WinEvent -FilterXml $query

PowerShell output

Example 3

Grab System Event Log, Event ID 5827 (NetLogon denied events)

get-WinEvent -FilterHashtable @{LogName=’System’; ID=’5827′;}

PowerShell output

Documentation:

Get-WinEvent https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.1

MSFT DevBlogs https://devblogs.microsoft.com/scripting/data-mine-the-windows-event-log-by-using-powershell-and-xml/

Don’t forget python as pre-req for agent install

Grocery List, items to get and notes — Grocery List

Hey guys, don’t forget python as pre-req for agent install! Came across this again, where the docs site doesn’t mention python-ctypes as pre-req for agent install. Let’s flip to GitHub for the agent. GitHub lists the python pre-req here. Otherwise, it’s Openssl 1.1.0 is only supported on x86_64 platforms (64-bit).

Let’s begin by starting with a Linux server. I’ve used Ubuntu in my lab, specifically, Ubuntu v16.04.

Regular user run ‘sudo apt-get install python-ctypes‘

Super user/root ‘apt-get install python-ctypes‘

As of 1 July, v1.13.7.0 is current (latest) 64 bit OMS for Linux agent released.

References

GitHub link https://github.com/Microsoft/OMS-Agent-for-Linux

GitHub Agent Download (AzMon/ALA/OMS/SCOM agent for Linux ) https://github.com/microsoft/OMS-Agent-for-Linux/releases/download/OMSAgent_v1.13.7-0/omsagent-1.13.7-0.universal.x64.sh

Python requirements https://github.com/Microsoft/OMS-Agent-for-Linux#python-requrements

Install guide https://github.com/Microsoft/OMS-Agent-for-Linux#azure-install-guide

Troubleshooting Service Map pack

Updated 14 Mar 2019

If you get these exceptions like me, the issue has been raised, with a deliverable targeted for SCOM2019UR1.

Disable the rule to reduce noise.

Are you using Service Map Management pack, and getting errors?

This alert is based on the 46651/46652 event ID in the Operations Manager event log

From SCOM Console > Authoring Tab > Management Pack Objects > Rules

Search in ‘Look for:’ bar GenericException (yes no space in between)

Rule

Rule Details

To enable debug on the MS

For collecting logs, please do the following:

Create folders “c:\Debug\ext\”
Now, Wait for an hour(which is the default time interval set in the rule for running service map api).
You will see some log files created in that folder “ext”. Please share the same in email.

The file showed up after the alerts, and listed debug INFO and WARN lines, and the time stamps match up to the generic exception rules.

Stay tuned for more information, I have been trying to get more answers on the exception

{WARN} [12:35:20.966] [ScomUtils] failed to export XML for Management Pack: System.NullReferenceException: Object reference not set to an instance of an object.

at ScomBridge.ScomUtils.WritePackXmlToFile(ManagementPack pack, String filename)