SQL query Plan howto

SQL Query Plan - can't you do anything right?

Ever need to build out a capability and the SQL query is your blocker?  Use a SQL query plan ‘howTo’ to figure out what’s making the query take so long.  My thanks to Dennis Zwahlen (a Data and AI CSA – LinkedIn) for helping me figure out what was causing a SCOM DW SQL query to render data VERY slowly!

 

Don’t get me wrong, the sheer volume of events is definitely part of the problem.   Event rules are using expressions to further restrict collected event data.


SCOM DW Events ingested for DC Security Events when SIEM is a limit, and NOT using ACS feature.  Will discuss the SCOM DW Event ingestion and additional XML authoring options to turn down the pressure.

 

Time to use this ‘SQL query Plan howto’ post on the SQL execution plan to help figure out why the DW query takes so long.  Like SQL Profiler, the execution plan provides insight that may help speed up the query, allowing the PowerBI app/report to render data.

From SSMS > View > Add Display Estimated Execution Plan


 

SQL execution plan starting from the left documenting SQL query

In this example of the SQL execution plan visual, the Sort is taking 4.5 minutes.  Moving right from the Join lines shows how SQL behaves, and how each piece affects overall execution.

SQL query plan starting moving right from the left documenting SQL query

Hope this helps for another diagnostic SQL step in your tool box!

Updating SQLserver packs to v7.2.0.0

HA HA HA, that’s so funny. An error I didn’t expect importing the latest SQL packs ‘Updating SQLServer packs to v7.2.0.0’

 

Quick public service announcement – remove the SQL Server Core Custom Monitoring pack before ‘updating SQLServer packs to v7.2.0.0’!  Read to save time and frustration, before importing the packs, as the previous 7.0.42.0 pack isn’t upgradable to v7.2.0.0.

 

 

Updating SQL server packs to v7.2.0.0

Download links for SQL Server with SSIS, Dashboards, SSAS, SSRS

Check Holman’s GitHub Repo for a newer SQL ‘runAs’ pack

Run the MSI’s and copy the files to your file repository on the MS.

If you created custom SQL monitors, backup (export) override pack(s).

Remove the SQL Server Core Custom Monitoring pack.

Import packs and enjoy!

Screenshot list of SQL v7.2.0.0 packs

This ends the ‘emergency broadcasting system’ Updating SQL server packs to v7.2.0.0

PowerBI May 2023 install

PowerBI time baby!

Time to update PowerBI Report Server to PowerBI May 2023 update/install for PowerBI Desktop and Report Server!

 

Do you use PowerBI to render monitoring insights from SCOM, SolarWinds, ACAS/Tenable, ForeScout or more?   In case you didn’t know, PowerBI Report Server is the on-premise solution where updates from the PowerBI Cloud Service make way to prem at least twice a year.  Time to update to ‘PowerBI May 2023’ when you’re air-gapped, or just NOT to the cloud.  This post is how to upgrade PowerBI Report Server and PowerBI Desktop to the latest version.  This has been a few iterations in progress, and I couldn’t find any blog showing how to update these components.  NOTE: MDE/Intune/MECM/EM tools can be used to package this easily enough, but it’s typically a very small subset of servers used.

 

Grab a snapshot of PowerBI Report Server and Desktop Before MSI update/install

Before we upgrade to ‘PowerBI May 2023 install’ MSI’s –

Open Control Panel > Programs and Features > Search for Report (and hit enter)

Windows Server, Control Panel, Programs and Features before install

 

Check PowerBI Desktop (shows before and after!)

Open Control Panel > Programs and Features > Search for ‘power’ (and hit enter)

PowerBI Desktop Windows Server, Control Panel, Programs and Features before install

 

 

Begin PowerBI Desktop update

Assuming you’ve downloaded the PowerBI updates and saved to relevant servers.  Check PowerBI blog here, PowerBI Report Server page for the latest version.

NOTE: The older PowerBI May2023 details and MSI download have been superseded – May 2024 download https://www.microsoft.com/en-us/download/details.aspx?id=105944

 

Open PowerShell (as Admin)

Type .\PBIDesktopSetupRS_X64.exe and hit enter

Note the Pop-up MSI installer

PowerBI Desktop and PowerBI Report Server from PowerShell, Windows Server, Control Panel, Programs and Features before install

 

 

Confirm EULA

Click ‘I Accept’ check box and then Next to continue Desktop install

PowerBI Desktop EULA

 

Confirm Desktop Path

I changed to secondary drive to NOT fill up C: boot disk

PowerBI Desktop May2023 update path

 

 

Click Next to begin install

Click Next to begin install

PowerBI Desktop May2023 Next


 

Click Finish

Click Finish to complete update

PowerBI Desktop May2023 Finish

 

 

 

PowerBI Desktop Reboot required prompts

PowerBI desktop prompted twice for reboot required

Click OK

PowerBI Desktop required reboot prompt first time

Prompted again for reboot

PowerBI Desktop required reboot prompt

Click OK

 

 

PowerBI Report Server update

Begin PowerShell window for PowerBI Report Server exe update

 

Check Version prior to install

Click on Start > Control Panel > Programs > Programs and Features

Type Report (and hit enter)

Verify version

PowerBI Report Server before update

 

 

PowerBI Report Server update

Check what’s installed before update

Check Control Panel > Programs > Programs and Features > Report (hit enter)

PowerBI Report Server updated

 

 

Begin Report Server install/update

From PowerShell as Administrator window > Type .\PowerBIReportServer.exe

Hit enter

NOTE: Similar popup output to PowerBI desktop pictured below

PowerBI Desktop and PowerBI Report Server from PowerShell, Windows Server, Control Panel, Programs and Features before install


Choose Upgrade/Install PowerBI Report Server

PowerBI Report Server Upgrade/Install prompt


Accept EULA

Click on ‘I accept’ radio checkbox

PowerBI Report Server EULA prompt

 

Report Server update installing

Watch while PowerBI Report Server updates

PowerBI Report Server Install progress

 

 

PowerBI Report Server reboot required

PowerBI Report Server prompts for reboot – ‘Restart required’

Click Close to reboot server

NOTE:  Optionally click on Restart.   Validate PowerBI Report server service is running via services.msc, and then check the PowerBI Report Server URL specified is functional.  This may still require server reboot! 

PowerBI Report Server Restart Required

 

 

Additional verification of PowerBI Report Server install

Verify PowerBI Report Server updated from Windows Control Panel

Click on Start > Control Panel > Programs > Programs and Features

Type Power (and hit enter)

Verify the version number matches (unfortunately, Report Server does NOT list the version in the title)

PowerBI Report Server update complete

Resolve HSTS vulnerability CVEs on IIS10

IIS Error 500 – Don’t let a vulnerability cause downtime with your SCOM web console

 

This article will help resolve HSTS security vulnerability CVEs on IIS10.  The steps apply to Windows Server 2016+ and help resolve multiple vulnerabilities, including CVE-2023-23915, CVE-2023-23914 and CVE-2017-7789.   There are a few ways to configure IIS; this blog post shows how to set up the HTTP response header and the HTTP redirect for the server(s) holding the SCOM web console role.

 

Setting HSTS on IIS10 to resolve with Server2016 1609

Open PowerShell window as Admin
cd c:\windows\winsxs
gci wow64_microsoft-windows-iis-shared* | ft Name

Aim for the latest directory.
NOTE: this is the bottom entry, based on software versioning.

Example output
PS C:\windows\winsxs> gci wow64_microsoft-windows-iis-shared* | ft Name

Name
----
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.0_none_48b28891ffe5bdae
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.1613_none_90c5a57843ef1621
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.5246_none_90f3a94643cc33e1

# AppCMD lines
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.enabled:True" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.max-age:31536000" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.includeSubDomains:True" /commit:apphost
.\appcmd.exe set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.redirectHttpToHttps:True" /commit:apphost

 

 

For Server2016 1709 and greater

To add the HSTS Header, follow the steps below:

Open IIS manager.
Select your site.
Open HTTP Response Headers option.
Click on Add in the Actions section.
In the Add Custom HTTP Response Header dialog, add the following values:
Name: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains; preload
Or directly in web.config as below under system.webServer:

<httpProtocol>
  <customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
  </customHeaders>
</httpProtocol>

NOTE iisreset may be required to restart IIS and apply settings

 

 

Verify HTTP Response Headers

From IIS10 (IIS Manager) > click on ‘Default Web Site’ > HTTP Response Headers

Verify Strict-Transport-Security blurb matches

HSTS IIS10 HTTP Response Headers screenshot verifying settings applied

 

 

Set HTTP Redirect

Now to set the HTTP redirect, to prevent denial of service (DoS) attacks.

From IIS10 (IIS Manager) > Expand ‘Default Web Site’ > HTTP Redirect

Screenshot

Default Web Site HTTP Redirect to SCOM web console URL

 

 

From IIS10 (IIS Manager) > Expand ‘Default Web Site’ > go through each Application to set HTTP redirect

Screenshot

Set HSTS HTTP Redirect on other web applications

 

Test your web console URL to verify components
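
To confirm the header from a script rather than from the IIS Manager view, the added example below (not part of the original post) parses a Strict-Transport-Security value and flags anything weaker than the settings used in this post. Test-HstsHeader and Get-HstsHeader are hypothetical helper names, the sample header values are constructed, and the host name in the final comment is a placeholder.

```powershell
# Added example, not from the original post. Test-HstsHeader and Get-HstsHeader
# are hypothetical helper names; the header strings at the bottom are constructed.

function Test-HstsHeader {
    param(
        [string]$HeaderValue,
        [long]$MinMaxAge = 31536000   # one year, the max-age used in this post
    )

    $result = [ordered]@{
        Present           = -not [string]::IsNullOrWhiteSpace($HeaderValue)
        MaxAge            = $null
        IncludeSubDomains = $false
        Preload           = $false
        Problems          = @()
    }

    if ($result.Present) {
        $seen = @{}
        foreach ($part in ($HeaderValue -split ';')) {
            $directive = $part.Trim()
            if ($directive -eq '') { continue }

            # Directive names are case-insensitive; only max-age carries a value.
            $name, $value = $directive -split '=', 2
            $name = $name.Trim().ToLowerInvariant()
            if ($seen.ContainsKey($name)) {
                $result.Problems += "directive '$name' appears more than once"
                continue
            }
            $seen[$name] = $true

            if ($name -eq 'max-age') {
                $digits = "$value".Trim().Trim('"')
                if ($digits -match '^[0-9]+$') { $result.MaxAge = [long]$digits }
                else { $result.Problems += "max-age is not a number: '$value'" }
            }
            elseif ($name -eq 'includesubdomains') { $result.IncludeSubDomains = $true }
            elseif ($name -eq 'preload')           { $result.Preload = $true }
        }

        if (-not $seen.ContainsKey('max-age')) {
            $result.Problems += 'max-age directive is missing'
        }
        elseif ($null -ne $result.MaxAge -and $result.MaxAge -lt $MinMaxAge) {
            $result.Problems += "max-age $($result.MaxAge) is below $MinMaxAge"
        }
        if (-not $result.IncludeSubDomains) {
            $result.Problems += 'includeSubDomains is not set'
        }
    }
    else {
        $result.Problems += 'Strict-Transport-Security header is missing'
    }

    $result.Compliant = ($result.Problems.Count -eq 0)
    [pscustomobject]$result
}

function Get-HstsHeader {
    param([Parameter(Mandatory = $true)][uri]$Uri)

    # Browsers ignore this header on plain HTTP, so only an HTTPS response counts.
    if ($Uri.Scheme -ne 'https') { throw "Use an https:// URL, got '$Uri'" }

    $response = Invoke-WebRequest -Uri $Uri -Method Head -UseBasicParsing -UseDefaultCredentials
    # Windows PowerShell returns a string here, PowerShell 7 a string array.
    @($response.Headers['Strict-Transport-Security'])[0]
}

# Constructed sample values: the post's custom header, a short max-age,
# a value without includeSubDomains, and no header at all.
$samples = @(
    'max-age=31536000; includeSubDomains; preload',
    'max-age=300; includeSubDomains',
    'Max-Age="31536000"',
    ''
)
foreach ($sample in $samples) {
    Test-HstsHeader -HeaderValue $sample |
        Select-Object Compliant, MaxAge, IncludeSubDomains, Preload,
                      @{ Name = 'Problems'; Expression = { $_.Problems -join '; ' } }
}

# Live check against the web console (placeholder host name):
# Test-HstsHeader -HeaderValue (Get-HstsHeader -Uri 'https://scomweb.example.test/OperationsManager')
```

Run the live check after iisreset; the preload flag is reported but not required, since the appcmd variant in this post does not set it.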

 

 

References

NIST CVE-2023-23915 CVE-2023-23914

Mitre CVE-2017-7789

Blog link https://inthetechpit.com/2019/07/17/add-strict-transport-security-hsts-response-header-to-iis-hosted-site/

 

Deciding ‘Event Collection vs. Alert’ rule

Question example of two cartoon people discussing something. Both have thought bubble cartoons looming overhead.

 

Ever run through an event log scenario, deciding whether ‘event collection vs. alert rule’ is the way to filter the needle out of the haystack?   There are a few ways to do this with monitoring tools.   If you’re cloud centric, use a KQL query (assuming you’re collecting the event logs); if you’re using Operations Manager (SCOM), there are a few ways to consume the events.   SCOM ACS is basically a DB for collecting Security events, and is typically an unused feature in SCOM for most customers.  Kevin Holman has many blog posts on ACS and testing the filter, as well as a management pack (MP) fragment (blog here, GitHub fragment library here).

 

 

Let’s walk through criteria deciding ‘event collection vs. alert rule’:

  1. Do the event(s) happen often?  If so, how often?
  2. Can you filter the event description to limit the amount of gathered event?
  3. Do you need match count or samples before action required?  (i.e. count x events in y time)
  4. Is there a regulatory or compliance requirement to collect every event?
  5. Is this something you want to visualize with PowerBI?
  6. For better visualizations, would the EventID help view/sort data in a tabular output (i.e. think PowerShell property), as well as TimeRaised/TimeGenerated and Event Description?

 

Example – DC Security events

When there is a regulatory requirement to collect events, we need to decide ‘event collection vs. alert rule’, and IF we can filter for specific pieces of the event.  Holman has examples of alert parameters, and dynamic data, which are very useful to get the needles out of the haystacks.  Depending on your goals, use event parameters, or leverage CustomFields in the alert to build required fields.

 

Depending on the requirements, event collection is useful to collect related EventIDs with regular expressions.   Use Event rules WHEN action is required.  Regular expressions help filter what we collect (via event collection or alert rule).   By extension, utilize CustomFields in the alerts to help the presentation or SQL query towards a PowerBI report.

 

Let’s talk about regular expressions examples for rules (or monitors)

 

MatchesRegularExpression

<Expression>
  <RegExExpression>
    <ValueExpression>
      <XPathQuery Type="String">EventDescription</XPathQuery>
    </ValueExpression>
    <Operator>MatchesRegularExpression</Operator>
    <Pattern>^(Security ID:.*admin*)|^(Security ID:.*[des]a*)$</Pattern>
  </RegExExpression>
</Expression>

<Expression>
  <RegExExpression>
    <ValueExpression>
      <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
    </ValueExpression>
    <Operator>MatchesMOM2005BooleanRegularExpression</Operator>
    <Pattern>^(4625|4740)$</Pattern>
  </RegExExpression>
</Expression>
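
Before importing a rule, it helps to run its pattern over sample event text. The added example below (not part of the original post or of Holman's fragments) evaluates the first MatchesRegularExpression pattern above against constructed descriptions. It assumes the pattern is treated as a .NET regular expression with default options; Compare-EventPattern and the tighter candidate pattern are hypothetical.

```powershell
# Added example, not from the original post. Assumption: the pattern is evaluated
# as a .NET regular expression with default options, which is what [regex] does
# here; confirm the behaviour in a lab management group.
# Compare-EventPattern is a hypothetical helper name.

$pagePattern = '^(Security ID:.*admin*)|^(Security ID:.*[des]a*)$'

# Hypothetical tighter candidate, assuming the intent is "account contains admin,
# or ends in a da/ea/sa suffix". (?m) lets ^ and $ anchor on every line, \s* allows
# indentation before the field name, and \r? tolerates CRLF line endings.
$tightPattern = '(?m)^\s*Security ID:.*(admin|[des]a\r?$)'

function Compare-EventPattern {
    param(
        [string[]]$Description,
        [string]$Pattern,
        [string]$Candidate
    )
    foreach ($text in $Description) {
        $match = [regex]::Match($text, $Pattern)
        [pscustomobject]@{
            Sample           = ($text -replace '\s+', ' ')   # flattened for display only
            PatternMatches   = $match.Success
            MatchedText      = $match.Value
            CandidateMatches = [regex]::IsMatch($text, $Candidate)
        }
    }
}

# Constructed sample descriptions (not taken from a real event log).
$samples = @(
    'Security ID: CONTOSO\administrator',
    'Security ID: CONTOSO\jdoe-da',
    'Security ID: CONTOSO\james',
    'Security ID: CONTOSO\bob',
    "An account failed to log on.`r`n`r`nSubject:`r`n`tSecurity ID:`t`tCONTOSO\administrator`r`n`tAccount Name:`t`tadministrator"
)

Compare-EventPattern -Description $samples -Pattern $pagePattern -Candidate $tightPattern |
    Format-Table -AutoSize -Wrap
```

Under that assumption, the page's pattern also matches the sample account that merely ends in s, and it does not match the multi-line sample because ^ only anchors at the start of the whole description.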

 

Contains example

<Expression>
  <RegExExpression>
    <ValueExpression>
      <XPathQuery Type="String">EventDescription</XPathQuery>
    </ValueExpression>
    <Operator>ContainsSubstring</Operator>
    <Pattern>Proactive DailyTasks ADDS Monitors close automation for</Pattern>
  </RegExExpression>
</Expression>

<Expression>
  <RegExExpression>
    <ValueExpression>
      <XPathQuery Type="String">Params/Param[2]</XPathQuery>
    </ValueExpression>
    <Operator>ContainsSubstring</Operator>
    <Pattern>dnsserver</Pattern>
  </RegExExpression>
</Expression>

 

DoesNotContain example

<Expression>
  <RegExExpression>
    <ValueExpression>
      <XPathQuery Type="String">EventDescription</XPathQuery>
    </ValueExpression>
    <Operator>DoesNotContainSubstring</Operator>
    <Pattern>None</Pattern>
  </RegExExpression>
</Expression>

Holman MP Fragment example of specific EventID:

<Rule ID="Rule.StateChangeAlerts" Enabled="true" Target="SCOMMagementServer.Class" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventCollector">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>TestAPP</LogName>
      <AllowProxying>false</AllowProxying>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">600</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">APP Test Log Monitoring</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="CollectToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent" />
    <WriteAction ID="CollectToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData" />
  </WriteActions>
</Rule>

 

Lastly, let’s talk about the use of CustomFields to add additional data to the alert, but NOT in the event description (Holman’s blog here).

For the tabular view of alert data (from PowerShell, as with a SQL query of the Alerts view), we might need to display data such as EventDisplayNumber, TimeRaised and Message (alternates are Parameters or UnformattedDescription).  Additionally, check alert output details from the SCOM MS in PowerShell via Get-SCOMAlert -Name "MonitorDisplayNameHere" | fl | more

 

Leverage Custom Fields to add

EventID       $Data/EventDisplayNumber$

Event Category    $Data/EventCategory$

 

Happy Authoring!

 

Additional links

How to collect events – but not ALL the events?

 

https://learn.microsoft.com/en-us/answers/questions/69667/scom-event-collection-rule


Configure MMA agent via PowerShell

A car mechanic uses battery jumper cables to charge a dead battery.

 

Do you feel like a mechanic having to jump start the agent configuration like a dead car battery?   Assuming the Agent is already installed, you can configure the SCOM agent via PowerShell.  Even better when you can PowerShell remote to multiple systems.  I hope the PowerShell commands below help you master PowerShell to configure the SCOM side of the MMA agent (house).

 

<#
 Find/replace variables to your environment like Kevin Holman's fragments!
 ##SCOMMGMTGROUP1##
 ##SCOMMGMTGROUP2##
 ##SCOMMGMTSERVER1##
 ##SCOMMGMTSERVER2##
#>

# COM object exposed by the installed agent for management group configuration
$SCOMAgent = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
$SCOMAgent.GetManagementGroup("##SCOMMGMTGROUP1##");$SCOMAgent.GetManagementGroup("##SCOMMGMTGROUP2##")

# If mgmt groups are incorrectly set
$SCOMAgent.RemoveManagementGroup("##SCOMMGMTGROUP1##")
$SCOMAgent.RemoveManagementGroup("##SCOMMGMTGROUP2##")

Restart-Service healthservice

# Domain
$SCOMAgent.AddManagementGroup("##SCOMMGMTGROUP1##","##SCOMMGMTSERVER1##",5723)

# Verify agent config
$SCOMAgent.GetManagementGroup("##SCOMMGMTGROUP1##")

# If you have a second management group
$SCOMAgent.GetManagementGroup("##SCOMMGMTGROUP2##")

# Restart and test connectivity
Restart-Service healthservice

# Check connectivity (quoted so the ## placeholder is not read as a comment)
Test-NetConnection -Port 5723 -ComputerName "##SCOMMGMTSERVER1##"

 

 

SCOM Monitor reset logic

ResetButton

 

Ever want to reset SCOM monitors, and wish it was just a simple Reset Button for unhealthy monitors?

 

I’ve been using Scott Murr’s TechNet gallery loop to maintain my alerts, and ensure monitors are healthy for all my management packs.

 

The blurb I put in my DS/WA scripts to reset SCOM monitors.  I build on Andrew’s methods I didn’t realize (just think much uglier code!)

Cleaner PowerShell to help reset monitors and rules

 

 

My PowerShell variables to reset SCOM monitors, includes my Addendum and the core – DNS example provided below (thank you Andrew!)

 

## Grab the MP, get the Monitors and Rules from the MP, then grab all alerts found inside the Monitors/Rules

$SCOMCoreMP = Get-SCOMManagementPack -DisplayName "Microsoft Windows Server 2016 and 1709+ DNS Monitoring"
$SCOMAddendumMP = Get-SCOMManagementPack -DisplayName "Microsoft Windows Server 2016 DNS Monitoring Addendum"

$SCOMCoreRules = $SCOMCoreMP.GetRules()
$SCOMCoreMonitors = $SCOMCoreMP.GetMonitors()
$SCOMAddendumRules = $SCOMAddendumMP.GetRules()
$SCOMAddendumMonitors = $SCOMAddendumMP.GetMonitors()

# All alerts (any resolution state) raised by each pack's rules or monitors
$SCOMCoreReportAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMCoreRules.DisplayName) -or ($_.Name -in $SCOMCoreMonitors.DisplayName) }
$SCOMCoreReportAlerts.Count
$SCOMAddendumReportAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMAddendumRules.DisplayName) -or ($_.Name -in $SCOMAddendumMonitors.DisplayName) }
$SCOMAddendumReportAlerts.Count

# Open alerts only (ResolutionState 255 = Closed); the core set filters the core alerts
$SCOMOpenReportAlerts = $SCOMCoreReportAlerts | ? { ( $_.ResolutionState -ne 255 ) }
$SCOMOpenReportAlerts.Count
$SCOMOpenAddendumReportAlerts = $SCOMAddendumReportAlerts | ? { ( $_.ResolutionState -ne 255 ) }
$SCOMOpenAddendumReportAlerts.Count

# Open alerts raised by rules (core rule alerts match on the rule names)
$SCOMCoreRuleAlerts = Get-SCOMAlert | ? { ( $_.Name -in $SCOMCoreRules.DisplayName) -AND ( $_.ResolutionState -ne 255 ) }
$SCOMCoreRuleAlerts.Count
$SCOMAddendumRuleAlerts = Get-SCOMAlert | ? { ( $_.Name -in $SCOMAddendumRules.DisplayName) -AND ( $_.ResolutionState -ne 255 ) }
$SCOMAddendumRuleAlerts.Count

# Open alerts raised by monitors
$SCOMCoreMonitorAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMCoreMonitors.DisplayName ) -AND ( $_.ResolutionState -ne 255 ) }
$SCOMCoreMonitorAlerts.Count
$SCOMAddendumMonitorAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMAddendumMonitors.DisplayName ) -AND ( $_.ResolutionState -ne 255 ) }
$SCOMAddendumMonitorAlerts.Count

$AutoClosed = $SCOMCoreMonitorAlerts.Count + $SCOMCoreRuleAlerts.Count + $SCOMAddendumMonitorAlerts.Count + $SCOMAddendumRuleAlerts.Count
$Test = $SCOMCoreReportAlerts.Count + $SCOMAddendumReportAlerts.Count
$OpenAlerts = $SCOMOpenReportAlerts.Count + $SCOMOpenAddendumReportAlerts.Count
$ResetMonitors = $SCOMCoreMonitors + $SCOMAddendumMonitors
$MonitorAlerts = $SCOMCoreMonitorAlerts.Count + $SCOMAddendumMonitorAlerts.Count

 

 

#
# If Cleanup needed, array of report monitors

# Reset Monitors Script
# Put ps1 in mgmtpacks folder
# https://sc.scomurr.com/scom-2012-monitor-reset-cleaning-up-the-environment/
# Download
# https://gallery.technet.microsoft.com/SCOM-2012-Batch-reset-63a17534

# Alternate
# https://gallery.technet.microsoft.com/scriptcenter/Auto-reset-script-for-d8b775ca

if ( $MonitorAlerts -gt 0 )
{
    foreach ( $MonitorDisplayName in $ResetMonitors.DisplayName )
    {
        $Monitors = @( Get-SCOMMonitor -DisplayName $MonitorDisplayName )

        # Set up monitor objects to reset
        foreach ($Monitor in $Monitors)
        {
            $MonitorClass = Get-SCOMClass -Id $Monitor.Target.Id
            # Instances of the target class that are unhealthy and available
            $ActiveMonitors = Get-SCOMClassInstance -Class $MonitorClass | ? { ($_.healthstate -ne 'Success') -AND ( $_.healthstate -ne 'Uninitialized') -AND ($_.IsAvailable -eq $true) }
            Write-Host "Found $(@($ActiveMonitors).Count) active monitors."
            if ( $null -ne $ActiveMonitors )
            {
                foreach ($ActiveMonitor in $ActiveMonitors)
                {
                    Write-Host " Resetting Health State on '$($ActiveMonitor.FullName)'"
                    $ActiveMonitor.ResetMonitoringState($Monitor.ID)
                }
            }
        }
    }
}

SCOM Snapshot Synchronization alerts

Synchronized Swimmers

Updated 4 Apr 2023 with Tyson’s feedback!

 

First, some background – the Snapshot Synchronization alert just tells you there was a SQL issue running the workflow.

Second, the Snapshot Synchronization alert from a health model perspective, is NOT a critical issue (outage).  Create override severity to 1 (warning) to prevent false wake-up calls.  I’ll get this to my GitHub repo shortly!

 

 

 

Let’s troubleshoot the alert

Start with Tyson’s SCOM Maintenance pack, and run the tasks

Tyson’s SCOM Maintenance pack tasks

 

Alternative long steps

Login to server with SSMS installed –

Open SSMS > Connect to the SCOM OpsMgr DB > Click on New Query

***NOTE verify database dropdown shows Operations Manager!

Paste SQL query into the query textbox

SELECT WorkItemName, b.WorkItemStateName, ServerName, StartedDateTimeUtc, CompletedDateTimeUtc, DurationSeconds, ERRORMESSAGE
FROM cs.WorkItem a, cs.WorkItemState b
WHERE a.WorkItemStateId = b.WorkItemStateId
AND WorkItemName = 'SnapshotSynchronization'

Screenshot

Snapshot Synchronization alert query

 

 

 

Example SQL Output

SQLQueryExecution

WorkItemName             WorkItemStateName  ServerName  StartedDateTimeUtc       CompletedDateTimeUtc     DurationSeconds  ERRORMESSAGE
SnapshotSynchronization  Succeeded          SCOMV01     2023-01-24 00:26:23.427  2023-01-24 00:27:46.100  83               NULL
SnapshotSynchronization  Failed             SCOMV02     2023-01-25 00:27:52.363  2023-01-25 00:28:07.520  15
SnapshotSynchronization  Succeeded          SCOMV00     2023-01-25 21:43:36.540  2023-01-25 21:45:07.947  91               NULL
SnapshotSynchronization  Running            SCOMV00     2023-01-25 21:45:32.227  NULL                     NULL             NULL

Solution:
The jobs may show Succeeded by the time you login to SQL = EOJ (end of job)

If Failed is latest date/timestamp, re-run the task “Request Snapshot Synchronization” which can be found when we select  “Management Configuration Service Group” in the below mentioned view.

View:

From Monitoring Tab > Click on Operations Manager folder > Click on Management Group Health widget > Highlight unhealthy state from Management Group Functions.

Click on the ‘Request Snapshot Synchronization’ task to execute the Stored Procedure “SnapshotSynchronizationForce” on the OpsMgr DB.

 

NOTE: There are two tasks with same name but with different targets i.e. ‘Management Configuration Service Group’ and ‘Management Configuration Services’

 

The other task can be found on below view after selecting the Management Server you want the Task to be executed on

View:

From Monitoring Tab > Expand Operations Manager folder > Expand Management Configuration Service folder > Click on Services State view

 

 

Create Override for the alert

To change snapshot monitor to warning

From SCOM Console > Authoring Tab

Expand ‘Management Pack Objects’ > Click on Monitors

In the ‘Look for:’ bar type Snapshot synchronization state and hit enter

Monitor name = Snapshot synchronization state

Right click on monitor > Overrides > Override the monitor > For all objects of class

Click checkbox for Severity > change Critical to Warning

Click Edit – add comment – i.e. date/time changing to warning

Select your override pack > Click OK

Click OK to execute change

Override snapshot monitor to warning

 

 

Resources

Tyson’s MonitoringGuys blog for SCOM Maintenance pack – download here

Link to TechNet article

 

Cleaner PowerShell to help reset monitors and rules

Like Meguiar's cleaner wax to your car's finish, this post will help utilize cleaner PowerShell to help reset monitors and rules

 

Cleaner PowerShell supplied by Andrew Bradley that’s helped simplify the PowerShell code included resetting/closing monitors and rules via a method call.  Hard to believe I’ve been quiet on the blog for the past year, as I’ve been working on SCOM management pack addendums.  The ‘cleaner PowerShell’ is being integrated into the various addendums.

 

have been helpful with many customers, by building out better ways to monitor, clean up alerts, and create daily reports.  The Addendum packs add report key insights for many 1P (1st party) Microsoft authored management packs.

Methods

 

 

Cleaner PowerShell to help reset monitors and rules

## Grab the MP, get the Monitors and Rules from the MP, then grab all alerts found inside the Monitors/Rules

$SCOMCoreMP = Get-SCOMManagementPack -DisplayName "System Center Core Monitoring"

$SCOMCoreRules = $SCOMCoreMP.GetRules()

$SCOMCoreMonitors = $SCOMCoreMP.GetMonitors()

$SCOMCoreReportAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMCoreRules.DisplayName) -or ($_.Name -in $SCOMCoreMonitors.DisplayName) }

Example for DNS management pack

## Grab the MP, get the Monitors and Rules from the MP, then grab all alerts found inside the Monitors/Rules
$SCOMCoreMP = Get-SCOMManagementPack -DisplayName "Microsoft Windows Server 2016 and 1709+ DNS Monitoring"
$SCOMCoreRules = $SCOMCoreMP.GetRules()
$SCOMCoreMonitors = $SCOMCoreMP.GetMonitors()

$SCOMCoreReportAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMCoreRules.DisplayName) -or ($_.Name -in $SCOMCoreMonitors.DisplayName) }
$SCOMCoreReportAlerts.Count

$SCOMOpenReportAlerts = $SCOMCoreReportAlerts | ? { ( $_.ResolutionState -ne "255" ) }
$SCOMOpenReportAlerts.Count

# Open alerts

$SCOMCoreRuleAlerts = Get-SCOMAlert | ? { ( $_.Name -in $SCOMCoreRules.DisplayName) -AND ( $_.ResolutionState -ne "255" ) }
$SCOMCoreRuleAlerts.Count

$SCOMCoreMonitorAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMCoreMonitors.DisplayName ) -AND ( $_.ResolutionState -ne "255" ) }
$SCOMCoreMonitorAlerts.Count

Adding parameters to datasource/probeaction moduletypes


 

This post is adding parameters to datasource (DS) or probeaction (PA) moduletypes.  Sorry, found this draft from last year that I never published.  🙁 I’m in the ‘missing functionality’ boat.  Some would say I’m a dreamer, a good system admin, a car guy who has different ideas than the manufacturer, or something altogether different — you decide 🙂  Hope this blog post helps monitoring experts that author more functionality than what was delivered.  Specifically adding parameters to datasource/probeaction moduletype NOT delivered in the OotB functionality?!

 

 

Adding parameters to datasource/probeaction moduletypes
First – What is needed
Second – Verify dependencies required for a workflow
Third – Build on example ‘datasource’
Fourth – Configure Monitor/Rule to use Datasource/ProbeAction

Let’s go step by step through ‘adding parameters to datasource/probeaction moduletypes’ to customize a data source. The datasource requirements are to include/verify the following parameters: TimeOut, TimeOutInMS, MatchCount, SampleCount (match/sample count are intended for rules/monitors).

 

Pre-reqs (what’s needed for a ModuleType to function)

Working Script – PowerShell/BASH/Perl/SH/KSH
ScriptArgs required at runtime
Other Configuration, or Overrideable Parameters
Using configured parameters properly
Verify ProbeActions (PA) inside DS have relevant parameters

 

Easiest way to summarize adding a configuration parameter
The parameter must be added to Configuration, OverrideableParameters and ModuleImplementation.
When taking an out-of-the-box (‘OotB’) moduletype to modify, the parameter(s) MUST also be used in the UnitMonitorType, Rule and Monitor.

Quick background for MatchCount/SampleCount:
When adding parameters to datasource/probeaction moduletypes, it’s good to know why this is part of the conversation to be added to monitoring design/implementation.

MatchCount comes in handy for repeated failures BEFORE alerting (count 5 events before alerting)
SampleCount comes in handy for counting number of failed workflows BEFORE alerting (run workflow 6 times failing before alerting)

 

Example Unix.ShellCommand.Invoke.Script DataSource
Requirement = Add MatchCount/SampleCount (or TimeOut to the PA ProbeAction)

Download

Unseal, and open Microsoft.Unix.ShellCommand.Library.xml in NotePad++, VStudio, (or your favorite XML editor)

Screenshot of default Microsoft.Unix.ShellCommand.Invoke.DataSource
TimeOut and TimeOutinMS are baked in.  We begin by adding MatchCount/SampleCount

Adding MatchCount/SampleCount for Configuration, OverrideableParameters, and Module Implementation for DS/PA

 

How to add MatchCount/SampleCount syntax


NOTE – sometimes you don’t find an example!

This part gets complicated – how far down the rabbit hole do you need the parameters?
Does the DS workflow only need the respective parameters?
Do you have to add to the corresponding PA’s called in the workflow?

 

Starting simple, add to DS

Add MatchCount/SampleCount to DS Configuration
<xsd:element name="MatchCount" type="xsd:unsignedInt" maxOccurs="1" minOccurs="0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
<xsd:element name="SampleCount" type="xsd:unsignedInt" maxOccurs="1" minOccurs="0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />

Add MatchCount/SampleCount to OverrideableParameters (if you want capability to override)
<OverrideableParameter ID="MatchCount" Selector="$Config/MatchCount$" ParameterType="int" />
<OverrideableParameter ID="SampleCount" Selector="$Config/SampleCount$" ParameterType="int" />

Add MatchCount/SampleCount to DS MemberModule
<MatchCount>$Config/MatchCount$</MatchCount>
<SampleCount>$Config/SampleCount$</SampleCount>

Add MatchCount/SampleCount to PA Configuration
<xsd:element name="MatchCount" type="xsd:unsignedInt" maxOccurs="1" minOccurs="0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
<xsd:element name="SampleCount" type="xsd:unsignedInt" maxOccurs="1" minOccurs="0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />

Add MatchCount/SampleCount to PA MemberModule
<MatchCount>$Config/MatchCount$</MatchCount>
<SampleCount>$Config/SampleCount$</SampleCount>

Unix.ShellCommand.Invoke.Script
Alternate example for monitors, the SQL Windows Replication mgmt pack has a good UnitMonitor/UnitMonitorType example – Microsoft.SQLServer.Replication.Windows.Monitoring.xml

 

References

Kevin Holman has a good example for changing frequency and MatchCount here
https://kevinholman.com/2017/08/12/creating-a-scom-service-monitor-that-allows-overrides-for-interval-frequency-and-samples/

Find example by searching unsealed management pack repository (use Tyson’s SCOMHelper PowerShell module to unseal mp/mpb’s to facilitate a better unsealed mp search) https://monitoringguys.com/2019/11/12/scomhelper/