Use SCOM helper for advanced administration

VoteForPedro — Vote for Pedro and SCOM helper

First, use SCOM helper for advanced administration (a shameless plug to Tyson & MonitoringGuys blog!)

In case you didn’t know, as I may be the last off the airplane, it’s time to talk about SCOMHelper. Things you forget, like using a power drill, versus manual screwdriver, all because you’re familiar with the old trusty screwdriver. Man, I think I upgraded past the power drill with a cord, to a lithium-ion powered impact drill with SCOMHelper.

Blog https://monitoringguys.com/2019/11/12/scomhelper/
Download https://www.powershellgallery.com/packages/SCOMHelper

Install SCOMHelper

Time to use SCOM helper for advanced administration, and get it installed!

Pretty simple install. I would recommend adding to monitoring team server, jumpserver, from SCOM MS, or console enabled, Operations Manager plug-in installed machines.

From PowerShell (as admin)

Install-Module -Name SCOMHelper

SCOM helper functions
Clear-SCOMCache Compare-String Deploy-SCOMAgent Export-SCOMEffectiveMonitoringConfigurationReport Export-SCOMEventsToCSV Export-SCOMKnowledge Export-SCOMOverrides Fast-Ping Get-SCOMAlertKnowledge Get-SCOMClassInfo Get-SCOMHealthCheckOpsConfig Get-SCOMMPFileInfo Get-SCOMRunAsAccountName Get-SCOMRunAsProfilesAccounts Get-SCOMRunningWorkflows Get-StringHash New-SCOMClassGraph New-SCOMComputerGroup Ping-AllHosts Remove-SCOMObsoleteReferenceFromMPFile Set-SCOMMPAliases Show-SCOMModules Show-SCOMPropertyBag Test-Port Unseal-SCOMMP Update-SCOMComputerGroup Start-SCOMOverrideTool

Open PowerShell (as admininstrator)
Type: Install-Module -Name SCOMHelper

Example output
PS C:\> Install-Module -Name SCOMHelper

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
‘PSGallery’?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “N”): A

If SCOMHelper is already installed
Open PowerShell (as admininstrator)
Type: Install-Module -Name SCOMHelper -Force

(You may get the untrusted repository message if you answered Y (yes) or N (no)

Example output
PS C:\> Install-Module -Name SCOMHelper -Force
PS C:\>

Just one example –

Use the Unseal-SCOMMP to unseal your MP and MPB’s for your SCOM mgmt pack repository

Have fun playing!

If you’re administering management groups, I can pretty much guarantee you will need these:

Export-SCOMEffectiveMonitoringConfigurationReport

Export-SCOMOverrides

Get-SCOMHealthCheckOpsConfig

Get-SCOMRunningWorkflows

New-SCOMClassGraph

Remove-SCOMObsoleteReferenceFromMPFile

Show-SCOMPropertyBag

I’m off to unseal my repository, so my Notepad++ searches can find more examples for new authoring functionality.

Parse Events via PowerShell into table

Parsing Events via PowerShell into table — Optometrist eye testing equipment picture

Parse Events via PowerShell into table. Ever have need to parse an event, and grab a field from the event description, then perform some action after that?

Here’s some PowerShell that may help you first to create a table, then setup columns, gather data, then parse what you need, and run a command to then output to the table

# Create Table for alerts

$Table = @()

$Table = $null

$Table = New-Object System.Data.DataTable “Failed Hosts List”

$Col1 = New-Object System.Data.DataColumn Host

$Col2 = New-Object System.Data.DataColumn IPAddress

$Table.Columns.Add($Col1)

$Table.Columns.Add($Col2)

$Alert20046 = Get-WinEvent -FilterHashtable @{LogName=’Operations Manager’;

ID=’20046′;}

$Alerts20046 = $Alert20046.Message

$Alerts20046.count

$Alerts20046uniq = $Alerts20046 | sort -uniq

$Alerts20046uniq.count

# $DeniedUniq = $Denied20046 | Sort-Object -Uniq

# $ServersDenied = @()

foreach ( $server in $DeniedUniq)

{

$Name = nslookup $server

foreach ($server in $Name)

{

# Add to Table

# $Name.Split(“:”)[6]

# $Name.Split(“:”)[8]

$row = $Table.NewRow()

$row.Host = $Name.Split(“:”)[6]

$row.IPAddress = $Name.Split(“:”)[8]

$Table.Rows.Add($row)

}

Mining Windows Event Log

Mining Ore from the Windows Event Log and finding a way to make it portable

Use Get-WinEvent to use XML and filters from event viewer, to mine an event, including examples for a specific string, from a specific event, in a specific event log?

Hopefully this post will help with a few tips to simplify monitoring for events, whether in AzMon, SCOM, or via PowerShell.

Let’s start with the Dr Scripto blog post from quite a while ago –

https://devblogs.microsoft.com/scripting/data-mine-the-windows-event-log-by-using-powershell-and-xml/

Not sure how many people use get-WinEvent, but this is one tool in PowerShell that can help an admin parse the XML side of an event.

Example 1

Query Application Event Log for Severity, Event, and Event Data contains lync.exe

$query = @”

<Select Path=”Application”>*[System[Provider[@Name=’Application Hang’]

and (Level=2) and (EventID=1002)]]

and *[EventData[Data=’lync.exe’]]</Select>

</Query>

</QueryList>

“@

Get-WinEvent -FilterXml $query

PowerShell output

Use Get-WinEvent to use XML and filters from event viewer

The Tip or Trick part of this – leverage your Event Viewer Filter as a query to use with get-WinEvent

Credit for this tip comes from Andrew Blumhardt!

See below for examples to ‘use Get-WinEvent to use XML and filters from event viewer’

Navigating via Event Viewer:

Hop onto your favorite server, or connect to another server via Event Viewer

Go to the Event Log > Click Filter Current Log

Build out your filter (i.e. choose specific Event Sources, exclude events, include severities, timeframe (start/end), etc.)

Switch to the XML tab (and note you can edit your query further!)

You can copy the query from the Event Viewer into your Get-WinEvent syntax

$query = @”

<QueryList>
<Query Id=”0″ Path=”Application”>
<Select Path=”Application”>*[System[Provider[@Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Monitor.UserRoleQuotaUsageMonitor’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Report.ServiceUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Report.VMUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.EnableCredSSPClient’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Monitor.UserRoleQuotaUsageMonitor’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Report.ServiceUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Report.VMUsageCollection’] and (Level=2 or Level=3) and (EventID=25933)]]</Select>
</Query>
</QueryList>

“@

Get-WinEvent -FilterXml $query

PowerShell output

Example 3

Grab System Event Log, Event ID 5827 (NetLogon denied events)

get-WinEvent -FilterHashtable @{LogName=’System’; ID=’5827′;}

PowerShell output

Documentation:

Get-WinEvent https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.1

MSFT DevBlogs https://devblogs.microsoft.com/scripting/data-mine-the-windows-event-log-by-using-powershell-and-xml/

Installing and configuring the MMA agent via Command line

GUI install option, see blog

PowerShell Agent configuration, see blog

Updated 1 Feb 2023

Pre-reqs to build out an install script/package

MMA agent executable

ALA Workspace ID

ALA Workspace Primary Key

Download MMA agent

Click on Windows Servers from Connected Sources to download Windows Agent

Click on Linux Servers from Connected Sources to download Linux Agent

Obtain WorkspaceID

From the Azure Portal (https://portal.azure.com)

Click on Log Analytics, <your subscription >

Click on Advanced Settings

My view defaulted to Connected Sources > Windows Servers

Save the workspace ID and workspace key to notepad/OneNote for later

Build out command line for setup file

(optionally to include in Application Deployment package)

Grab pre-reqs above: (saved from above to build the command line)

Exe/msi file

Workspace ID

Workspace key

Craft out your command line (MECM super installer code updated by Neal Smith

SCOM MECM Agent Package Installer Command Line

The setup.exe or MSI command line parameters to pass are:

MMA-specific options	Notes
NOAPM=1	Optional parameter. Installs the agent without .NET Application Performance Monitoring.
ADD_OPINSIGHTS_WORKSPACE	1 = Configure the agent to report to a workspace
OPINSIGHTS_WORKSPACE_ID	Workspace Id (guid) for the workspace to add
OPINSIGHTS_WORKSPACE_KEY	Workspace key used to initially authenticate with the workspace
OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE	Specify the cloud environment where the workspace is located 0 = Azure commercial cloud (default) 1 = Azure Government
OPINSIGHTS_PROXY_URL	URI for the proxy to use
OPINSIGHTS_PROXY_USERNAME	Username to access an authenticated proxy
OPINSIGHTS_PROXY_PASSWORD	Password to access an authenticated proxy

Example:

setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<your workspace id> OPINSIGHTS_WORKSPACE_KEY=<your workspace key> AcceptEndUserLicenseAgreement=1

Category: PowerShell

Use SCOM helper for advanced administration

Install SCOMHelper

Parse Events via PowerShell into table

Mining Windows Event Log

Example 1

Use Get-WinEvent to use XML and filters from event viewer

Navigating via Event Viewer:

Example 3

Installing and configuring the MMA agent via Command line

Updated 1 Feb 2023

Pre-reqs to build out an install script/package

Download MMA agent

Obtain WorkspaceID

Build out command line for setup file

Other helpful links