Deciding ‘Event Collection vs. Alert’ rule


Ever run through an event log scenario where deciding ‘event collection vs. alert rule’ is the way to filter the needle from the haystack? There are a few ways to do this with monitoring tools. If you’re cloud centric, a KQL query works (assuming you’re collecting the event logs); if you’re using Operations Manager (SCOM), there are a few ways to consume the events. SCOM ACS is basically a DB for collecting Security events, and is typically an unused feature in SCOM for most customers. Kevin Holman has had many blog posts on ACS, on testing the filter, as well as a management pack (MP) fragment (blog here, GitHub fragment library here).


Let’s walk through the criteria for deciding ‘event collection vs. alert rule’:

  1. Do the event(s) happen often? If so, how often?
  2. Can you filter on the event description to limit the number of gathered events?
  3. Do you need a match count or samples before action is required? (i.e. count x events in y time)
  4. Is there a regulatory or compliance requirement to collect every event?
  5. Is this something you want to visualize with PowerBI?
  6. For better visualizations, would the EventID help view/sort data in a tabular output (think PowerShell property), as well as TimeRaised/TimeGenerated and Event Description?

 

Example – DC Security events

When there is a regulatory requirement to collect events, we need to decide ‘event collection vs. alert rule’, and IF we can filter for specific pieces of the event. Holman has examples of alert parameters and dynamic data, which are very useful for getting the needles out of the haystacks. Depending on your goals, use event parameters, or leverage CustomFields in the alert to build the required fields.

 

Depending on the requirements, event collection is useful for collecting related EventIDs with regular expressions. Use event (alert) rules WHEN action is required. Regular expressions help filter what we collect (via event collection or alert rule). By extension, utilize CustomFields in the alerts to help the presentation or the SQL query behind a PowerBI report.

 

Let’s look at regular expression examples for rules (or monitors).

 

MatchesRegularExpression

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">EventDescription</XPathQuery>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(Security ID:.*admin*)|^(Security ID:.*[des]a*)$</Pattern>
</RegExExpression>
</Expression>

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005BooleanRegularExpression</Operator>
<Pattern>^(4625|4740)$</Pattern>
</RegExExpression>
</Expression>

 

Contains example

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">EventDescription</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>Proactive DailyTasks ADDS Monitors close automation for</Pattern>
</RegExExpression>
</Expression>

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[2]</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>dnsserver</Pattern>
</RegExExpression>
</Expression>

 

DoesNotContain example

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">EventDescription</XPathQuery>
</ValueExpression>
<Operator>DoesNotContainSubstring</Operator>
<Pattern>None</Pattern>
</RegExExpression>
</Expression>
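Before a pattern goes into an MP, it is worth knowing two things the criteria list above asks for: how many events per hour the raw log produces, and how many survive the filter. The following is an added example (not code from the original post or from Holman’s fragments) that runs the post’s own patterns over a few constructed event records using the same .NET regex engine SCOM uses for MatchesRegularExpression, and prints events per hour before and after filtering. The event records, the Test-ScomExpression and Get-EventsPerHour helpers, and the property names TimeCreated/Id/Description are this example’s own; swap in Get-WinEvent output from a real DC to measure your environment. The EventID pattern is treated here as an ordinary .NET regex, whereas the post’s XML applies it with MatchesMOM2005BooleanRegularExpression.

```powershell
# Added example, not from the original post. Constructed sample events;
# TimeCreated/Id/Description stand in for the SCOM XPath fields
# EventDisplayNumber and EventDescription.
$events = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 08:00:05'; Id = 4625; Description = 'Security ID: CONTOSO\jdoe' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 08:00:09'; Id = 4625; Description = 'Security ID: CONTOSO\sqladmin' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 08:01:30'; Id = 4624; Description = 'Security ID: CONTOSO\svc_backup' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 08:02:00'; Id = 4740; Description = 'Security ID: CONTOSO\jdoe' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 09:15:00'; Id = 4625; Description = 'Security ID: NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 09:20:00'; Id = 1001; Description = 'Proactive DailyTasks ADDS Monitors close automation for DC01' }
)

function Test-ScomExpression {
    # Mirrors one <RegExExpression> block: a field, an operator and a pattern.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $Property,
        [Parameter(Mandatory)] [ValidateSet('MatchesRegularExpression','ContainsSubstring','DoesNotContainSubstring')]
        [string] $Operator,
        [Parameter(Mandatory)] [string]   $Pattern
    )
    foreach ($e in $Events) {
        $value = [string] $e.$Property
        $hit = switch ($Operator) {
            'MatchesRegularExpression' { $value -match $Pattern }   # case-insensitive; use -cmatch for case-sensitive
            'ContainsSubstring'        { $value.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
            'DoesNotContainSubstring'  { $value.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -lt 0 }
        }
        if ($hit) { $e }
    }
}

function Get-EventsPerHour {
    # Buckets events by hour: the "how often?" number from the criteria list.
    param([object[]] $Events)
    $Events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        ForEach-Object { [pscustomobject]@{ Hour = $_.Name; Count = $_.Count } } |
        Sort-Object Hour
}

# Patterns exactly as they appear in the post's XML.
$idPattern   = '^(4625|4740)$'
$descPattern = '^(Security ID:.*admin*)|^(Security ID:.*[des]a*)$'

# Same order as an <And> of the two expressions: EventID first, then description.
$byId   = @(Test-ScomExpression -Events $events -Property Id          -Operator MatchesRegularExpression -Pattern $idPattern)
$needle = @(Test-ScomExpression -Events $byId   -Property Description -Operator MatchesRegularExpression -Pattern $descPattern)

'Unfiltered volume:';            Get-EventsPerHour $events | Format-Table -AutoSize
'After EventID filter:';         Get-EventsPerHour $byId   | Format-Table -AutoSize
'After EventID + description:';  Get-EventsPerHour $needle | Format-Table -AutoSize
$needle | Format-Table TimeCreated, Id, Description -AutoSize
```

If the last table is still hundreds of rows an hour, that is a collection rule (or a consolidated alert with a count-in-time condition); if it is a handful of rows that each need someone to act, that is an alert rule. The sample descriptions also make visible what a pattern such as `[des]a*$` really matches, which is easier to judge here than after the MP is imported.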

Holman MP Fragment example of specific EventID:

<Rule ID="Rule.StateChangeAlerts" Enabled="true" Target="SCOMMagementServer.Class" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventCollector">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>TestAPP</LogName>
<AllowProxying>false</AllowProxying>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">600</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">APP Test Log Monitoring</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="CollectToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent" />
<WriteAction ID="CollectToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData" />
</WriteActions>
</Rule>

 

Lastly, let’s talk about the use of CustomFields to add data to the alert that is NOT in the event description (Holman’s blog here).

For the tabular view of alert data (from PowerShell, as with a SQL query of the Alerts view), we might need to display data such as EventDisplayNumber, TimeRaised and Message (alternatives are Parameters or UnformattedDescription). Additionally, check the alert output details from the SCOM MS in PowerShell via get-SCOMAlert -name "MonitorDisplayNameHere" | fl | more

 

Leverage Custom Fields to add:

EventID           $Data/EventDisplayNumber$
Event Category    $Data/EventCategory$
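Once the rule writes those two values into custom fields, the tabular view the post describes is a short PowerShell function. The following is an added example (not code from the original post): it pulls the alerts raised by one rule, takes EventID and Event Category from the custom fields, falls back to the event DataItem in the alert Context when the fields are empty, and flattens everything into rows for Format-Table or a CSV for PowerBI. It assumes it runs on a management server with the OperationsManager module loaded, that the rule maps $Data/EventDisplayNumber$ to CustomField1 and $Data/EventCategory$ to CustomField2 (the field numbers are this example’s choice, not the post’s), and that the rule display name and output path are placeholders to replace.

```powershell
# Added example, not from the original post. Assumes the SCOM cmdlets are
# available (management server or console machine) and that the event rule
# populates CustomField1 = EventDisplayNumber, CustomField2 = EventCategory.
Import-Module OperationsManager

function Get-EventAlertTable {
    param(
        [Parameter(Mandatory)] [string] $RuleDisplayName,   # wildcards allowed, e.g. 'DC Security*'
        [int] $Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-SCOMAlert -Name $RuleDisplayName |
        Where-Object { $_.TimeRaised -ge $since } |
        ForEach-Object {
            # For event-based alerts the Context property carries the event DataItem XML.
            $item = $null
            if ($_.Context) {
                try { $item = ([xml] $_.Context).DataItem } catch { $item = $null }
            }
            $eventId  = if ($_.CustomField1) { $_.CustomField1 } elseif ($item) { $item.EventDisplayNumber } else { $null }
            $category = if ($_.CustomField2) { $_.CustomField2 } elseif ($item) { $item.EventCategory }      else { $null }
            # Params/Param[2] in the post's XPath examples is Parameters[1] here (zero-based).
            $param2   = if ($_.Parameters.Count -ge 2) { $_.Parameters[1] } else { $null }

            [pscustomobject]@{
                TimeRaised    = $_.TimeRaised
                Computer      = $_.MonitoringObjectDisplayName
                EventID       = $eventId
                EventCategory = $category
                Severity      = $_.Severity
                State         = $_.ResolutionState
                Message       = ($_.Description -split "`r?`n")[0]   # first line only, keeps the table readable
                Param2        = $param2
            }
        } | Sort-Object TimeRaised -Descending
}

# Usage: review on screen, then export for PowerBI or a pivot table.
$table = Get-EventAlertTable -RuleDisplayName 'YourEventRuleDisplayName*' -Days 7
$table | Format-Table -AutoSize
$table | Export-Csv -Path '.\dc-security-alerts.csv' -NoTypeInformation -Encoding UTF8
```

Sorting and filtering on EventID and EventCategory is what the custom fields buy you: without them the only place that data lives is the description text or the Context XML, neither of which a SQL query against the Alerts view or a PowerBI import handles well.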

 

Happy Authoring!

 

Additional links

How to collect events – but not ALL the events?

 

https://learn.microsoft.com/en-us/answers/questions/69667/scom-event-collection-rule


PowerShell Monitor Fragment with Run As

Stop!

 

Ever need to run a PowerShell command (or script) as a specific ID?

Maybe you need to know when the command fails to catch degraded application health?

 

Let’s work through the scenario with an MP fragment.

 

Download the latest fragments here

Load Test MP fragment

Shout to Tyson Paul for his initial MP with 2016, catch his blog here!

 

This should help speed up building the MP if you have Visual Studio 2013 or 2015 with Visual Studio Authoring Extensions (VSAE). Read Kevin Holman’s blog if this is new to you.

 

Download the latest fragments here

 

Quicker method: to build the MP from the MP fragment, update the following:

  1. Import the MP fragment into Visual Studio for the MP
  2. Replace the variables in the fragment
    1.   ##CompanyID##
    2.   ##AppName## – LoadTesting
    3.   ##ClassID## – WindowsServer
    4.   ##OSVersion## – 2012 = 6.2, 2012R2 = 2012.R2, 2016 = 100
    5.   ##MPReferenceID## – MWS2M for 2012, MWS2RM for 2012R2
    6.   ##RuleGUID##
  3. Obtain rule names for override targets and report rule GUIDs for the report parameters section

          get-scomrule | ? { $_.DisplayName -like "System Processor Queue Length*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "Current Disk Queue Length*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "Current Disk Queue*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "Current Dis*k Queue*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "*Current Disk Queue*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "*Average Disk Seconds Per Transfer*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "*Logical Disk Idle Time*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "*Processor Time Total*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "*Memory Available Megabytes*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "*Network Adapter Bytes Total*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "*Memory Pages per Second*" } | fl ID,DisplayName,Name

          get-scomrule | ? { $_.DisplayName -like "*System Processor Queue Length*" } | fl ID,DisplayName,Name

  4. Save and import the MP into the environment
  5. Get the report parameter value for the group ID

          get-ScomGroup | ? { $_.DisplayName -like "*Load Testing Group*" } | fl ID,DisplayName

  6. Update ##TargetGroupID## and the MP version
    1. Save the MP, and import it into the environment
  7. From SCOM Console, Authoring Tab
    1. Update the group with explicit members
    2. Verify group members
  8. From SCOM Console, Monitoring Tab
    1. Verify the Performance view has performance counters
  9. From SCOM Console, Reporting Tab (this may take a few minutes to push the report to the Reporting server)
    1. Open the report and run it
    2. Export data for analysis
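Steps 2, 3 and 5 above are a find-and-replace of ##Token## placeholders plus two GUID lookups, which is easy to script so that a token never slips through into the imported MP. The following is an added example (not code from the original post or from the fragment library): a hashtable of the post’s variables, the rule and group GUIDs resolved with Get-SCOMRule/Get-SCOMGroup, a single pass that substitutes every token in the fragment file, and a check that fails if any ##...## is left behind. The file paths, the company name, the Resolve-ScomId and Expand-MpFragment helpers and the choice of which rule fills ##RuleGUID## are this example’s assumptions; the token names and the OSVersion/MPReferenceID values are the ones the post lists.

```powershell
# Added example, not from the original post. Run on a management server (or a
# machine with the SCOM console) so the OperationsManager cmdlets are available.
Import-Module OperationsManager

function Resolve-ScomId {
    # Runs a lookup and insists on exactly one hit: a wildcard that matches two
    # rules would otherwise silently put the wrong GUID into the report parameters.
    param([Parameter(Mandatory)] [scriptblock] $Query, [string] $Label = 'object')
    $hits = @(& $Query)
    if ($hits.Count -ne 1) { throw "$Label lookup matched $($hits.Count) objects; narrow the display name filter." }
    $hits[0].Id.ToString()
}

function Expand-MpFragment {
    # Replaces every ##Name## in the fragment with the value from $Tokens and
    # refuses to write the output if any placeholder remains.
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [string]    $OutPath,
        [Parameter(Mandatory)] [hashtable] $Tokens
    )
    $text = Get-Content -Raw -Path $Path
    foreach ($name in $Tokens.Keys) {
        $text = $text.Replace("##${name}##", [string] $Tokens[$name])
    }
    $left = [regex]::Matches($text, '##\w+##') | ForEach-Object Value | Sort-Object -Unique
    if ($left) { throw "Unreplaced tokens in ${Path}: $($left -join ', ')" }
    Set-Content -Path $OutPath -Value $text -Encoding UTF8
}

# Values from the post's variable list; CompanyID and the lookups are placeholders to adjust.
$tokens = @{
    CompanyID     = 'Contoso'
    AppName       = 'LoadTesting'
    ClassID       = 'WindowsServer'
    OSVersion     = '2012.R2'   # post: 2012 = 6.2, 2012R2 = 2012.R2, 2016 = 100
    MPReferenceID = 'MWS2RM'    # post: MWS2M for 2012, MWS2RM for 2012R2
    RuleGUID      = Resolve-ScomId -Label 'rule'  -Query { Get-SCOMRule  | Where-Object { $_.DisplayName -like 'System Processor Queue Length*' } }
    TargetGroupID = Resolve-ScomId -Label 'group' -Query { Get-SCOMGroup | Where-Object { $_.DisplayName -like '*Load Testing Group*' } }
}

Expand-MpFragment -Path '.\LoadTest.mpx' -OutPath '.\LoadTest.expanded.mpx' -Tokens $tokens
```

Because the group only exists after the first import (step 4 above), run this once with TargetGroupID left out of the hashtable for the initial build; the unreplaced-token check will then name exactly the placeholder that still needs the group ID on the second pass.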

Load Test MP with Report

Read below if you want a specific MP for load testing

 

I don’t know about you, but I’ve come across the situation where you need to compare performance.

 

This MP should help validate performance, whether physical versus virtual, a new server farm, storage performance between environments, etc.

 

Shout to Tyson Paul for his initial MP with 2016, catch his blog here!


Let’s start with the MP shell

 

Check out the upcoming Gallery download for MP’s and fragments here

NOTE: GUIDs will vary in your environment

 

To build the MP, you will need to update the following:

  1. Pack ID to include the OS version
  2. Add Reference for OS Monitoring MP (can use Visual Studio (VS) MP alias if VS is available for use in your environment)
  3. Class Type ID with OS version
  4. Discovery ID and Target with OS Version
  5. Overrides ID with OS Version, and Target with OS MP Rule name and reference
    1. Use the OS Monitoring MP to help with the rule names
    2. The far right of the Override lists the Rule that must match the OS MP
  6. View ID with OS Version
  7. Folder Item Element ID and ID
  8. MP Display Strings with OS Version
  9. Save and Import MP without the Report parameter to see what Group ID SCOM assigns the Load Test group


Part 2 – include report after group is imported

Don’t forget to update MP version under Identity!

Get Report parameter value for group ID

From PowerShell

          get-ScomGroup | ? { $_.DisplayName -like "*Load Testing Group*" } | fl ID,DisplayName

Alternatively, obtain from SQL SSMS

          select [ManagedEntityDefaultName],[ManagedEntityRowId]
          FROM [vManagedEntity]
          where [ManagedEntityDefaultName] like '%load%'
          order by displayname

SSMS Output

 

In MP XML, update View Target GUID to your Group ID

 

Add Report section, and update parameter values Rule GUID

 

PowerShell commands to run from MS or console installed machine

The GUID’s needed for the report parameters section

 

get-scomrule | ? { $_.DisplayName -like "System Processor Queue Length*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "Current Disk Queue Length*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "Current Disk Queue*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "Current Dis*k Queue*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "*Current Disk Queue*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "*Average Disk Seconds Per Transfer*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "*Logical Disk Idle Time*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "*Processor Time Total*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "*Memory Available Megabytes*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "*Network Adapter Bytes Total*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "*Memory Pages per Second*" } | fl ID,DisplayName,Name

get-scomrule | ? { $_.DisplayName -like "*System Processor Queue Length*" } | fl ID,DisplayName,Name
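The twelve one-liners above (and the same list in the Load Test MP fragment post) each print whatever the wildcard happens to match, so a pattern that matches two rules, or none, only shows up when the report comes back empty. The following is an added example (not code from the original post): it fetches the rule list once, resolves each of the post’s display-name patterns, and marks every pattern as ok, MISSING or AMBIGUOUS so that only unambiguous GUIDs are pasted into the report parameters section. The Resolve-ReportRuleIds helper and the decision to pull all rules with one Get-SCOMRule call are this example’s; the patterns are the ones from the post, minus the progressively widened “Disk Queue” variants, which are covered by the first two.

```powershell
# Added example, not from the original post. Run from a management server or a
# machine with the SCOM console installed.
Import-Module OperationsManager

# Display-name patterns from the post's report parameters section.
$ruleNames = @(
    'System Processor Queue Length*'
    'Current Disk Queue Length*'
    '*Average Disk Seconds Per Transfer*'
    '*Logical Disk Idle Time*'
    '*Processor Time Total*'
    '*Memory Available Megabytes*'
    '*Network Adapter Bytes Total*'
    '*Memory Pages per Second*'
)

function Resolve-ReportRuleIds {
    param([Parameter(Mandatory)] [string[]] $Patterns)
    $allRules = Get-SCOMRule   # one SDK round trip, then filter locally per pattern
    foreach ($p in $Patterns) {
        $hits = @($allRules | Where-Object { $_.DisplayName -like $p })
        $status = switch ($hits.Count) { 0 { 'MISSING' } 1 { 'ok' } default { 'AMBIGUOUS' } }
        [pscustomobject]@{
            Pattern = $p
            Matches = $hits.Count
            Status  = $status
            Id      = if ($hits.Count -eq 1) { $hits[0].Id } else { $null }
            # For an ambiguous pattern, list every candidate so the filter can be narrowed.
            Name    = if ($hits.Count -eq 1) { $hits[0].Name } else { ($hits | ForEach-Object Name) -join '; ' }
        }
    }
}

$resolved = Resolve-ReportRuleIds -Patterns $ruleNames
$resolved | Format-Table Pattern, Status, Matches, Id, Name -AutoSize

$bad = @($resolved | Where-Object { $_.Status -ne 'ok' })
if ($bad.Count -gt 0) {
    Write-Warning "Fix these patterns before pasting GUIDs into the report: $($bad.Pattern -join ', ')"
}
```

The MISSING case is the one that bites after an OS monitoring MP upgrade, when a rule is renamed and the old GUID in the report parameters no longer resolves; re-running this resolver after each MP update is a quick way to catch it.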


Verification

  1. From SCOM Console, Authoring Tab
    1. Update group with explicit members
    2. Verify Group members
  2. From SCOM Console, Monitoring Tab
    1. Verify Performance view has performance counters
  3. From SCOM Console Reporting Tab (this may take a few minutes to push report to Reporting server)
    1. Open report and run
    2. Export data for analysis

Basic Admin ‘How-to’ Series


This is a series of blog posts to help with SCOM best practices, and things that make SCOM easier to administer.

 

Associate MPX files in Notepad++ blog

Backup management packs via PowerShell blog

Get to know your monitor blog

Load Test MP with Report blog

Load Test MP Fragments blog

Maintenance Mode PowerShell blog

Manage DB storage with DWdataRP blog

Managing Subscriptions blog

PowerShell Rule/Monitor/PerfCounter MP and Fragments blog

Registry Key discovery MP Fragment clarification blog

Run As PowerShell monitor fragment blog

Sealing Management packs with 2012R2 and 2016 blog

Subscriptions blog

Subscription Set up Guide blog

Uncommon MP Fragments blog

Verifying Overrides blog

 

Best Practices

Agent Management pack KH Blog

Enable proxy as a default KH blog

How to be heard blog

Manage alerts/events/performance KH Blog

Office Analytics (find where all the time goes) blog

Optimize SQL blog

Recommended Registry tweaks KH blog

SCOM Agent Version Addendum KH blog

Set SCOM Agent to remotely managed KH Blog

SQL Engineering Blog

SYSTEM CENTER 2016 Operations Manager – Anti-Virus Exclusions blog

Update VMM MP’s for SCOM when SCVMM patched blog

 

Tools

MP Viewer blog

Download Notepad++ here

Kevin Holman blog on extracting scripts from MP’s using Transform tool from codeplex

Test fire events using EventLog Explorer here

Alternate tool to fire any events here