Configure SNOW Subscriptions

ServiceNowLogo - Create SCOM subscriptions — ServiceNowLogo – Create SCOM subscriptions

Depending on requirements, creating multiple subscriptions within SCOM to leverage subscriber/channels required. Selecting rules/monitors, and resolution state conditions to help Application teams get incidents for key issues requiring intervention. NOTE Depending on what was command channels were created for various AssignmentGroup(s) and Team(s) within the organization.

Configure ‘TEST Holman’s Command Channel’ subscription

Configure channel to execute logAlert.ps1 command channel to verify SCOM outputs

SCOM Navigation steps:

Click on Administration Tab > Notifications > Channels

Click New

Name

TEST Holman’s Command Channel

Description

C:\MonAdmin\Scripts\LogAlert.ps1 Utilize LogAlert.ps1 example from Holman’s blog. Specific Subscription details: +CRITERIA = ALL Alerts +RESOLUTIONSTATE = NEW (0) +SUBSCRIBER = CHANNEL SCOM Command Channel Subscriber via POWERSHELL +CHANNEL Test LogAlert.ps1 SCOM Command Channel

Setup and use Holman’s script execution channel blog to test what account SCOM uses for notifications

https://kevinholman.com/2021/08/25/what-account-will-command-channel-notifications-run-as-in-scom/

Click on Settings

Example screenshot from Holman’s blog

Full path of Command file:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe

Command line parameters

-executionPolicy bypass -noprofile -file “C:\MonAdmin\scripts\logalert.ps1” -AlertID “$Data[Default=’NotPresent’]/Context/DataItem/AlertId$” -AlertName “$Data[Default=’NotPresent’]/Context/DataItem/AlertName$” -AlertDescription “$Data[Default=’NotPresent’]/Context/DataItem/AlertDescription$” -Severity “$Data[Default=’NotPresent’]/Context/DataItem/Severity$” -ResolutionState “$Data[Default=’NotPresent’]/Context/DataItem/ResolutionState$” -ManagedEntityPath “$Data[Default=’NotPresent’]/Context/DataItem/ManagedEntityPath$” -ManagedEntityDisplayName “$Data[Default=’NotPresent’]/Context/DataItem/ManagedEntityDisplayName$” -ManagedEntityFullName “$Data[Default=’NotPresent’]/Context/DataItem/ManagedEntityFullName$” -ManagedEntity “$Data[Default=’NotPresent’]/Context/DataItem/ManagedEntity$” -CreatedByMonitor “$Data[Default=’NotPresent’]/Context/DataItem/CreatedByMonitor$” -WorkflowId “$Data[Default=’NotPresent’]/Context/DataItem/WorkflowId$” -DataItemCreateTimeLocal “$Data[Default=’NotPresent’]/Context/DataItem/DataItemCreateTimeLocal$” -WebConsoleUrl “$Target/Property[Type=”Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer”]/WebConsoleUrl$?DisplayMode=Pivot&AlertID=$UrlEncodeData/Context/DataItem/AlertId$”

Startup folder for the command line:

C:\MonAdmin\SCRIPTS

Click Finish

Configure New-SNOWEvent command channel in SCOM

Grab file from GitHub repository https://github.com/theKevinJustin/New-SNowEvent

As needed, save TXT file as .ps1 on SCOM MS’s

Design recommendation

Create multiple command channels depending on assignment group and team(s) to pass these variables to the script.

NOTE path to setup channel execution, AssignmentGroup, and Team variables

Configure ‘TEST SNOW Event Creation’ SCOM Notification command channel

NOTE Use these steps to create multiple command channels, as the AssignmentGroup and Team may differ depending on Application Owners

SCOM Navigation steps:

Click on Administration Tab > Notifications > Channels

Click New

Name

TEST SNOW Event Creation

Description

C:\MonAdmin\Scripts\New-SNowEvent.ps1 Outputs 711 Events into Operations Manager event log.

Specific Subscription details: +CRITERIA = ALL Alerts +SUBSCRIBER = CHANNEL New-SNowEvent.ps1 via POWERSHELL +CHANNEL ServiceNow SNOW Event Creation Channel

New-SNOWEvent.ps1 command channel creates ServiceNow SNOW events for alerts and incidents.

This channel will also update the SCOM alert TicketID, Owner, ResolutionState to modify SCOM alert with SNOW information, or information passed in SNOW event.

See blog for more details https://kevinjustin.com/blog/2024/03/27/servicenow-event-integration/

Click on Settings

Full path of Command file:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe

Command line parameters

-executionPolicy bypass -noprofile -file “C:\MonAdmin\scripts\New-SNowEvent.ps1” -AlertID “$Data[Default=’NotPresent’]/Context/DataItem/AlertId$” -AlertName “$Data[Default=’NotPresent’]/Context/DataItem/AlertName$” -AssignmentGroup “JustinTime System Admin” -Team SYM

Startup folder for the command line:

C:\MonAdmin\SCRIPTS

Click Finish

Create new channel for New-SNowIncident.ps1

Grab file from GitHub repository https://github.com/theKevinJustin/New-SNOWIncidents

As needed, save New-SNowIncident file as .ps1 on SCOM MS’s

Design recommendation

Create multiple command channels depending on assignment group and team(s) to pass these variables to the script.

NOTE path to setup channel execution, AssignmentGroup, and Team variables

Configure ‘TEST SNOW Event Creation’ SCOM Notification command channel

NOTE Use these steps to create multiple command channels, as the AssignmentGroup and Team may differ depending on Application Owners

SCOM Navigation steps:

Click on Administration Tab > Notifications > Channels

Click New

Name

TEST SNOW Event Creation

Description

C:\MonAdmin\Scripts\New-SNowEvent.ps1 Outputs 711 Events into Operations Manager event log.

Specific Subscription details: +CRITERIA = ALL Alerts +SUBSCRIBER = CHANNEL New-SNowEvent.ps1 via POWERSHELL +CHANNEL ServiceNow SNOW Event Creation Channel

New-SNOWEvent.ps1 command channel creates ServiceNow SNOW events for alerts and incidents.

This channel will also update the SCOM alert TicketID, Owner, ResolutionState to modify SCOM alert with SNOW information, or information passed in SNOW event.

See blog for more details https://kevinjustin.com/blog/2024/03/27/servicenow-event-integration/

Click on Settings

Full path of Command file:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe

Command line parameters

Startup folder for the command line:

C:\MonAdmin\SCRIPTS

Click Finish

Configure SCOM Subscribers

Read the ‘Configure SCOM Subscribers’ blog to build out the SNOW subscribers for multiple PowerShell command channels. Create subscribers according to design requirements.

CHANNEL New-SNowEvent.ps1 via POWERSHELL

Follow the screenshots and fill in the wizard per the steps below.

Subscriber Name:

CHANNEL New-SNowEvent.ps1 via POWERSHELL

Click Next

SCOM subscriber wizard to Configure SCOM Subscribers - New-SNowEvent subscriber wizard — SCOM subscriber wizard to Configure SCOM Subscribers – New-SNowEvent subscriber wizard

Verify ‘always’ radio button is selected

NOTE If notifications required during specific times, configure as needed

Click Next

SCOM subscriber wizard - New-SNowEvent for Schedule radio button — SCOM subscriber wizard – New-SNowEvent for Schedule radio button

Type SnowEvent in Address name: text box

Click Next

SCOM Subscriber New-SNowEvent Address field in wizard

Change ‘Channel Type’ dropdown to Command

Select ‘ServiceNow SNOW Event Creation Channel’ Command Channel from dropdown

Click Next

SCOM Subscriber wizard - New-SNowEvent Channel drop down details — SCOM Subscriber wizard – New-SNowEvent Channel drop down details

On the Schedule tab, click Finish

SCOM Subscriber wizard - New-SNowEvent Schedule tab > Always send radio button — SCOM Subscriber wizard – New-SNowEvent Schedule tab > Always send radio button

Click Finish again to complete subscriber

SCOM Subscriber wizard - Suscriber final Finish window — SCOM Subscriber wizard – Suscriber final Finish window

Repeat steps to ‘Configure additional ‘SCOM Subscribers’

CHANNEL Test LogAlert.ps1 SCOM Command Channel via POWERSHELL

Optional create subscriber, depending on design requirements

CHANNEL Test New-SNowIncident.ps1 SCOM Command Channel via POWERSHELL

Additional Documentation to Create SCOM subscribers

SCOM2019 https://learn.microsoft.com/en-us/system-center/scom/manage-notifications-create-subscriptions?view=sc-om-2022

SCOM2022 https://learn.microsoft.com/en-us/system-center/scom/manage-notifications-create-subscriptions?view=sc-om-2022

Create SCOM Command Channels

Time to update SCOM, specifically to ‘create SCOM Command Channels’, then subscribers, and subscriptions. Depending on requirements, create multiple channels within SCOM.

Save .ps1 file(s) to SCOM MS

LogAlert.ps1 to verify SCOM notification account

New-SNowEvent.ps1 to inject events into ServiceNow

New-SNowIncident.ps1 to inject incidents into ServiceNow

Save LogAlert.ps1

Create Command channel script and save to SCOM MS(s)

From Kevin Holman blog https://kevinholman.com/2021/08/25/what-account-will-command-channel-notifications-run-as-in-scom/

Open in (notepad/notepad++/VSCode, PowerShell ISE) editor, paste the following:

param($AlertID, $AlertName, $AlertDescription, $Severity, $ResolutionState, $ManagedEntityPath, $ManagedEntityDisplayName, $ManagedEntityFullName, $ManagedEntity, $CreatedByMonitor, $WorkflowId, $DataItemCreateTimeLocal, $WebConsoleUrl)

$ScriptName = “logalert.ps1”

$EventID = “710”

$whoami = whoami

$momapi = New-Object -comObject MOM.ScriptAPI

# Begin logging script starting into event log

write-host “Script is starting. `n Running as ($whoami).”

$momapi.LogScriptEvent($ScriptName,$EventID,0,”Script is starting. `n Running as ($whoami).”)

#Log script event that we are starting task

$momapi.LogScriptEvent($ScriptName,$EventID,0,”Script is starting. `nRunning as ($whoami). `nAlertID: ($AlertID) `nAlertName: ($AlertName) `nAlertDescription:($AlertDescription) `nSeverity:($Severity) `nResolutionState: ($ResolutionState) `nManagedEntityPath: ($ManagedEntityPath) `nManagedEntityDisplayName: ($ManagedEntityDisplayName) `nManagedEntityFullName: ($ManagedEntityFullName) `nManagedEntity: ($ManagedEntity) `nCreatedByMonitor: ($CreatedByMonitor) `nWorkFlowId: ($WorkflowId) `nDataItemCreateTimeLocal: ($DataItemCreateTimeLocal) `nWebConsoleURL: ($WebConsoleUrl)”)

write-host “LogAlert.ps1 script logging SCOM Notification channel account whoami = $($whoami)” >> C:\MonAdmin\scripts\TestOutputChannel.txt

Save content as LogAlert.ps1 on SCOM MS’s

NOTE path to setup channel execution

Save New-SNowEvent.ps1

Create Command channel script and save to SCOM MS(s)

Grab file from GitHub repository https://github.com/theKevinJustin/New-SNowEvent

As needed, save New-SNowEvent file as .ps1 on SCOM MS’s

Save New-SNowIncident.ps1

Depending on design requirements, grab file from GitHub repository https://github.com/theKevinJustin/New-SNOWIncidents

As needed, save New-SNowIncident file as .ps1 on SCOM MS’s

Configure ‘Test LogAlert.ps1 SCOM Command Channel’

This command channel helps admins determine variables possible to pass to PowerShell script(s).

SCOM Navigation steps:

Click on Administration Tab > Notifications > Channels

Click New

Name

Test LogAlert.ps1 SCOM Command Channel

Description

Test LogAlert.ps1 SCOM Command Channel using Holman’s blog https://kevinholman.com/2021/08/25/what-account-will-command-channel-notifications-run-as-in-scom/

Full path of the command file:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe

Command line parameters:

-executionPolicy bypass -noprofile -file “C:\MonAdmin\scripts\LogAlert.ps1” -AlertID “$Data[Default=’NotPresent’]/Context/DataItem/AlertId$” -AlertName “$Data[Default=’NotPresent’]/Context/DataItem/AlertName$” -AlertDescription “$Data[Default=’NotPresent’]/Context/DataItem/AlertDescription$” -Severity “$Data[Default=’NotPresent’]/Context/DataItem/Severity$” -ResolutionState “$Data[Default=’NotPresent’]/Context/DataItem/ResolutionState$” -ManagedEntityPath “$Data[Default=’NotPresent’]/Context/DataItem/ManagedEntityPath$” -ManagedEntityDisplayName “$Data[Default=’NotPresent’]/Context/DataItem/ManagedEntityDisplayName$” -ManagedEntityFullName “$Data[Default=’NotPresent’]/Context/DataItem/ManagedEntityFullName$” -ManagedEntity “$Data[Default=’NotPresent’]/Context/DataItem/ManagedEntity$” -CreatedByMonitor “$Data[Default=’NotPresent’]/Context/DataItem/CreatedByMonitor$” -WorkflowId “$Data[Default=’NotPresent’]/Context/DataItem/WorkflowId$” -DataItemCreateTimeLocal “$Data[Default=’NotPresent’]/Context/DataItem/DataItemCreateTimeLocal$” -WebConsoleUrl “$Target/Property[Type=”Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer”]/WebConsoleUrl$?DisplayMode=Pivot&AlertID=$UrlEncodeData/Context/DataItem/AlertId$”

Startup Folder for Command Line:

C:\MonAdmin\SCRIPTS

Click Finish

Configure ‘ServiceNow SNOW Event Creation Channel’

SNOW Event command channel injects ServiceNow SNOW events, with logic to check for alert, incident, then update the SCOM alert TicketID, Owner, ResolutionState based on runtime.

SCOM Navigation steps:

Click on Administration Tab > Notifications > Channels

Click New

Name

ServiceNow SNOW Event Creation Channel

Use New-SNowEvent.ps1 to create SCOM subscription that creates SNOW incidents, then updates SCOM alert with TicketID, Owner, Resolution State for SCOM alert.

Full path of the command file:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe

Command line parameters:

Startup Folder for Command Line:

C:\MonAdmin\SCRIPTS

Click Finish

Configure ‘ServiceNow SNOW Incident creation channel’

This command channel helps admins determine variables possible to pass to PowerShell script(s).

SCOM Navigation steps:

Click on Administration Tab > Notifications > Channels

Click New

Name

ServiceNow SNOW Incident creation channel

Use New-SNowIncident.ps1 to create SCOM subscription that creates SNOW incidents, then updates SCOM alert with TicketID, Owner, Resolution State for SCOM alert.

Full path of the command file:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe

Command line parameters:

-executionPolicy bypass -noprofile -file “C:\MonAdmin\scripts\New-SNowIncident.ps1” -AlertName “$Data[Default=’Not Present’]/Context/DataItem/AlertName$” -AlertID “$Data[Default=’NotPresent’]/Context/DataItem/AlertId$” -Impact 4 -Urgency 4 -Priority 3 -AssignmentGroup “RCC-C – System Admin” -BusinessService SYSMAN -Category “SYSMAN Support” -SubCategory Repair -Channel Direct

Startup Folder for Command Line:

C:\MonAdmin\SCRIPTS

Click Finish

Test SNOW script

Time to ‘Test SNOW script’ for event or incident injection. As long as the prerequisites are verified, to include network connectivity, URL, ID, Password, etc., we’re ready to go!

Once the CredentialManager piece has been completed, by the same token you can begin testing the script. Testing can begin, whether to the SCOM Admin SA account, or to the SCOM Notifications account, or even hard coding the values into your PowerShell session.

Begin script testing

The testing leverages that you’ve downloaded various integration scripts first, then being saved on SCOM MS (management servers). The following blog posts, GitHub repo’s will set up multiple methods to test from PowerShell (command line) as SA or SVC accounts.

Create new SCOM Command Channels

LogAlert.ps1 from Kevin Holman’s blog https://kevinholman.com/2021/08/25/what-account-will-command-channel-notifications-run-as-in-scom/

New-SNowEvent GitHub repository https://github.com/theKevinJustin/New-SNowEvent

New-SNowIncident.ps1 GitHub repository https://github.com/theKevinJustin/New-SNOWIncidents

Once files are saved, copy to SCOM MS (noting path for later tests).

Preferred choice is non-system disk (i.e. D:)

Lab example is C:\MonAdmin\Scripts

RDP to server with SVC or SCOM Admin SA account

Open PowerShell as administrator

Change directory to script directory on SCOM MS

cd \ ; cd MonAdmin/scripts

Inventory saved files via dir (gci):

gci New-SNOW[ie]*.ps1

gci LogAlert.ps1

Grab Critical alert from $Alerts array

$Alerts = get-scomalert -ResolutionState 0 -severity 2

# Test warning events with Severity 1

# $Alerts = get-scomalert -ResolutionState 0 -severity 1

$AlertID = $Alerts[0].ID

$AlertName = $Alerts[0].Name

$AssignmentGroup = “JustinTime Infra”

PowerShell SCOM alert variables assumed for script to run from PowerShell

Test script supplying variables

.\New-SNowEvent.ps1 -AlertID $AlertID -AlertName $AlertName -AssignmentGroup $AssignmentGroup -Team SYM

.\New-SNowIncident.ps1 -AlertID $AlertID -AlertName $AlertName -AssignmentGroup $AssignmentGroup -Team SYM

New-SNOWEventPowerSHellOutput for REST Event injection.

Verify SCOM alert updated for ServiceNow REST injection

Check SCOM console/web console for SCOM alert updates to ResolutionState, TicketID, Owner fields, where TEAM = SYM, and Assignment Group = JustinTime Infra specified

SCOM Monitoring tab Active Alerts output view showing Owner, ResolutionState, and TicketId fields updated.

Be aware of issues

Indicator of Certificate/trust issue

Invoke-RestMethod error seen when organization cert not installed, making server sending REST injection NOT trusted.

Indicator when SNOW alert rule not configured or matching – excessive retry’s. Also note output shows summary of tests, ServiceNow SNOW detail, and SCOM alert updates.

New-SNOWEvent.ps1 failures when SNOW Alert rule not matching or created.

Logging to Operations Manager Event Log for addtional troubleshooting or debug. Unless otherwise updated, the script logs to the ‘Operations Manager’ event log, EventID = 710-712

Single Starting event indicates failed pre-requisite (pre-req NOT met)

SCOM OperationsManager events logging integration script status, as well as whoami and additional debug.

Additional information

ServiceNow Event integration

ServiceNow Incident Integration

Setup SCOM Notifications account

With domain joined machine, use a separate notification services svc account for notifications. SCOM is typically leverages MSAA, or even local system, depending on the accounts used when building out SCOM. Kevin Holman did an excellent job blogging this here

Verify SCOM notification account

Verify and ‘Setup SCOM Notifications account’ to separate notifications outside typical SCOM service SVC account functionality. Also, separating allows CredentialManager to secure, encrypt, and store credentials used by the notification account. Time to verify!

RDP to SCOM MS using notification account.

Open SCOM Console

Click on Administration tab

Expand Run As Configuration

Click on Accounts

Search for notification

Double click on Notifications account

Click on Credentials tab

Verify account being used, in light of CredentialManager piece storing SNOW ID and account.

NOTE Account should be part of SCOM Admins AD group

SCOM console view of Notifications SVC Account

SCOM Notifications Event Log troubleshooting

Knowing the notifications account will aid with SNOW integration scripts, as well as help log whoami, ‘run as’ logging to the ‘Operations Manager’ event log. The specific test and event or incident scripts leverage EventID’s 710-712. 710 for LogAlert.ps1, 711 for New-SNowEvent.ps1, and 712 for New-SNowIncident.ps1.

Single Starting event indicates failed pre-requisite (pre-req NOT met)

Additional SCOM Notifications documentation

Learn articles

SCOM2019 https://learn.microsoft.com/en-us/system-center/scom/manage-notifications-create-configure?view=sc-om-2019

SCOM2022 https://learn.microsoft.com/en-us/system-center/scom/manage-notifications-create-configure?view=sc-om-2022

Additional blog posts explaining ServiceNow connectivity

Options https://kevinjustin.com/blog/2024/05/24/lots-of-options-to-create-servicenow-incidents-through-powershell-scripts-connectors-and-3rd-party-vendors/

PreReqs https://kevinjustin.com/blog/2024/05/30/snow-rest-integration-prerequisites/
Network and Credential https://kevinjustin.com/blog/2024/05/30/snow-rest-connectivity/

Event Integration https://kevinjustin.com/blog/2024/03/27/servicenow-event-integration/

Incident Integration https://kevinjustin.com/blog/2024/03/27/servicenow-incident-integration/

ServiceNow Connector https://kevinjustin.com/blog/2024/04/30/servicenow-connector-for-scom/

SNOW REST integration prerequisites

Did you know –

These PowerShell scripts allow organizations to specify which alerts/events that need to go to ITSM tool.

Does not matter to the tool, whether Broadcom (Spectrum/DXOI), SolarWinds, MECM/MEM/MCM, SCOM

Pretty much ANY tool that can leverage PowerShell scripts and/or REST calls can utilize this script.

The following ServiceNow ‘SNOW REST integration prerequisites’ are required before proceeding.

TEST/PROD ServiceNow (SNow) URL(s)

Password

Incident short_description naming convention

ServiceNow SNOW Alert rule (to make events create incidents)

ServiceNow SNOW Incidents require additional variables to match ServiceNow selections

SNOW Incident short_description field is the title of the incident

Pre-define this in the SNOW REST Event/incident injection, to meet organizational naming conventions

Description can be additional details about the issue to be investigated, resolved.

SNOW Incident short_description, description fields

Examples of short_description titles

# Setup SNOW Event Name standard

Example SNOWAlertName

$SNOWAlertName = “<Org> <Team> SCOM Test Event – $Alert”

Example SNOWAlertName

$SNOWAlertName = “<Team> <ORG> SCOM Event – $AlertName”

Example SNOWAlertName

$SNOWAlertName = “<Team> <ORG> SCOM $AlertName”

Example SNOWAlertName

$SNOWAlertName = “##CUSTOMER## ##TEAM## SCOM Event – $AlertName”

Example SNOWAlertName

$SNOWAlertName = “##TEAM## ##CUSTOMER##: SCOM – $AlertName”

Example SNOWAlertName

$SNOWAlertName = “##TEAM## ##CUSTOMER##: SPECTRUM – $AlertName”

Example SNOWAlertName

$SNOWAlertName = “##TEAM## ##CUSTOMER##: SOLARWINDS – $AlertName”

SNOW Incident fields

Direct Incident REST injection requires additional fields, such as caller, business_service, category, subcategory, channel, impact, urgency, priority, assignment_group

Additional information

REST/RESTAPI https://www.techtarget.com/searchapparchitecture/definition/RESTful-API

SNOW Utah Connector https://docs.servicenow.com/bundle/utah-it-operations-management/page/product/event-management/task/t_EMConfigureSCOMConnector.html

Additional blogs showing scope and options using ServiceNow for ITSM tool

https://kevinjustin.com/blog/2024/03/27/servicenow-event-integration/

https://kevinjustin.com/blog/2024/03/27/servicenow-incident-integration/

https://kevinjustin.com/blog/2024/04/30/servicenow-connector-for-scom/

https://kevinjustin.com/blog/2024/05/24/lots-of-options-to-create-servicenow-incidents-through-powershell-scripts-connectors-and-3rd-party-vendors/

Create ServiceNow incidents from SCOM

Been working to ‘Create ServiceNow incidents from SCOM’ with Joe Kelly (Joe’s LinkedIn), Steven Brown (Steven’s LinkedIn), and Tim Fields (Tim’s LinkedIn). Over the past few months, we’ve found quite a few methods available, some free, some with cost. All methods are built on ServiceNow (SNow) REST commands. The resulting PowerShell scripts can do most of the heavy lifting for other Tools like SolarWinds, vCenter, vRealize, Zabbix, SAP manager, Kafka, Nagios, HP OpenView.

Last month’s blog showcased the ServiceNow API/Connector for SCOM

ServiceNow Connector for SCOM

Depending on your customer use cases, this may not be the preferred choice.

One SNOW flavor is like NetCool, where you inject ALL SCOM alerts into ITSM tool (i.e. SNOW events). Another flavor allows you to create a group of objects which will inject SNOW events.

What if you only want incidents for a small subset, and don’t want to wait on SNOW team?

We got that covered.

What if SNOW team wants events only, how can you create an incident?

We got that covered.

ServiceNow connector options:

Inject SNOW incident from SCOM (direct) https://github.com/theKevinJustin/New-SNOWIncidents

Inject SNOW event (requires SNOW alert rules to process alert to incident) https://github.com/theKevinJustin/New-SNowEvent

SNOW SCOM connector

1. Send all SCOM alerts to SNOW as events
2. Send specific SCOM group of objects to SNOW as events

3^rd party options

1. 1. OpsLogix SCOM ServiceNow connector (costs) https://www.opslogix.com/servicenow-incident-connector
  2. Cookdown SNOW incident connector https://www.cookdown.com/blog/how-to-build-a-servicenow-incident-connector-for-scom download MP https://www.cookdown.com/servicenow-monitoring-mp#download
  3. Tim McFadden SCOM ServiceNow connector https://www.scom2k7.com/introducing-the-scom-to-servicenow-connector/ (unsure if Tim still supports this)

Stay tuned…

Next steps are to build out the SCOM command execution channel using Holman’s blog https://kevinholman.com/2021/08/25/what-account-will-command-channel-notifications-run-as-in-scom/

ServiceNow Incident Integration

Time to integrate your Monitoring tools to ITSM tool. First, this blog post documents ‘ServiceNow Incident integration’. Second, let’s explain the common acronym in my experience is SNOW/SNow. Third, some background – ServiceNow has been around for some time as an Information Technology Service Management (ITSM), and discovery tool. As a SaaS solution, companies can purchase a subscription and integrate tools via RESTAPI to create/update/close events or incidents.

First, let’s begin to discuss SCOM notification methods. SCOM2022 adds a new capability with Teams integration. Second, most people are familiar with notification methods leveraging Email (html or not), perhaps SMS, but not so much command channel, calling some script in shell, PowerShell, etc. Generally, the command channel is basically a post processing script capability to execute notifications. Third, example tools where command channel might be used – BMC BEM (BMC Event Manager), BMC Remedy, xMatters, DerDack; SNOW integration within SCOM, using notification channels. Lastly, SaaS solutions (vendors like xMatters, and ServiceNow) allow RESTAPI crafted requests to take actions.

SNOW prerequisites

1) ServiceNow User/Password (or API key)

2) SNOW RESTAPI PowerShell needs to securely access credentials

For the Incident PowerShell, we store Credentials within Windows Credential Manager

3) Network connectivity to SaaS provider (use test-netconnection from SCOM MS to test connectivity over whatever port(s) vendor requires.

ServiceNow CallerID GUID

4) Production and Test URL’s (also required for network connectivity tests)

5) Access to SNOW UI to verify required fields and values for the script parameters.

Update incident script and begin testing.

Download script from GitHub repo https://github.com/theKevinJustin/SCOM-SNOWIncidents

Download script, and copy to monitoring repository

Copy to SCOM management servers (MS)

NOTE Path, to run from management server

Update script, with pre-reqs above –

Credential Manager stored ID

For more detail, look at parameter examples below to verify UI.

Update with customer/ServiceNow SNOW subscription specific values:

##Company## (customize SNOW short_description)

##Team## (customize SNOW short_description)$Channel = “Direct”
$ServiceNowURL=”https://##ServiceNowURL##/api/now/table/incident”
#$Proxy = “##CustomerProxyURL##”
$CallerID = “##GUID##”

# Test New-SNOWIncident.ps1

# Depending on how you want to randomly choose an incident

Lab example

$Alerts = get-scomalert -resolutionstate 0 | where { $_.Name -like “System Center*” }

Gather Critical, New alerts

$Alerts = get-scomalert -ResolutionState 0 -severity 2

Debug for warning alerts

$Alerts = get-scomalert -ResolutionState 0 -severity 1

# Debug

$Alerts[0] | fl ID,Name,Description,Severity,MonitoringObjectDisplayName

.\New-SNOWIncident.ps1 -AlertName $Alerts[0].Name -AlertID $Alerts[0].ID -Impact 4 -Urgency 4 -Priority 3 -AssignmentGroup “System Admin” -BusinessService “System Management” -Category Support -SubCategory Repair -Channel Direct

Example output

PS C:\Users\scomadmin\Desktop> .\New-SNOWIncident.ps1 -AlertName $Alert.Name -AlertID $Alert.ID -Impact 4 -Urgency 4 -Priority 3 -AssignmentGroup “System Admin” -BusinessService “System Management” -Category Support -SubCategory Repair -Channel Direct

TEST ServiceNow URL specified.

CredentialManager PoSH Module Installed, ModuleBase = C:\Program Files\WindowsPowerShell\Modules\CredentialManager\2.0

The System Center Management Health Service 5E04F804-8B71-6EB6-0101-DCBB58022498 running on host 16DB02.testlab.net and s

erving management group with id {E39F5F53-9FBB-9D7F-4BFE-5F0324630AE5} is not healthy. Some system rules failed to load.

16DB02

Warning

impact 4

urgency 4

priority 3

ServiceNow Credential NOT stored on server

Deciding ‘Event Collection vs. Alert’ rule

Question example of two cartoon people discussing something. Both have thought bubble cartoons looming overhead.

Ever run through an event log scenario deciding ‘event collection vs. alert rule’ is the way to filter out the needle from the haystack? There’s a few ways to do this with Monitoring tools. If you’re cloud centric, a KQL query (assuming you’re collecting the event logs, if you’re using Operations Manager (SCOM), there’s a few ways to consume the events. SCOM ACS is basically a DB for collecting Security events, and typically is an unused feature in SCOM by most customers. Kevin Holman’s had many blog posts for ACS, testing the filter, as well as a management pack (MP) fragment (blog here, GitHub fragment library here).

Let’s walk through criteria deciding ‘event collection vs. alert rule’:

Do the event(s) happen often? If so, how often?
Can you filter the event description to limit the amount of gathered event?
Do you need match count or samples before action required? (i.e. count x events in y time)
Is there a regulatory or compliance requirement to collect every event?
Is this something you want to visualize with PowerBI?
For better visualizations, would the EventID help view/sort data in a tabular output? i.e. Think PowerShell property) as well as TimeRaised/TimeGenerated, and Event Description

Example – DC Security events

When there is a regulatory requirement to collect events, we need to decide ‘event collection vs. alert rule, and IF we can filter for specific pieces of the event. Holman has examples of alert parameters, and dynamic data, which are very useful to get the needles out of the haystacks. Depending on your goals, use event parameters, or leverage CustomFields in the alert to build required fields.

Depending on the requirements, event collection is useful to collect related EventID’s with RegularExpressions. Use Event rules WHEN action is required. Leverage Regular expressions help filter what we collect (via event collection or alert rule. By extension, utilize CustomFields in the alerts to help the presentation or SQL query towards a PowerBI report.

Let’s talk about regular expressions examples for rules (or monitors)

MatchesRegularExpression

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type=”String”>EventDescription</XPathQuery>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(Security ID:.*admin*)|^(Security ID:.*[des]a*)$</Pattern>
</RegExExpression>
</Expression>

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type=”UnsignedInteger”>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005BooleanRegularExpression</Operator>
<Pattern>^(4625|4740)$</Pattern>
</RegExExpression>
</Expression>

Contains example

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type=”String”>EventDescription</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>Proactive DailyTasks ADDS Monitors close automation for</Pattern>
</RegExExpression>
</Expression>

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type=”String”>Params/Param[2]</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>dnsserver</Pattern>
</RegExExpression>
</Expression>

DoesNotContain example

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type=”String”>EventDescription</XPathQuery>
</ValueExpression>
<Operator>DoesNotContainSubstring</Operator>
<Pattern>None</Pattern>
</RegExExpression>
</Expression>

Holman MP Fragment example of specific EventID:

<Rule ID=”Rule.StateChangeAlerts” Enabled=”true” Target=”SCOMMagementServer.Class” ConfirmDelivery=”true” Remotable=”true” Priority=”Normal” DiscardLevel=”100″>
<Category>EventCollection</Category>
<DataSources>
<DataSource ID=”DS” TypeID=”Windows!Microsoft.Windows.EventCollector”>
<ComputerName>$Target/Host/Property[Type=”Windows!Microsoft.Windows.Computer”]/NetworkName$</ComputerName>
<LogName>TestAPP</LogName>
<AllowProxying>false</AllowProxying>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type=”UnsignedInteger”>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type=”UnsignedInteger”>600</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type=”String”>PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type=”String”>APP Test Log Monitoring</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID=”CollectToDB” TypeID=”SC!Microsoft.SystemCenter.CollectEvent” />
<WriteAction ID=”CollectToDW” TypeID=”SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData” />
</WriteActions>
</Rule>

Lastly, let’s talk about the use of CustomFields to add additional data to the alert, but NOT in the event description (Holman’s blog here)

For the tabular view of alert data (from PowerShell as with SQL query of Alerts view, we might need to display the data, such as EventDisplayNumber, TimeRaised, Message, (alternate is Parameters, or UnformattedDescription). Additionally, check alert output details, from the SCOM MS in PowerShell via get-SCOMAlert -name “MonitorDisplayNameHere” | fl | more

Leverage Custom Fields to add

EventID $Data/EventDisplayNumber$

Event Category $Data/EventCategory$

Happy Authoring!

Additional links

How to collect events – but not ALL the events?

https://learn.microsoft.com/en-us/answers/questions/69667/scom-event-collection-rule

Positive SSL by Comodo SSL

Verify OMS Managed Computers

Ever wondered what objects are setup for OMS?

Maybe you’ve seen lots of errors on servers you don’t expect ?

It’s possible someone chose a group or nearly all managed computers in your SCOM environment.

How do we verify, or change what computers send data to OMS from SCOM?

1) Look for a group
In SCOM console, monitoring tab

Look for the ‘advisor’ group
Maybe someone put a group in there

2) Verify OMS members

In the SCOM console, Administration tab
Click on Managed Computers
See middle pane for what is currently set up

Update OMS Managed computers

In the SCOM console, Administration tab
Click on Managed Computers
See middle pane for what is currently set up

Click the ‘Add a computer/group’ link on the tasks pane (right side)

Add computers or groups

Add keyword, click search, highlight and click Add

Click OK when done updating members

Optionally, highlight the member, click delete

Verify the Advisor MP’s on computer

Go to server (added or removed)

If added, look for 1201 events in the Operations Manager Log

If removed, look for 1204 events in the Operations Manager Log

Enjoy!!

Configure ‘TEST Holman’s Command Channel’ subscription

SCOM Navigation steps:

Configure New-SNOWEvent command channel in SCOM

Configure ‘TEST SNOW Event Creation’ SCOM Notification command channel

SCOM Navigation steps:

Create new channel for New-SNowIncident.ps1

Configure ‘TEST SNOW Event Creation’ SCOM Notification command channel

SCOM Navigation steps:

CHANNEL New-SNowEvent.ps1 via POWERSHELL

Additional Documentation to Create SCOM subscribers

Save .ps1 file(s) to SCOM MS

Save LogAlert.ps1

Save New-SNowEvent.ps1

Save New-SNowIncident.ps1

Configure ‘Test LogAlert.ps1 SCOM Command Channel’

SCOM Navigation steps:

Configure ‘ServiceNow SNOW Event Creation Channel’

SCOM Navigation steps:

Configure ‘ServiceNow SNOW Incident creation channel’

SCOM Navigation steps:

Begin script testing

Create new SCOM Command Channels

Verify SCOM alert updated for ServiceNow REST injection

Be aware of issues

Additional information

Verify SCOM notification account

SCOM Notifications Event Log troubleshooting

Additional SCOM Notifications documentation

SNOW Incident short_description field is the title of the incident

Examples of short_description titles

SNOW Incident fields

Additional information

Last month’s blog showcased the ServiceNow API/Connector for SCOM

Depending on your customer use cases, this may not be the preferred choice.

ServiceNow connector options:

Stay tuned…

SNOW prerequisites

Update incident script and begin testing.

# Test New-SNOWIncident.ps1

Let’s walk through criteria deciding ‘event collection vs. alert rule’:

Example – DC Security events

Holman MP Fragment example of specific EventID:

Leverage Custom Fields to add

1) Look for a group In SCOM console, monitoring tab

2) Verify OMS members

Verify the Advisor MP’s on computer

1) Look for a group
In SCOM console, monitoring tab