AD Application monitoring

Data from StarTrek the next generation – Mr. Tricorder makes me laugh!

‘AD Application monitoring’ > web synthetics, artificial users > android: what image comes to mind?  Is it a person, or a thing from a Sci-Fi movie?  Perhaps Bishop from Aliens, or Data from Star Trek.  What does ‘AD Application monitoring’ consist of?  Currently that means a CRL validity check and an ADFS web synthetic (proving that ADFS is responding).  My thanks to Jason Windisch, CSA, for the supplied PowerShell!


Quick Download https://github.com/theKevinJustin/ADApplications/

Tailoring the pack to your environment

The purpose of the pack is to add scheduled workflows that act like a user and identify whether the CRLs are about to expire.  Most times, monitoring stops at ICMP ping.  Most times there’s still an outage, even though the network and the servers are responding.  The next layer is IIS, Apache, etc.  Sometimes the network team gets involved, checking that a base IIS URL is configured.  Most outages aren’t the network, nor is it that IIS isn’t running.  This is why we focus on the web application responding.  Does the multi-pronged tactical approach make sense?

This pack delivers on-demand tasks, daily reports, and rules/monitors to reflect health.  Customize the watcher node and some URLs, save, and import into SCOM!  The purpose


Assign watcher node(s)

Assign a watcher node by creating a registry key.

What does that mean?   Watcher nodes are needed to provide user perspective.


Multiple site example

Issue:  Users from sites 1, 2, and 3 are having problems accessing web pages.  To understand a user in site 2, leverage a server in site 2 to initiate the web request (Invoke-WebRequest in PowerShell).

Why:  Differentiate user experience per site.  Answer the ‘did you know’: is the application responding from this site/perspective?

Unfortunately, the watcher node concept eludes most administrators.  Mastering ‘user perspective’ is an invaluable aid in moving from reactive ‘fire fighting’ to proactively being told before users notice.  Hopefully this explains the power of monitoring that imitates user interactions for key web applications.

How:  Create the registry key on whichever servers you want to initiate the web monitor from.

From PowerShell (as Admin), or Command Prompt (as Admin):

reg add "HKLM\SOFTWARE\ADApplications\WatcherNode"


AD Applications regedit registry key validation

Example of XML snippet from AD Applications management pack

AD Applications Watcher Node – create specific registry key

Set up CRL Validity check and ADFS synthetic

Next, configure the URLs for the customer environment in the ‘AD Application monitoring’ management pack.

Update AD Applications module types for monitor/rules for CRL and ADFS synthetics

Configure the CRL validity check array

From your favorite XML editor (Notepad++ pictured)

Find/Replace ##FQDN##, ##CRLstring##, and the numbers to match the customer environment

CRL Validity check, create your array length as needed for customer environment

Configure the ADFS synthetic request(s)

From your favorite XML editor (Notepad++ pictured)

Find/Replace $server and ##FederationFQDN##, and if necessary update the ADFS URL string (the /adfs/ls/idpinitiatedsignon.aspx portion) to match the customer environment

Update ADFS URL for Invoke-WebRequest, ADFS default URL in specified example

Save pack

Import and enjoy!
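The watcher node gate, the CRL validity check and the ADFS synthetic described above, as an added PowerShell example that is not the ADApplications pack's own script (the pack's PowerShell came from Jason Windisch). It keeps the pack's ##FQDN##, ##CRLstring## and ##FederationFQDN## find/replace tokens; the CRL file names under /CertEnroll/, the 3-day warning threshold, the certutil-based NextUpdate parsing and the sign-in page text match are assumptions for this example. Run it interactively on a candidate watcher node before customizing and importing the XML.

```powershell
# Added example, not code from the ADApplications pack. Runs the three checks the
# pack schedules from SCOM (watcher-node gate, CRL validity, ADFS synthetic) so they
# can be exercised by hand. ##FQDN##, ##CRLstring## and ##FederationFQDN## are the
# pack's find/replace tokens; $WarnDays and the CRL paths are assumptions.
$WatcherKey = 'HKLM:\SOFTWARE\ADApplications\WatcherNode'
$WarnDays   = 3
$CrlUrls    = @(
    'http://pki.##FQDN##/CertEnroll/##CRLstring##.crl',    # base CRL (assumed path)
    'http://pki.##FQDN##/CertEnroll/##CRLstring##+.crl'    # delta CRL (assumed path)
)
$AdfsUrl    = 'https://##FederationFQDN##/adfs/ls/idpinitiatedsignon.aspx'

function Test-WatcherNode {
    # The pack only runs the synthetics where the registry key exists, so the same
    # script can be targeted broadly and stay silent everywhere else.
    Test-Path -Path $WatcherKey
}

function Test-CrlValidity {
    param([string]$Url, [int]$WarnDays)
    $result = [pscustomobject]@{ Check = 'CRL'; Target = $Url; State = 'Unknown'; NextUpdate = $null; Detail = '' }
    $tmp = Join-Path $env:TEMP ('crl_' + [guid]::NewGuid() + '.crl')
    try {
        # Pull the CRL exactly as a client would; a download failure is itself a finding.
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 30 -ErrorAction Stop
        # certutil prints the CRL fields; NextUpdate is the value expiry is measured against.
        # Assumption: English-style "NextUpdate:" label; certutil and [datetime]::Parse
        # share the machine culture, so the date round-trips on the same host.
        $dump = certutil.exe -dump $tmp
        $line = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
        if (-not $line) { throw 'NextUpdate not found in certutil output' }
        $next = [datetime]::Parse($line.Matches[0].Groups[1].Value.Trim())
        $result.NextUpdate = $next
        $remaining = ($next - (Get-Date)).TotalDays
        $result.State  = if ($remaining -le 0) { 'Expired' } elseif ($remaining -le $WarnDays) { 'Warning' } else { 'Healthy' }
        $result.Detail = ('{0:N1} days until NextUpdate' -f $remaining)
    } catch {
        $result.State  = 'Error'
        $result.Detail = $_.Exception.Message
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
    $result
}

function Test-AdfsSynthetic {
    param([string]$Url)
    $result = [pscustomobject]@{ Check = 'ADFS'; Target = $Url; State = 'Unknown'; Detail = '' }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 30 -ErrorAction Stop
        $sw.Stop()
        # HTTP 200 proves something answered; the sign-in page text (assumed) proves it
        # is the ADFS endpoint rather than an IIS default page.
        $isSignIn = ($resp.StatusCode -eq 200) -and ($resp.Content -match 'idpinitiatedsignon|Sign in')
        $result.State  = if ($isSignIn) { 'Healthy' } else { 'Warning' }
        $result.Detail = ('HTTP {0} in {1} ms' -f $resp.StatusCode, $sw.ElapsedMilliseconds)
    } catch {
        $sw.Stop()
        $result.State  = 'Error'
        $result.Detail = $_.Exception.Message
    }
    $result
}

if (-not (Test-WatcherNode)) {
    Write-Output "$env:COMPUTERNAME is not a watcher node ($WatcherKey missing); skipping."
    return
}
$results  = @($CrlUrls | ForEach-Object { Test-CrlValidity -Url $_ -WarnDays $WarnDays })
$results += Test-AdfsSynthetic -Url $AdfsUrl
$results | Format-Table Check, State, Detail, Target -AutoSize
```

Each result object maps directly onto the property bag a SCOM datasource would emit: State drives the monitor, Detail and Target land in the alert description. A CRL that fails to download and a CRL whose NextUpdate has passed are deliberately distinct states, since the first is a web/PKI availability problem and the second is a publishing problem.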


Documentation

URLGenie for advanced website monitoring

PowerShell invoke-webRequest

Addendum logic blog

Proactive Daily Reports

Proactive Analyst Reports as a new way to ingest key insights from SCOM

As a SME or team lead, do you ever need a key insight for the enclave?  Let’s talk about the ‘Proactive Daily Reports’ pack.  It provides some built-in reports on what transpired in an enclave.  Building again on the Health pillar, we can simplify what owners need to see.  A PowerShell script was a simpler alternative to a complex SSRS report that often broke due to patching and not following best practices.  The pack shows a simpler way to bring key insights to owners: Pending Reboots, Expiring PKI certificates, Logical Disk alerts, a System Admin summary, and SCOM admin reports including long-running scripts, script errors, SCOM errors, and an alert updates report.

Quick Download: https://github.com/theKevinJustin/ProactiveNOSCDailyTasks

Testing the Proactive Daily reports

Let’s start with some example reports – examples for expiring certificates, Logical Disk, Pending Reboot, System Admin summary, and SCOM admin reports including long-running scripts, script errors, SCOM errors, and alert updates report.


Expiring Certs –

About to expire certificates

Expiring PKI certificates reports

Logical disk alerts –

Shows Server, drive, and % full data

Logical disk alerts report, showing zero for the past 72 hours (over a weekend)

Pending Reboots

Alerts of servers pending restart, not patched, not rebooted

Pending reboot report lists servers pending restart, not patched, not rebooted alerts

System Admin summary

This is really a consolidation of multiple insights:

Server performance issues
Open ITSM/Remedy tickets
Unhealthy Agents
Pending Reboot, Not Rebooted, Not patched
Disabled/Unhealthy/MaintenanceMode, Repeatedly down Agents
Logical Disk free space alerts
Expiring certificates
AD DC (ADDS) critical alerts
DNS alerts
Group Policy issues

SysAdmin daily summary report example alert

SCOM admin reports

Admin reports have a few separate alert reports, including long-running scripts, script errors, SCOM errors, and alert updates report.

SCOM Admin alerts report example of common SCOM problems

Long running scripts

SCOM Admin long-running scripts alerts report example of long-running report workflows to help tune run-time

Script errors showing key SCOM connectivity issues

SCOM Admin script errors to help diagnose report script syntax errors

Useful links

Other blog posts for addendum management packs and capabilities –

https://kevinjustin.com/blog/2023/08/15/proactive-patching-alerts/
https://kevinjustin.com/blog/2023/08/14/top-process-powershell-script/
https://kevinjustin.com/blog/2023/08/15/proactive-daily-reports/

https://kevinjustin.com/blog/2023/08/08/create-closed-alerts-view/


Proactive Patching alerts

Proactive scrabble tiles

As a SME or team lead, ever need to know about ‘Proactive Patching alerts’, i.e. what servers need patches applied, aren’t patching, or were missed?  This pack builds on three (3) pillars, Health/Security/Compliance, enabling Cyber teams and more.  It became an alternate option to a complex pack with an SSRS report that a customer used to identify systems; that report was long and had many blank lines/pages, which required a re-write.  This pack started with the pending restart monitor taken directly from the AquilaWeb reboot pack logic.  The logic helps SysAdmin/Domain Admin/NOC/NOSC/SOC teams know when servers need reboots.  The need is driven further by the multiple reboots (sometimes) required by Windows monthly updates and application updates.  Used across multiple customers, this is the first pack enabling a proactive stance to answer the ‘Am I compliant?’ question.

Quick Download: https://github.com/theKevinJustin/ProactivePatchUptimeReboot/

Testing the Proactive Patch alerts

David Allen built the ‘Aquilaweb.Support.PendingReboot.Monitor.PendingReboot’ PowerShell monitor to tell system owners when the pending restart flag is present.  Some builds, though, make system changes which repeatedly flip the registry key, causing many alerts.  Also, downloading the Aquila pack is tricky now that TechNet has been retired.

David provided a great idea, which was built upon.  This gave rise to the question: what if the server was not patched, or not rebooted, within a period of time?  With my Cyber hat on, this became the next piece of content to create.  That gave rise to another question: do these scenarios need to reflect in health (monitor), or not (rule)?  We’re all about choices and free will, so the pack is built with both options (rules disabled out of the box).

Pending restart monitor XML showing options

The pack is setup to alert with CBS application updates, SCCM/MECM/Config Mgr Endpoint Management updates, and Windows Updates.  This has been my experience for the most accurate reflections of alerts on secure builds where Application/System Owner needs to take action.

The Last Patch and Last Reboot monitor/rules in the download are set to 45 days.  Tune this value down if patching occurs at the 30 day mark; increase it if you need more time before alerts.

Last Patch Monitor reflecting number of days

Otherwise, download and import into your environment.  The Proactive set of alerts is built upon the Windows Operating System class, so depending on your subscription/notification settings, if subscriptions include that class, notifications to System/Application owners are automatic.

Useful links

David Allen blog

Addendum, what does it mean blog

Top Process PowerShell script

Task Manager output for ‘Top Process PowerShell script management pack’

Ever wish you had Task Manager output when a monitor went unhealthy?  Following Kevin Holman’s lead to ‘Monitor Processes’, the idea landed to build out the ‘Top Process PowerShell script’.  This morphed into a management pack with Knowledge entries to better explain what is being done.  Integrating Top Process into Health Explorer output as a recovery task provides another step before alerting.  The idea started from the need to prove which Security tool(s) were causing the over-utilized compute spikes that made server(s) non-responsive.  Thinking back to my UNIX days, we simply used top, vmstat, iostat, and other commands to identify problematic processes.  Integrating PowerShell scripts into SCOM is part of the fun, then linking the obfuscated Security processes for the final output.  From there, extrapolate into Azure Functions or Azure Logic Apps for additional cloud native monitoring functionality.

Quick Download: https://github.com/theKevinJustin/TopProcess

Tier1 separated monitoring (no AD) https://github.com/theKevinJustin/TopProcessTier1

Building out the ‘Top Process PowerShell script’

Kevin Holman built a ‘Monitor.Performance.ConsecSamples.ThenScript.TwoState.mpx’ fragment, beginning the logical journey.  His fragment helped me start with a working model, taking processes and cores into consideration for true CPU usage on multi-core servers.

Kevin Holman Monitor performance then script fragment for PowerShell Get-Counter syntax

We need to see the processes and their corresponding values, then build an output table (custom object).  After gathering the processes, feed the TopProcesses array, and lastly sort the array by CPUValue.

Top Process memory usage snippet

Next, we’ll want to see what applications/tools might be involved, including Active Client, IIS, monitoring, and EndPoint Management tools (keep things honest!).

Added the Security Processes into the mix

Then we build an output of the data so we can take the datasource (DS) or WriteAction (WA) into a scripted monitor/rule, or into recovery tasks linked to various monitors.  I even built a forked version for SAW/Red Forest environments, separating Tier0 monitoring from Tier1 (the snippet below is NOT that pack).

snippet of manual tasks and recoveries that link to multiple monitors

Useful links

Kevin Holman MP fragments blog and GitHub Fragment library/repository

STIGs for SCOM FIPS compliance on Windows

What does your mind link to with the FIPS acronym?  FIPS makes me think of the movie Greyhound where Tom Hanks says LT Flipper, instead of Fippler, all that said being ZERO to do with resolving ‘STIGs for SCOM FIPS compliance on Windows’


The biggest hurdle to ‘STIGs for SCOM FIPS compliance on Windows’ is obtaining the files.  The SCOM ISOs bundled since 2012 SP1 do NOT contain the gacutil and cryptography DLL files needed to resolve STIG V-220942 (Win10), V-226335 (Server 2012/2012R2), V-73701 (Server 2016), V-93511 (Server 2019), and V-254480 (Server 2022).  As much as we want to resolve ‘STIGs for SCOM FIPS compliance for Windows Server’, we have to start by finding the relevant files.  My thanks to Nathan Gau, Tyson Paul, and Aakash Basavaraj for their involvement and clarification.

Install DLL for STIGs for SCOM FIPS compliance on Windows

Time to mitigate!

Let’s begin to fix the SCOM Web Console role servers (possibly SQL SSRS and PowerBI Report Server included) to resolve multiple ‘STIGs for SCOM FIPS compliance for Windows Server’.  This blog post applies to multiple STIGs, including V-220942, V-226335, V-73701, V-93511, and V-254480.

Download files

Whether from the blog download link, from the old ISOs (to obtain the DLL) plus a server ISO (for gacutil), or from the my.visualstudio.com link:

Download SCOM ISO from my.visualstudio.com/Downloads?q=operations

If you downloaded from my.visualstudio.com, extract from ISO.

Copy files to IIS role servers (SCOM web console, SSRS, or PowerBI report Servers) to setup files for FIPS compliance.

Download the DLL to the SCOM default folder –

Best practice is the SCOM default folder on a non-system disk, e.g.

D:\Program Files\System Center\Operations Manager\Server

Update the registry on relevant servers

A registry key update is required to mitigate ‘STIGs for SCOM FIPS compliance on Windows’.

The STIG states to create the Enabled value (DWORD) with a value of 1 under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\

Verification via RegEdit (registry editor)

Display of regedit for the FIPS enabled key

PowerShell Verification:

# Read the FIPS policy value; 0 = disabled, 1 = enabled
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
[string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled
if ( $FIPSEnabled -eq 0 ) { Write-Host "FIPS disabled" }

Example Output

PS C:\> $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
PS C:\> [string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled
PS C:\> $FIPSEnabled
0
PS C:\> if ( $FIPSEnabled -eq 0 ) {write-host "FIPS disabled" }
FIPS disabled

PowerShell to set the registry key:

Blog link

# Scripting Guys pattern: substitute the FipsAlgorithmPolicy path and the Enabled value name
$registryPath = "HKCU:\Software\ScriptingGuys\Scripts"
$Name = "Version"
$value = "1"
New-ItemProperty -Path $registryPath -Name $Name -Value $value `
    -PropertyType DWORD -Force | Out-Null
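As an added example, not from the original post, the snippet below applies the Scripting Guys set-value pattern to the FipsAlgorithmPolicy path the STIG names, combined with the verification above, so the value is written only when it is not already 1 and a dry run can be done first. The helper names and their -WhatIf switch are this example's own.

```powershell
# Added example, not from the original post: check the STIG's FIPS policy value and
# set it only when it differs, using the same registry path as the verification step.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsState {
    # Returns 0 or 1, or $null when the Enabled value does not exist at all.
    $item = Get-ItemProperty -Path $RegPath -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.Enabled
}

function Set-FipsEnabled {
    param([switch]$WhatIf)   # example's own dry-run switch
    $current = Get-FipsState
    if ($current -eq 1) {
        Write-Output 'FIPS already enabled; nothing to change.'
        return
    }
    if ($WhatIf) {
        Write-Output "Would set $RegPath\Enabled from '$current' to 1 (DWORD)."
        return
    }
    # -Force overwrites an existing 0 and creates the value when it is missing.
    New-ItemProperty -Path $RegPath -Name Enabled -Value 1 -PropertyType DWORD -Force | Out-Null
    Write-Output "FIPS enabled on $env:COMPUTERNAME; reboot the web console server to verify."
}

# Run elevated. Dry run first, then without -WhatIf once the DLL/gacutil step is done.
Set-FipsEnabled -WhatIf
```

Switching the value on before the cryptography DLL and gacutil step is complete is what breaks the web console, which is why the example separates the check from the write and defaults to reporting rather than changing.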


Reboot web console servers to verify web console functionality!

This concludes resolving ‘STIGs for SCOM FIPS compliance for Windows Server’


Relevant links and documentation for ‘STIGs for SCOM FIPS compliance on Windows’

Download from the blog here: https://kevinjustin.com/downloads/FIPS/SCOM-FIPS-dll-and-gacutil.zip

Nathan Gau’s blog here

VisualStudio download for SCOM ISO’s here

STIG V-220942 for Windows 10

STIG V-226335 for Windows Server 2012/2012R2

STIG V-73701 for Windows Server 2016

STIG V-93511 for Windows Server 2019

STIG V-254480 for Windows Server 2022

NIST reference for hash functions https://csrc.nist.gov/projects/hash-functions

TechNet migrated forum post here

Tenable link for Server 2016 here

NIST policy for Windows Server2019 https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf

Windows runs per FIPS 140-2 Section 4.9 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Researching further, Microsoft certified Server 2016 and 2019 per the Learn articles.

Server 2016 https://learn.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Server 2019 https://learn.microsoft.com/en-us/compliance/regulatory/offering-fips-140-2

To counter the STIG: https://www.howtogeek.com/245859/why-you-shouldnt-enable-fips-compliant-encryption-on-windows/


Check your delegation settings


Sometimes, as the monitoring admin, you may be responsible for securing your servers, being told by Security/Cyber teams about new vulnerabilities.  The findings may come from Tanium, ACAS, Tenable, or other security tools.  This article shows how to secure the related SCOM web console and SSRS reporting sites against unconstrained delegation findings (CVE-2020-17049, also AD STIG V-36435).

First we need to identify IF this is a true finding.

Typically this comes from a Server/Systems Admin with domain admin access:

From PowerShell run:

Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

After identifying SCOM servers with unconstrained delegation (the scope of this blog post is SCOM in a hybrid on-prem/cloud scenario), we need to resolve it.

With domain administrator rights, open the Active Directory Users and Computers MMC snap-in.

In ADUC, change the Find drop-down to Computers.
In the Computer name text box, enter <SCOMServer> and click search.

Right click the server in the results box > Select Properties.

Select the Delegation tab.

ADUC view of lab server delegation setting

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <SCOMServer>, and then select OK.

Click the Add button to add services.

Select the w3svc and www service types.

Select OK.

ADUC GUI adding services for delegation on SCOM server

Once set in AD, reboot the server.  Running ‘gpupdate /force’ may not apply the AD changes to the server object.

After the reboot, reach out to the SCOM Admins to test web console authentication.

From the Edge browser, go to the SCOM web console, typically at https://<SCOMServer>/OperationsManager

On the Monitoring tab, click the Active Directory dashboard on the left.

Verify authentication works.
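The identification and remediation steps above, as an added PowerShell example that is not from the original post. It runs the same LDAP filter, drops domain controllers from the list (they carry the unconstrained delegation bit by design), and for a named SCOM web console server replaces unconstrained delegation with constrained delegation to the w3svc/www services using any authentication protocol, which is what the ADUC clicks above produce. 'SCOM01' is a placeholder, the ActiveDirectory module and domain admin rights are assumed, and the exact service/host SPN strings are my assumption of the format ADUC writes.

```powershell
# Added example, not from the original post. Lists member servers with unconstrained
# delegation and moves one SCOM web console server to constrained delegation.
# Assumes the ActiveDirectory module and domain admin rights; 'SCOM01' is a placeholder.
Import-Module ActiveDirectory

$UAC_TRUSTED_FOR_DELEGATION = 0x80000   # 524288, the bit the post's LDAP filter tests

function Get-UnconstrainedDelegationComputers {
    # Same filter as the post, with the DCs (which legitimately carry the bit) removed
    # so the output only contains servers that actually need a decision.
    $dcNames = (Get-ADDomainController -Filter *).Name
    Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_FOR_DELEGATION)" -Properties userAccountControl |
        Where-Object { $dcNames -notcontains $_.Name } |
        Select-Object Name, DNSHostName, DistinguishedName
}

function Set-ScomConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # e.g. 'SCOM01' (placeholder)
        [switch]$WhatIf                                # example's own dry-run switch
    )
    $computer = Get-ADComputer -Identity $ComputerName -Properties msDS-AllowedToDelegateTo
    # The w3svc/www service types chosen in ADUC, for both the short and the DNS host name
    # (assumed to be the entries ADUC writes into msDS-AllowedToDelegateTo).
    $spns = foreach ($svc in 'w3svc', 'www') {
        "$svc/$($computer.Name)"
        "$svc/$($computer.DNSHostName)"
    }
    if ($WhatIf) {
        Write-Output "Would clear unconstrained delegation on $ComputerName and allow: $($spns -join ', ')"
        return
    }
    # Clear 'Trust this computer for delegation to any service' and enable protocol
    # transition ('Use any authentication protocol'), then restrict the target services.
    Set-ADAccountControl -Identity $computer -TrustedForDelegation $false -TrustedToAuthForDelegation $true
    Set-ADComputer -Identity $computer -Add @{ 'msDS-AllowedToDelegateTo' = $spns }
    # Read back the result for the change record.
    Get-ADComputer -Identity $computer -Properties TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo |
        Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
}

Get-UnconstrainedDelegationComputers | Format-Table -AutoSize
Set-ScomConstrainedDelegation -ComputerName 'SCOM01' -WhatIf
```

Re-run the first function after the reboot: the SCOM server should no longer appear, and the read-back should show TrustedForDelegation False with the four service entries populated. If the Active Directory dashboard then fails to authenticate, the service list is the first thing to compare against what ADUC shows on the Delegation tab.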


Documentation

Pentestlab – Detecting Unconstrained Delegation Exposures in AD Environment

Petri.com find and block unconstrained delegation

Learn.Microsoft.com unconstrained kerberos article

Explanatory documents on what/why

Remove Unconstrained Kerberos Delegation


Configure MMA agent via PowerShell

A car mechanic uses battery jumper cables to charge a dead battery.


Do you feel like a mechanic having to jump start the agent configuration like a dead car battery?  Assuming the agent is already installed, you can configure the SCOM agent via PowerShell, and even better, PowerShell remote to multiple systems.  I hope the PowerShell commands below help you master configuring the SCOM side of the MMA agent (house).

<#
  Find/replace variables to your environment like Kevin Holman's fragments!
  ##SCOMMGMTGROUP1##
  ##SCOMMGMTGROUP2##
  ##SCOMMGMTSERVER1##
  ##SCOMMGMTSERVER2##
#>

# Bind to the agent configuration COM object
$SCOMAgent = New-Object -ComObject AgentConfigManager.MgmtSvcCfg

# Show the current management group entries
$SCOMAgent.GetManagementGroup("##SCOMMGMTGROUP1##"); $SCOMAgent.GetManagementGroup("##SCOMMGMTGROUP2##")

# If mgmt groups are incorrectly set, remove them
$SCOMAgent.RemoveManagementGroup("##SCOMMGMTGROUP1##")
$SCOMAgent.RemoveManagementGroup("##SCOMMGMTGROUP2##")

Restart-Service HealthService

# Domain management group: group name, management server, port
$SCOMAgent.AddManagementGroup("##SCOMMGMTGROUP1##", "##SCOMMGMTSERVER1##", 5723)

# Verify agent config
$SCOMAgent.GetManagementGroup("##SCOMMGMTGROUP1##")
# If you have a second management group
$SCOMAgent.GetManagementGroup("##SCOMMGMTGROUP2##")

# Restart and test connectivity
Restart-Service HealthService

# Check connectivity to the management server port
Test-NetConnection -Port 5723 -ComputerName ##SCOMMGMTSERVER1##
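The remoting angle mentioned above, as an added example that is not from the original post: the same AgentConfigManager.MgmtSvcCfg calls run through Invoke-Command against several servers at once, adding the management group only where it is missing and reporting per server. The server list is constructed; the management group and server tokens are the post's placeholders; GetManagementGroups() and its managementGroupName property are the COM object's own.

```powershell
# Added example, not from the original post: configure the SCOM side of the MMA agent on
# several servers over PowerShell remoting, idempotently, and report the result per server.
$Targets    = @('APP01', 'APP02', 'WEB01')   # constructed list of agent-managed servers
$MgmtGroup  = '##SCOMMGMTGROUP1##'           # post's placeholders
$MgmtServer = '##SCOMMGMTSERVER1##'
$Port       = 5723

$results = Invoke-Command -ComputerName $Targets -ArgumentList $MgmtGroup, $MgmtServer, $Port -ScriptBlock {
    param($Group, $Server, $Port)
    $agent = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    # GetManagementGroups() lists every group the agent reports to; match on name so
    # re-running the script never adds a duplicate entry.
    $existing = @($agent.GetManagementGroups() | Where-Object { $_.managementGroupName -eq $Group })
    $action = 'AlreadyConfigured'
    if ($existing.Count -eq 0) {
        $agent.AddManagementGroup($Group, $Server, $Port)
        Restart-Service HealthService
        $action = 'Added'
    }
    # Same connectivity check as the post, captured instead of printed
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Action   = $action
        Groups   = ($agent.GetManagementGroups() | ForEach-Object { $_.managementGroupName }) -join ';'
        PortOpen = $tcp.TcpTestSucceeded
    }
}
$results | Format-Table Computer, Action, Groups, PortOpen -AutoSize
```

A server that reports Added but PortOpen False has a correct local configuration and a firewall or routing problem to 5723, which is the distinction the separate connectivity column is there to make.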


SCOM Monitor reset logic

ResetButton

Ever want to reset SCOM monitors, and wish there was a simple Reset Button for unhealthy monitors?

I’ve been using Scott Murr’s TechNet gallery loop to maintain my alerts and ensure monitors are healthy for all my management packs.

The blurb I put in my DS/WA scripts to reset SCOM monitors builds on Andrew’s methods, which I didn’t realize at the time (just think much uglier code!).

Cleaner PowerShell to help reset monitors and rules

My PowerShell variables to reset SCOM monitors, including my Addendum and the core – DNS example provided below (thank you Andrew!)

## Grab the MP, get the Monitors and Rules from the MP, then grab all alerts found inside the Monitors/Rules

$SCOMCoreMP = Get-SCOMManagementPack -DisplayName "Microsoft Windows Server 2016 and 1709+ DNS Monitoring"
$SCOMAddendumMP = Get-SCOMManagementPack -DisplayName "Microsoft Windows Server 2016 DNS Monitoring Addendum"

$SCOMCoreRules = $SCOMCoreMP.GetRules()
$SCOMCoreMonitors = $SCOMCoreMP.GetMonitors()
$SCOMAddendumRules = $SCOMAddendumMP.GetRules()
$SCOMAddendumMonitors = $SCOMAddendumMP.GetMonitors()

# All alerts (open or closed) raised by the core and addendum rules/monitors
$SCOMCoreReportAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMCoreRules.DisplayName) -or ($_.Name -in $SCOMCoreMonitors.DisplayName) }
$SCOMCoreReportAlerts.Count
$SCOMAddendumReportAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMAddendumRules.DisplayName) -or ($_.Name -in $SCOMAddendumMonitors.DisplayName) }
$SCOMAddendumReportAlerts.Count

# Open alerts only (ResolutionState 255 = Closed); the core list filters the core alerts, not the addendum ones
$SCOMOpenReportAlerts = $SCOMCoreReportAlerts | ? { ( $_.ResolutionState -ne "255" ) }
$SCOMOpenReportAlerts.Count
$SCOMOpenAddendumReportAlerts = $SCOMAddendumReportAlerts | ? { ( $_.ResolutionState -ne "255" ) }
$SCOMOpenAddendumReportAlerts.Count

# Open rule alerts are matched against the rule display names
$SCOMCoreRuleAlerts = Get-SCOMAlert | ? { ( $_.Name -in $SCOMCoreRules.DisplayName) -AND ( $_.ResolutionState -ne "255" ) }
$SCOMCoreRuleAlerts.Count
$SCOMAddendumRuleAlerts = Get-SCOMAlert | ? { ( $_.Name -in $SCOMAddendumRules.DisplayName) -AND ( $_.ResolutionState -ne "255" ) }
$SCOMAddendumRuleAlerts.Count

# Open monitor alerts are matched against the monitor display names
$SCOMCoreMonitorAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMCoreMonitors.DisplayName ) -AND ( $_.ResolutionState -ne "255" ) }
$SCOMCoreMonitorAlerts.Count
$SCOMAddendumMonitorAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMAddendumMonitors.DisplayName ) -AND ( $_.ResolutionState -ne "255" ) }
$SCOMAddendumMonitorAlerts.Count

$AutoClosed = $SCOMCoreMonitorAlerts.Count + $SCOMCoreRuleAlerts.Count + $SCOMAddendumMonitorAlerts.Count + $SCOMAddendumRuleAlerts.Count
$Test = $SCOMCoreReportAlerts.Count + $SCOMAddendumReportAlerts.Count
$OpenAlerts = $SCOMOpenReportAlerts.Count + $SCOMOpenAddendumReportAlerts.Count
$ResetMonitors = $SCOMCoreMonitors + $SCOMAddendumMonitors
$MonitorAlerts = $SCOMCoreMonitorAlerts.Count + $SCOMAddendumMonitorAlerts.Count

#
# If Cleanup needed, array of report monitors

# Reset Monitors Script
# Put ps1 in mgmtpacks folder
# https://sc.scomurr.com/scom-2012-monitor-reset-cleaning-up-the-environment/
# Download
# https://gallery.technet.microsoft.com/SCOM-2012-Batch-reset-63a17534

# Alternate
# https://gallery.technet.microsoft.com/scriptcenter/Auto-reset-script-for-d8b775ca

if ( $MonitorAlerts -gt 0 )
{
    foreach ( $MonitorDisplayName in $ResetMonitors.DisplayName )
    {
        $Monitors = @( Get-SCOMMonitor -DisplayName $MonitorDisplayName )

        # Set up monitor objects to reset
        foreach ($Monitor in $Monitors)
        {
            # Instances of the monitor's target class that are unhealthy and still available
            $MonitorClass = Get-SCOMClass -Id $Monitor.Target.Id
            $ActiveMonitors = Get-SCOMClassInstance -Class $MonitorClass | ? { ($_.HealthState -ne 'Success') -AND ( $_.HealthState -ne 'Uninitialized') -AND ($_.IsAvailable -eq $true) }
            Write-Host "Found $($ActiveMonitors.Count) active monitors."
            if ( $null -ne $ActiveMonitors )
            {
                foreach ($ActiveMonitor in $ActiveMonitors)
                {
                    Write-Host "  Resetting Health State on '$($ActiveMonitor.FullName)'"
                    $ActiveMonitor.ResetMonitoringState($Monitor.Id)
                }
            }
        }
    }
}

Cleaner PowerShell to help reset monitors and rules

Like Meguiar’s cleaner wax to your car’s finish, this post will help utilize cleaner PowerShell to help reset monitors and rules

Cleaner PowerShell supplied by Andrew Bradley has helped simplify the PowerShell code for resetting/closing monitors and rules via a method call.  Hard to believe I’ve been quiet on the blog for the past year, as I’ve been working on SCOM management pack addendums.  The ‘cleaner PowerShell’ is being integrated into the various addendums.

The addendums have been helpful with many customers, by building out better ways to monitor, clean up alerts, and create daily reports.  The Addendum packs add report key insights for many 1P (1st party) Microsoft authored management packs.

Methods


Cleaner PowerShell to help reset monitors and rules

## Grab the MP, get the Monitors and Rules from the MP, then grab all alerts found inside the Monitors/Rules
$SCOMCoreMP = Get-SCOMManagementPack -DisplayName "System Center Core Monitoring"
$SCOMCoreRules = $SCOMCoreMP.GetRules()
$SCOMCoreMonitors = $SCOMCoreMP.GetMonitors()

# Every alert whose name matches a rule or monitor display name in the pack
$SCOMCoreReportAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMCoreRules.DisplayName) -or ($_.Name -in $SCOMCoreMonitors.DisplayName) }

Example for DNS management pack

## Grab the MP, get the Monitors and Rules from the MP, then grab all alerts found inside the Monitors/Rules
$SCOMCoreMP = Get-SCOMManagementPack -DisplayName "Microsoft Windows Server 2016 and 1709+ DNS Monitoring"
$SCOMCoreRules = $SCOMCoreMP.GetRules()
$SCOMCoreMonitors = $SCOMCoreMP.GetMonitors()

$SCOMCoreReportAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMCoreRules.DisplayName) -or ($_.Name -in $SCOMCoreMonitors.DisplayName) }
$SCOMCoreReportAlerts.Count

$SCOMOpenReportAlerts = $SCOMCoreReportAlerts | ? { ( $_.ResolutionState -ne "255" ) }
$SCOMOpenReportAlerts.Count

# Open alerts

$SCOMCoreRuleAlerts = Get-SCOMAlert | ? { ( $_.Name -in $SCOMCoreRules.DisplayName) -AND ( $_.ResolutionState -ne "255" ) }
$SCOMCoreRuleAlerts.Count

$SCOMCoreMonitorAlerts = Get-SCOMAlert | ? { ($_.Name -in $SCOMCoreMonitors.DisplayName ) -AND ( $_.ResolutionState -ne "255" ) }
$SCOMCoreMonitorAlerts.Count

Adding parameters to datasource/probeaction moduletypes

This post is about adding parameters to datasource (DS) or probeaction (PA) moduletypes.  Sorry, I found this draft from last year that I never published. 🙁 I’m in the ‘missing functionality’ boat.  Some would say I’m a dreamer, a good system admin, a car guy who has different ideas than the manufacturer, or something altogether different (you decide 🙂).  Hope this blog post helps monitoring experts that author more functionality than what was delivered, specifically adding parameters to datasource/probeaction moduletypes NOT delivered in the OotB functionality.

Adding parameters to datasource/probeaction moduletypes
First – What is needed
Second – Verify dependencies required for a workflow
Third – Build on example ‘datasource’
Fourth – Configure Monitor/Rule to use Datasource/ProbeAction

Let’s go step by step through ‘adding parameters to datasource/probeaction moduletypes’ to customize a data source.  The datasource requirements are to include/verify the following parameters: TimeOut, TimeOutInMS, MatchCount, SampleCount (match/sample count are intended for rules/monitors).

Pre-reqs (what’s needed for a ModuleType to function)

Working Script – PowerShell/BASH/Perl/SH/KSH
ScriptArgs required at runtime
Other Configuration, or Overrideable Parameters
Using configured parameters properly
Verify ProbeActions (PA) inside DS have relevant parameters


Easiest way to summarize adding a configuration parameter:
It must be added to Configuration, OverrideableParameters, and ModuleImplementation.
When modifying an out-of-the-box (OotB) moduletype, the parameter(s) MUST also be used in the UnitMonitorType, Rule, or Monitor.

Quick background for MatchCount/SampleCount:
When adding parameters to datasource/probeaction moduletypes, it’s good to know why this is part of the conversation to be added to monitoring design/implementation.

MatchCount comes in handy for repeated failures BEFORE alerting (count 5 events before alerting)
SampleCount comes in handy for counting number of failed workflows BEFORE alerting (run workflow 6 times failing before alerting)


Example Unix.ShellCommand.Invoke.Script DataSource
Requirement = Add MatchCount/SampleCount (or TimeOut to the PA ProbeAction)

Download

Unseal, and open Microsoft.Unix.ShellCommand.Library.xml in NotePad++, VStudio, (or your favorite XML editor)

Screenshot of default Microsoft.Unix.ShellCommand.Invoke.DataSource
TimeOut and TimeOutinMS are baked in.  We begin by adding MatchCount/SampleCount

Adding MatchCount/SampleCount for Configuration, OverrideableParameters, and Module Implementation for DS/PA

How to add MatchCount/SampleCount syntax

Adding MatchCount/SampleCount for Configuration, OverrideableParameters, and Module Implementation for DS/PA

NOTE – sometimes you don’t find an example!

This part gets complicated – how far down the rabbit hole do you need the parameters?
Does the DS workflow only need the respective parameters?
Do you have to add to the corresponding PA’s called in the workflow?


Starting simple, add to DS

Add MatchCount/SampleCount to DS Configuration
<xsd:element name="MatchCount" type="xsd:unsignedInt" maxOccurs="1" minOccurs="0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
<xsd:element name="SampleCount" type="xsd:unsignedInt" maxOccurs="1" minOccurs="0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />

Add MatchCount/SampleCount to OverrideableParameters (if you want capability to override)
<OverrideableParameter ID="MatchCount" Selector="$Config/MatchCount$" ParameterType="int" />
<OverrideableParameter ID="SampleCount" Selector="$Config/SampleCount$" ParameterType="int" />

Add MatchCount/SampleCount to DS MemberModule
<MatchCount>$Config/MatchCount$</MatchCount>
<SampleCount>$Config/SampleCount$</SampleCount>

Add MatchCount/SampleCount to PA Configuration
<xsd:element name="MatchCount" type="xsd:unsignedInt" maxOccurs="1" minOccurs="0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
<xsd:element name="SampleCount" type="xsd:unsignedInt" maxOccurs="1" minOccurs="0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />

Add MatchCount/SampleCount to PA MemberModule
<MatchCount>$Config/MatchCount$</MatchCount>
<SampleCount>$Config/SampleCount$</SampleCount>

Unix.ShellCommand.Invoke.Script
As an alternate example for monitors, the SQL Windows Replication management pack has a good UnitMonitor/UnitMonitorType example: Microsoft.SQLServer.Replication.Windows.Monitoring.xml
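As an added configuration example (not the Microsoft.Unix.ShellCommand.Library XML, whose probe action schema is not reproduced here), the fragment below shows the whole path a new parameter travels: the DS Configuration, OverrideableParameters and MemberModule entries from the snippets above, the matching elements the PA must accept, and a UnitMonitorType that finally uses MatchCount/SampleCount in a System.ExpressionFilter SuppressionSettings block so the Unhealthy state waits for the configured number of failed samples. The Example.* IDs, the invented Example.ShellCommand.ProbeAction, the Result property name and the System! alias are assumptions for this illustration.

```xml
<!-- Added example; Example.* IDs and the probe action module are invented for illustration.
     System! is the usual alias for the System.Library reference. -->
<DataSourceModuleType ID="Example.ShellCommand.DataSource" Accessibility="Public" Batching="false">
  <Configuration>
    <xsd:element name="IntervalSeconds" type="xsd:unsignedInt" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
    <xsd:element name="ScriptBody" type="xsd:string" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
    <xsd:element name="TimeOut" type="xsd:unsignedInt" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
    <!-- new elements, optional so existing callers that omit them still validate -->
    <xsd:element name="MatchCount" type="xsd:unsignedInt" maxOccurs="1" minOccurs="0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
    <xsd:element name="SampleCount" type="xsd:unsignedInt" maxOccurs="1" minOccurs="0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
  </Configuration>
  <OverrideableParameters>
    <OverrideableParameter ID="IntervalSeconds" Selector="$Config/IntervalSeconds$" ParameterType="int" />
    <OverrideableParameter ID="TimeOut" Selector="$Config/TimeOut$" ParameterType="int" />
    <OverrideableParameter ID="MatchCount" Selector="$Config/MatchCount$" ParameterType="int" />
    <OverrideableParameter ID="SampleCount" Selector="$Config/SampleCount$" ParameterType="int" />
  </OverrideableParameters>
  <ModuleImplementation Isolation="Any">
    <Composite>
      <MemberModules>
        <DataSource ID="Scheduler" TypeID="System!System.Scheduler">
          <Scheduler>
            <SimpleReccuringSchedule>
              <Interval Unit="Seconds">$Config/IntervalSeconds$</Interval>
            </SimpleReccuringSchedule>
            <ExcludeDates />
          </Scheduler>
        </DataSource>
        <!-- the PA's own Configuration must declare every element passed here, or the MP fails import -->
        <ProbeAction ID="Probe" TypeID="Example.ShellCommand.ProbeAction">
          <ScriptBody>$Config/ScriptBody$</ScriptBody>
          <TimeOut>$Config/TimeOut$</TimeOut>
          <MatchCount>$Config/MatchCount$</MatchCount>
          <SampleCount>$Config/SampleCount$</SampleCount>
        </ProbeAction>
      </MemberModules>
      <Composition>
        <Node ID="Probe">
          <Node ID="Scheduler" />
        </Node>
      </Composition>
    </Composite>
  </ModuleImplementation>
  <OutputType>System!System.PropertyBagData</OutputType>
</DataSourceModuleType>

<UnitMonitorType ID="Example.ShellCommand.MonitorType" Accessibility="Public">
  <MonitorTypeStates>
    <MonitorTypeState ID="Healthy" NoDetection="false" />
    <MonitorTypeState ID="Unhealthy" NoDetection="false" />
  </MonitorTypeStates>
  <Configuration>
    <xsd:element name="IntervalSeconds" type="xsd:unsignedInt" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
    <xsd:element name="ScriptBody" type="xsd:string" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
    <xsd:element name="TimeOut" type="xsd:unsignedInt" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
    <xsd:element name="MatchCount" type="xsd:unsignedInt" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
    <xsd:element name="SampleCount" type="xsd:unsignedInt" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
  </Configuration>
  <OverrideableParameters>
    <OverrideableParameter ID="MatchCount" Selector="$Config/MatchCount$" ParameterType="int" />
    <OverrideableParameter ID="SampleCount" Selector="$Config/SampleCount$" ParameterType="int" />
  </OverrideableParameters>
  <MonitorImplementation>
    <MemberModules>
      <DataSource ID="DS" TypeID="Example.ShellCommand.DataSource">
        <IntervalSeconds>$Config/IntervalSeconds$</IntervalSeconds>
        <ScriptBody>$Config/ScriptBody$</ScriptBody>
        <TimeOut>$Config/TimeOut$</TimeOut>
        <MatchCount>$Config/MatchCount$</MatchCount>
        <SampleCount>$Config/SampleCount$</SampleCount>
      </DataSource>
      <ConditionDetection ID="UnhealthyFilter" TypeID="System!System.ExpressionFilter">
        <Expression>
          <SimpleExpression>
            <ValueExpression><XPathQuery Type="String">Property[@Name='Result']</XPathQuery></ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression><Value Type="String">BAD</Value></ValueExpression>
          </SimpleExpression>
        </Expression>
        <!-- where MatchCount/SampleCount do their work: 'BAD' must be seen MatchCount times
             within SampleCount consecutive runs before the Unhealthy state is raised -->
        <SuppressionSettings>
          <MatchCount>$Config/MatchCount$</MatchCount>
          <SampleCount>$Config/SampleCount$</SampleCount>
        </SuppressionSettings>
      </ConditionDetection>
      <ConditionDetection ID="HealthyFilter" TypeID="System!System.ExpressionFilter">
        <Expression>
          <SimpleExpression>
            <ValueExpression><XPathQuery Type="String">Property[@Name='Result']</XPathQuery></ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression><Value Type="String">GOOD</Value></ValueExpression>
          </SimpleExpression>
        </Expression>
      </ConditionDetection>
    </MemberModules>
    <RegularDetections>
      <RegularDetection MonitorTypeStateID="Unhealthy">
        <Node ID="UnhealthyFilter"><Node ID="DS" /></Node>
      </RegularDetection>
      <RegularDetection MonitorTypeStateID="Healthy">
        <Node ID="HealthyFilter"><Node ID="DS" /></Node>
      </RegularDetection>
    </RegularDetections>
  </MonitorImplementation>
</UnitMonitorType>
```

The monitor that targets this UnitMonitorType passes its own MatchCount/SampleCount down in the same way (for example 3 of 5), which answers the rabbit-hole question above: the values have to be declared at every level that forwards them, but they only take effect in the one ConditionDetection that carries the SuppressionSettings.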


References

Kevin Holman has a good example for changing frequency and MatchCount here
https://kevinholman.com/2017/08/12/creating-a-scom-service-monitor-that-allows-overrides-for-interval-frequency-and-samples/

Find example by searching unsealed management pack repository (use Tyson’s SCOMHelper PowerShell module to unseal mp/mpb’s to facilitate a better unsealed mp search) https://monitoringguys.com/2019/11/12/scomhelper/