ConfigMgr SMS role alerts

Microsoft Endpoint Configuration Manager
Microsoft Endpoint Configuration Manager

It’s that time to figure out the ConfigMgr SMS role alerts – If you are monitoring your SCCM/MECM environment, then you get role failure alerts.  Many times, the Operations Helpdesk, NOSC, NOC, SOC, etc. will get alerts when various roles fail on the Configuration Manager platform.  The common ask is why, what do you see, etc.  Much like Exchange, ConfigMgr internalizes the checks that are seen in the console as registry keys or events documenting said degraded component/feature.  Helping the MECM administrator understand the failure is key to decoding how to notify administrator, and when the helpdesk needs to act on ‘ConfigMgr SMS role alerts’.

 

Example – MECM/SCCM looks at replication probe action state $Config/RoleName$

Example MECM Service Monitor for role alerts
Example MECM Service Monitor for role alerts

 

The role check is based on a variable of the RoleName in a registry key that the application updates.

 

MECM Monitor Config
MECM Monitor Config

 

This is the origin of ConfigMgr SMS role alerts

HKLM:SOFTWARE\Microsoft\SMS\Operations Management\SMS Server Role\$Config/RoleName$\Availability State

 

Decoder ring:

1 is critical state

2,3,4 are warning states

 

If more details are needed, download SCCM/MECM Management Pack for SCOM here

Use Tyson’s SCOM Helper pack to unseal, and inspect XML.

 

Once you know the origin of the ConfigMgr SMS role alerts, you can begin tuning the MECM alerts to your environment.  Understanding role alerts will help both teams understand MECM application health.  First, use MECM application health to trend alerts/outages.  Second, leverage maintenance mode schedules, or MM scripts to NOT monitor for common administration tasks.  From my experience, the alerts are the result of MECM Admins maintaining the application – common actions like building application/package lists, cleanup actions, site maintenance, backups, etc.  Lastly, set up a subscription to notify after the tuning discussion.  See my blog on building a subscription for more details.

WebConsole APM hotfix for SCOM2012R2 and above

Vaccination Record - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above
Vaccination Record

SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above, time for another SCOM shot!  Don’t forget your vaccination card 🙂

 

Let’s get started.  Time to fix the vulnerability for ‘SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above’.  Read the support article, and assess what versions you have in your sandbox and production.  Once assessed, it’s time to test/implement/verify the fix applied.

 

Support article

https://support.microsoft.com/en-us/topic/update-for-idor-vulnerability-in-system-center-operations-manager-kb5006871-0e3a513a-ad80-4830-8984-2fc5a40ee7f7

 

 

SCOM WebConsole Hotfix links

(support.microsoft.com articles)

Specific support article for SCOM2019 UR3 Hotfix

SCOM2019 UR3 Hotfix support.microsoft.com article link

Specific support article for SCOM2016 UR10 Hotfix

SCOM2016 UR10 Hotfix support.microsoft.com article link

Specific support article for SCOM2012R2 UR14 Hotfix

SCOM2016 UR10 Hotfix support.microsoft.com article link

 

# Download (same EXE has all 3 SCOM versions)

https://download.microsoft.com/download/3/e/e/3eec1274-64d5-4285-84b9-c50800eb2dd2/KB5006871.EXE

 

 

Hotfix updates two paths on SCOM management server with the WebConsole role

Paths updated

(don’t forget to add File Version property to your display)

NOTE Drive letter depends on where you installed SCOM (typically D:)

 

SCOM2019 paths

D:\Program Files\Microsoft System Center\Operations Manager\WebConsole\AppDiagnostics\Web\bin

D:\Program Files\Microsoft System Center\Operations Manager\WebConsole\AppDiagnostics\AppAdvisor\Web\Bin

SCOM2016 paths

D:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\AppDiagnostics\Web\bin

D:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\AppDiagnostics\AppAdvisor\Web\Bin

 

Screenshot of paths

AppDiagnostics File Path - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above
AppDiagnostics File Path
AppDiagnostics AppAdvisor File Path - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above
AppDiagnostics AppAdvisor File Path

 

Just in case you forgot how to add properties in Windows Explorer…

In the columns (Name, Date modified, etc,) right click > More

Add file property - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above
Add file property

Hit F to move down to the F named details > hit check box for ‘File Version’ or click on File Version and hit space bar

Click on OK

Add file property File Version - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above
Add file property File Version

 

Sort by ‘Date Modified’ Column

Verify File Version - SCOM hotfix released for WebConsole/APM on SCOM2012R2 and above
Verify File Version

 

File versions AFTER installing hotfix

Depending on which SCOM version you’re running, the path stays pretty much the same, and you want to verify that files were updated for the ‘SCOM hotfix released for WebConsole/APM’

SCOM2019

UR3 = 10.19.10505.0 > Hotfix file version = 10.19.10550.0

SCOM2016

UR10 = 7.2.12324 > Hotfix file version = 7.2.12335.0

Standard UR10 files are 8.0.10918.0

 

Voila > SCOM hotfix complete

Notify your Security team you’ve patched, because sometimes the scanner software isn’t accurately updated (where Security needs to open a case with their vendor!)

 

Complete:  Patched environment for ‘SCOM WebConsole/APM on SCOM2012R2 and above’

Which subscription was the trigger?

Hello Again,

Surprise!

I am back, as a rusty nail, and back to make lemonade from lemons!

Rusty Nail through Lemon

Rusty Nail through Lemon

 

Ever run into an email you don’t want to get, but have difficulty finding

the subscription entry?

 

Do you get a subscription Email, and that channel has the Notification ID, but you’re not sure what subscription sent the alert email?

 

Let’s start with the notification email

Example

Notification subscription ID generating this message:

{AA0C1081-D04F-F5CA-DEB7-92B9ECA619E2}

 

On SCOM MS > Open PowerShell

Get-SCOMNotificationSubscription

 

Example

PS C:\windows\system32> Get-SCOMNotificationSubscription -ID

“BD52BB72-3FDE-9D7F-6214-B9A47A311896”

 

Configuration     :

Microsoft.EnterpriseManagement.Administration.AlertChangedSubscriptionConfiguration

ManagementGroup   : SCOMTestLab

Name              : Subscription168e29fd_a8e5_4ee4_956f_d9591b845475

DisplayName       : AD DailyTasks Report

Description       : +CRITERIA = Alert Name Contains ‘Proactive DailyTasks AD

Team Report’     +RESOLUTIONSTATE = (0)

New    +SUBSCRIBERS = AD team, USER Kevin Justin via EMAIL     +CHANNEL = SMTP Email

Actions           : {SMTPAction_a6a5314d_83f5_47c0_910a_e60040b4c808}

ToRecipients      : {USER <blank> via EMAIL, USER <blank> via EMAIL, USER

<blank> via Email, USER <blank> via EMAIL…}

CcRecipients      : {}

BccRecipients     : {}

Enabled           : True

Id                : bd52bb72-3fde-9d7f-6214-b9a47a311896

ManagementGroupId : 001b9265-3c9f-816c-aa36-a8687c05be8e

 

Get-SCOMNotificationSubscription | ? { $_.ID -eq

“BD52BB72-3FDE-9D7F-6214-B9A47A311896” }

 

Example

PS C:\windows\system32> Get-SCOMNotificationSubscription | ? { $_.ID -eq “BD52BB72-3FDE-9D7F-6214-B9A47A311896” }

Configuration     :

Microsoft.EnterpriseManagement.Administration.AlertChangedSubscriptionConfiguration

ManagementGroup   : SCOMTestLab

Name              : Subscription168e29fd_a8e5_4ee4_956f_d9591b845475

DisplayName       : AD DailyTasks Report

Description       : +CRITERIA = Alert Name Contains ‘Proactive DailyTasks AD

Team Report’     +RESOLUTIONSTATE = (0)

New    +SUBSCRIBERS = AD team, USER Kevin Justin via EMAIL     +CHANNEL = SMTP Email

Actions           : {SMTPAction_a6a5314d_83f5_47c0_910a_e60040b4c808}

ToRecipients      : {USER <blank> via EMAIL, USER <blank> via EMAIL, USER

<blank> via Email, USER <blank> via EMAIL…}CcRecipients      : {}

BccRecipients     : {}

Enabled           : True

Id                : bd52bb72-3fde-9d7f-6214-b9a47a311896

ManagementGroupId : 001b9265-3c9f-816c-aa36-a8687c05be8e

 

Update the subscription

Depending on the subscription criteria, you may need to adjust the classes, or rules/monitors, or even the criteria (properties)

 

Example

Using Subscription Description for more details into what is filtered, who alert is delivered to, and the channel used

SubscriptionDescription

 

Example

Expanding Subscription Criteria to see details into what criteria is filtered for subscription

SubscriptionCriteria

SubscriptionCriteria

See previous blogs for the best practice / how to set up subscriptions to show useful data without all the clicks

Subscription set up guide

Docs article How to Create Notification Subscriptions | Microsoft Docs

SCOM 2016 web console hot fix released

Burglar stealing a monitor
Security hotfix for SCOM 2016 web console released before your information is stolen

SCOM 2016 web console hot fix

Security teams may be contacting you for CVE-2020-1331 vulnerability on the 2016 web console.  In my example, the Tenable scanner listed ALL SCOM management group servers – under SCOM2016/2019).

NOTE KB does not install on server, so does not show up under ‘Installed Updates’

 

 

Background

HotFix DLL comes with a readme to replace the DLL for the SCOM 2016 WebConsole role

If you don’t already know this, the roles each get their own directory on your SCOM server

Security scanners run scripts to help validate if system is vulnerable.  It is possible that the scanner is just looking for some string for the install of SCOM, NOT the actual role that is vulnerable.

 

SCOM 2016 typically installs @ (‘\Program Files\Microsoft System Center 2016’)

SCOM 2019 typically installs @ (‘\Program Files\Microsoft System Center’)

 

 

Identify SCOM roles

Open PowerShell window to identify roles

cd “D:\Program Files\Microsoft System Center 2016\Operations Manager”

 

 

Resolve Web Console vulnerability

High level steps

Download the KB here

Execute KB

Copy dll and readme file

Backup DLL and replace

Reboot server

Contact Security Team to re-scan server

 

Mitigate vulnerability

Download the KB here

Extract downloaded the KB

Click Run to extract, and list extraction path

Click Run for Security Warning pop-up
Click Run for Security Warning pop-up

Copy Windows Explorer Path you want to extract to, and paste in the path

Example

S:\MonAdmin\MSDN images\SCOM\2016\WebConsole HotFix

Enter path to extract Hot Fix
Extract Hot Fix

 

Copy current DLL & replace with hotfix DLL

Open PowerShell window (as admin)

# Backup DLL

# Change Drive letter if you hopefully installed SCOM on D: drive (non-system drive)

copy “C:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\MonitoringView\bin\Microsoft.EnterpriseManagement.OperationsManager.MonitoringViews.dll”  “C:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\MonitoringView\bin\Microsoft.EnterpriseManagement.OperationsManager.MonitoringViews-old.dll”

# Replace DLL

copy “C:\MonAdmin\Microsoft*.dll” “C:\Program Files\Microsoft System Center 2016\Operations Mana
ger\WebConsole\MonitoringView\bin”

 

# Verify

cd “D:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\MonitoringView \bin”

gci Microsoft.EnterpriseManagement.Operations*.dll

 

Sample screenshot from Windows Explorer view of Bin directory for replaced DLL – Same size, only timestamp changes July Page 4

Windows Explorer window showing DLL's
Windows Explorer window showing DLL’s

Reboot server

 

Test WebConsole functionality

Verify from SCOM Console > Administration Tab > Settings > Web

Find Console URL
Find Console URL

Example

http://16ms01/OperationsManager

 

Contact Security Team to re-scan SCOM asset(s)

 

 

References

CVE-2020-1331 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1331

 

Microsoft Support article

https://support.microsoft.com/en-us/help/4566040/prevent-javascript-injection-in-operations-manager-2016-web-console

Tenable forum post https://community.tenable.com/s/question/0D53a000074LGapCAG/plugin-137369-security-updatesfor-microsoft-system-center-operations-manager

 

Build FluentD conf file

Build trust one block at a time

Ready to build out a FluentD conf file?

 

Let’s build a FluentD conf file.  We can use the docs site for another example.  And now, let’s build a simple FluentD configuration file. Paste the XML code below, and save as <yourlogfile>.conf

Create custom log file to test

cd /etc/opt/microsoft/omsagent/scom/conf/omsagent.d/
# vi <yourlogfile>.conf

vi mylog.conf

# Example conf file

<source>
# Specifies input plugin. Tail is a fluentd input plugin – http://docs.fluentd.org/v0.12/articles/in_tail
type tail
# Specify the log file path. Supports wild cards.
path /var/log/mylog
# Recommended so that Fluentd will record the position it last read into this file.
pos_file /home/omsagent/fluent-logging/mylog.pos

# Used to correlate the directives.
tag scom.log.mylog

format /(?<message>.*)/
</source>

<filter scom.log.mylog>
type filter_scom_simple_match
regexp1 message 911
event_id1 911
</filter>

<match scom.log.mylog>
#Disable mutual Auth
enable_server_auth false

# Output plugin to use
type out_scom
log_level trace
num_threads 5

# Size of the buffer chunk. If the top chunk exceeds this limit or the time limit flush_interval, a new empty chunk is pushed to the top of the
queue and bottom chunk is written out.
buffer_chunk_limit 5m
flush_interval 15s
# Specifies the buffer plugin to use.
buffer_type file
# Specifies the file path for buffer. Fluentd must have write access to this directory.
buffer_path /var/opt/microsoft/omsagent/scom/state/out_scom_common*.buffer
# If queue length exceeds the specified limit, events are rejected.
buffer_queue_limit 10
# Control the buffer behavior when the queue becomes full: exception, block, drop_oldest_chunk
buffer_queue_full_action drop_oldest_chunk
# Number of times Fluentd will attempt to write the chunk if it fails.
retry_limit 10
# If the bottom chunk fails to be written out, it will remain in the queue and Fluentd will retry after waiting retry_wait seconds
retry_wait 30s
# The retry wait time doubles each time until max_retry_wait.
max_retry_wait 9m
</match>

Save (:wq!)

 

# Restart Agent

/opt/microsoft/omsagent/bin/service_control restart

# Check for errors – see blog

grep -i error /var/opt/microsoft/omsagent/scom/log/omsagent.log

# Test strings into your logfile

# Options

echo test >> /var/log/mylog

echo 911 error >> /var/log/mylog

# mimic syslog or messages syntax

echo `date +”%b %e %H:%M:%S”` MYLOG 911 test string. Call 911 >> /var/log/mylog

 

Please stay tuned for more management pack options to alert on the strings.  Refer to the part1/2 blogs for more details on unit testing for alerts.

OMSAgent FluentD debunked – Configure Linux FluentD – part2

Are you stoked and fired up to Configure Linux FluentD - part2 !?

Now to begin – OMSAgent FluentD debunked

Configure Linux FluentD – part2 –> see part one (1) here)

 

 

First, my thanks to Mike Johnston@Microsoft (CSS SEE SME) to help validate my steps and testing, to configure Linux FluentD on an Ubuntu server!  Are you ready to bust a myth – OMSAgent FluentD debunked

 

If you’re starting fresh, or just joining, start with Part 1.  And Part 1 configures packs and assumes SCOM agent is installed and working.  Because it’s time to use the feature, we need to get the agent configured and tested.

 

Part one (1) quick summary

    • Verify pre-reqs – SCOM Linux Management packs for Linux/Universal Linux (2019 @ 10.19.1082.0), UNIX/Linux Log File monitoring (2019 @ 10.19.1008.0)
    • Linux server has SCOM Agent installed, configured, and updated (sudoers configured) – GUI blog here
    • Use docs.microsoft.com article

 

Load Sample Log monitoring pack

This piece is missing in the doc, but the content development team has this covered in a subsequent docs article.  We need to load a sample log monitoring pack to the SCOM management group, so we can test functionality.

Configure FluentD part 2 - This is a picture of the SCOM console GUI showing the OMED pack installed from the Admin tab > Management Packs > Installed Management Packs > with omed in the 'look for:' bar

Grab the file here, otherwise you can copy/paste from the docs article pretty easily.

 

 

Verify OMED service running on Management Server

It’s now time to enable the OMED service on the management server, and we can start with the docs subsection

Navigation steps from SCOM console (GUI)

    1. From the Operations console, go to Monitoring>Operations Manager>Management Server>Management Servers State.
    2. Select the management server in the Management Servers state.
    3. From Tasks, select Health Service Tasks>Enable System Center OMED Server

 

Steps to set/start service PowerShell (as admin)

# Verify service startup type is automatic

get-Service OMED | select -property Name,Starttype

# Example output

PS C:\Users\admin> Get-Service OMED | select -property name,starttype
Name StartType
—- ———
OMED Automatic

# Set startup type

 

# Start OMED service on SCOM management server (MS)

start-service OMED

 

Now we’re ready to test the UNIX agent!

 

 

Configure SCOM/OMSagent on Linux server

And now it’s time to switch to the agent side.  I’m assuming that you’ve already configured the SCOM agent on the Linux server.  So it’s time to verify the SCOM and OMSAgent is configured and working.  Let’s go back to the docs subsection for our sanity check, because we need to create folders, and set ownership, etc.

 

Create files and set permissions
mkdir /etc/opt/microsoft/omsagent/scom/conf/omsagent.d
mkdir /etc/opt/microsoft/omsagent/scom/certs
mkdir /var/opt/microsoft/omsagent/scom/log
mkdir /var/opt/microsoft/omsagent/scom/run
mkdir /var/opt/microsoft/omsagent/scom/state
mkdir /var/opt/microsoft/omsagent/scom/tmp
mkdir /home/omsagent/fluent-logging
# NOTE – This location is flexible for the path to use for log file position files
chown omsagent:omiusers state
chown omsagent:omiusers run
chown omsagent:omiusers log
chown omsagent:omiusers tmp
chown omsagent:omiusers /home/omsagent/fluent-logging

Verify SCOM certificate

Configuring FluentD requires the SCOM management server (MS) has signed the certificate on the UNIX server.  The docs article tells you to generate a new certificate for FluentD, which requires the management server.

Overview

Sign the certs on the agent > copy to MS > sign > copy back to agent

Step by step instructions
    1. Generate certs

/opt/microsoft/scx/bin/tools/scxsslconfig -c -g /etc/opt/microsoft/omsagent/scom/certs/

2. Rename certificates

cp -p omi-host-server.domain.pem to scom-cert.pem

cp -p omikey.pem to scom-key.pem

 

3. Copy certs to MS (sftp/ssh via WinSCP, or your app of choice)

 

4. Sign certs on MS via scxcertconfig -sign

 

Open PowerShell (as admin)

Go to your SCOM management server directory (hopefully d:)

cd ‘D:\Program Files\Microsoft System Center\Operations Manager\Server’

scxcertconfig -sign scom-cert.pem

scxcertconfig -sign scom-key.pem

 

5. Copy certs back to agent from MS (sftp/ssh via WinSCP, or your app of choice)

 

6. Verify the SCOM certificate shows your Management Server (MS) in the DC= line in the certificate

openssl x509 -in scom-cert.pem -noout -text

Verify SSL certificate - openssl syntax, verify the DC= portion is from the SCOM management server (MS)

 

7. Restart omsagent

As the ALLINONE server is one of my 2019 SCOM labs, I can verify that my cert is now signed by the management server (MS).  Time to load the certificate, and then restart the agent to see if we have any errors

# Restart Agent

/opt/microsoft/omsagent/bin/service_control restart

 

 

Verify omsagent.log errors

Verify any errors from the omsagent.log

Depending on where you are with your UNIX/Linux commands, this may help provide some context or use case examples.

My example –

First error after restart was ‘permission denied’.   FluentD runs under the omsagent ID, and needs to have access to whatever log – at least read (4).  For the syslog example, I made omsagent the owner, and omiusers the group.   The smarter, security hat on, choice is to leave as root and make it read capable, or add omsagent to the root group

Configure FluentD part 2 - fluentd permission denied alerts on /var/log/syslog

 

Search /var/opt/microsoft/omsagent/scom/log/omsagent.log for errors.  Commands build on another, from simpler to more complex.  Don’t worry if UNIX/Linux is new, I’m all about examples, so hope that helps bridge the gap!

 

# Tail omsagent.log for progress

# Option 1 Continual output updates from file

tail -f /var/opt/microsoft/omsagent/scom/log/omsagent.log

# Option 2 – get last 10 lines

tail /var/opt/microsoft/omsagent/scom/log/omsagent.log

 

# Option 3 – get last 100 lines

tail -100 /var/opt/microsoft/omsagent/scom/log/omsagent.log

# Option 4 – Get a little fancier – search for a string

grep string /var/opt/microsoft/omsagent/scom/log/omsagent.log

# Option 5 – Specific example = error, case insensitive (-i)

grep -i error /var/opt/microsoft/omsagent/scom/log/omsagent.log

 

# Option 6 – egrep strings and -v to exclude what you don’t want to see

grep -i error /var/opt/Microsoft/omsagent/scom/log/omsagent.log |egrep -v “Permission denied|stacktrace”

 

Verify FluentD config files

Verify FluentD conf files and omsagent.conf has INCLUDE line

The INCLUDE lines allows a directory for a ‘Gold depot’ to control what log files are monitored on destination linux servers.  The goal is a standard repository (gold depot ) to simply copy the conf file you want for logfile/app/daemon, restart agent, and you’re off to the races monitoring that log file.

 

Verify omsagent.conf includes directory

grep -i include /etc/opt/Microsoft/omsagent/scom/conf/omsagent.conf

# If there’s output, make sure that omsagent.d path exists

# Verify permissions show omsagent:omiusers

ls -al /etc/opt/Microsoft/omsagent/scom/conf | grep omsagent

 

10. Back to step 8’s problem, to fix the FluentD conf files, so we can test!  Step 9 verified that FluentD is configured via the omsagent.conf, and also for specific configuration files (.conf) in omsagent.d directory.

ls -al output list of the omsagent.d directory and oms config specific files for various log files

Next, we need to restart the agent to verify configuration, and any errors are seen on the FluentD side.

My error for ‘out_scom’ plugin was already used by some other test conf files.

grep -i error /var/opt/Microsoft/omsagent/scom/log/omsagent.log |grep “Permission denied” |tail

 

Example of omsagent.log where we have traced an event for our mylog

OMSAgent FluentD debunked - omsagent.log permission denied opening logfile errors for /var/log/syslog

Mike explained that my error was due to having multiple FluentD conf files using the same buffer path for ‘out_scom’.  I searched the conf files to see who had ‘out_scom’ and removed one of my old test files from months back when I was testing the feature.

# Example of errors in the omsagent.log

Tail of the omsagent.log where we want to look for errors

 

Don’t forget to restart the omsagent for reading in the new file changes

# Restart Agent

/opt/microsoft/omsagent/bin/service_control restart

 

 

I’ll cover building a fluentd conf file in another blog post for brevity.

 

 

Time to test for alerts!

Time to test our FluentD conf file and append entries into the log file!

Starting simple again

# Options

echo test >> /var/log/mylog

echo 911 error >> /var/log/mylog

# Echo entries into test logfile to mimic syslog or messages

echo `date +”%b %e %H:%M:%S”` MYLOG 911 test string. Call 911

# Verify

tail /var/log/mylog

Switch over to SCOM management server, and look for alerts

Navigate to the Monitoring Tab > Active alerts

OMSAgent FluentD debunked - scom console alerts for fluentd test patterns

 

 

References for more information

In case you need a refresher on all the date options… Found CyberCiti FAQ helpful

Configure FluentD part 2 - output of the date command formatting like syslog or messages

All because the goal is to make the echo statement better for testing closer test/UAT examples on string matches, etc.

echo `date +”%b %e %H:%M:%S”` MYLOG 911 test string. Call 911

And what does it look like?

OMSAgent FluentD debunked - tail of created /var/log/mylog that shows various echo options

 

Service Map – Setting up SCOM management group

 

It’s time to get my SCOM MG running Service Map

Nothing like seeing what an application actually does, mapping ports a server is using, and who the server talks to!

From the docs site – https://docs.microsoft.com/en-us/azure/monitoring/monitoring-service-map-scom

 

Download Management Pack

Let’s start with the pack download

Download Management Pack

 

 

Install Management pack

Choose your preference

PowerShell (as admin)

Import-SCOMManagementPack -FullName “S:\monadmin\backup\$date”

In case you need help – TechNet article

 

Lab Example

Import-SCOMManagementPack -FullName “S:\MonAdmin\SCOM\Management packs\Service Map – Blue Stripe for SCOM – OMS\v1.0.0.6\Microsoft.SystemCenter.ServiceMap.mpb”

 

 

Import via SCOM Console

 

 

 

Configure the Service Map integration

In SCOM Console, click on Administration Tab

Navigate to the Operations Management Suite, and expand for the Service Map selection

 

Click ‘Add workspace’

Paste in your Tenant ID, Application ID, and Service Principal Key that you set up prior

Click Next

 

 

Verify Workspace Information
Click Next

 

 

Two options – if you don’t have any Windows Computer based groups in your MG, skip down to Server Selection

 

If there are Machine Groups to add, click ‘Add/Remove’

 

 

Click Next to select individual servers

Click Add

Click OK to close window

 

 

Click Next to move to next window

 

NOTE

  • Speed to fetch information is based on a rule see docs site
  • In the Server Selection window, you configure the Service Map Servers Group with the servers that you want to sync between Operations Manager and Service Map. Click Add/Remove Servers.

For the integration to build a distributed application diagram for a server, the server must be:

  • Managed by Operations Manager
  • Managed by Service Map
  • Listed in the Service Map Servers Group

 

From <https://docs.microsoft.com/en-us/azure/monitoring/monitoring-service-map-scom>

 

 

Setup proxy if needed

Click Add Workspace

 

 

 

 

 

Use Service Map

Time to Use the tool – https://docs.microsoft.com/en-us/azure/monitoring/monitoring-service-map

 

 

 

Verifying Servers specified in Service Map

Verify group

SCOM Console > Authoring Tab > Groups

Look for > Service Map

View Group members or look at Explicit tab

 

 

 

Troubleshooting

On Management Server (MS), Operations Manager Event log

PowerShell

get-eventlog -logname “Operations Manager” -newest 25

 

# This command will help if you get stuck on the workspace

get-eventlog -logname “Operations Manager” -Source “Operations Manager” -newest 25 | ? {$_.eventID -eq 6400 } |fl

 

GUI

Filter by Error,Warning

 

 

Install Azure Log Analytics Service Map Dependency Agent

 

 

To make all this work, sometimes, it seems like a slot machine, deposit your quarter, and hope you hit the jackpot!

 

 

So to get started, you probably have a list of computers where you have the MMA agent, and want to install Service Map to see how and who the computers are talking (to)

 

Login to Azure Portal

Click on Log Analytics

Click on your Subscription

Click on Service Map

Click on the Download link for Windows or Linux

Save file

 

 

Take saved file and copy to computer

 

 

 

 

GUI method

If you want a PowerShell method, Daniel Orneling has a great blog and Gallery TechNet script that will help

 

Docs site link has more details

Execute the InstallDependencyAgent-Windows.exe

 

Answer yes for UAC elevation

 

Click I Agree

 

Click Finish

 

 

 

Verify Agent installed

 

NOTE: If installing for SCOM, it's based on the Rule 'Microsoft.SystemCenter.ServiceMapImport.Rule'

https://docs.microsoft.com/en-us/azure/monitoring/monitoring-service-map-scom#configure-rules-and-overrides

 

PowerShell

get-eventlog -logname “Operations Manager” -Source “HealthService” -newest 25 | ? {$_.eventID -eq
1201 } |fl

get-service MicrosoftDependencyAgent

 

 

 

Event Viewer

Azure Log Analytics Service Map Planning and Pre-reqs

My grandfather said two things:

An ounce of prevention is worth a pound of manure

Death and taxes are part of life

 

Planning out a deployment is a good thing.

My best friend would say “No one plans to fail, they just fail to plan”

 

 

This will be a multi-part blog – breaking out the high level steps, and my experience getting the solution set up.

 

What do we need for Service Map?

  • Azure connectivity
    • Setup Log Analytics workspace on MMA/SCOM agent article
    • Troubleshooting onboarding issues KB,
      • Check for Events in Operations Manager event logs blog
  • Computers in scope for visualization
    • What computers (Windows or Linux)
    • Pricing FAQ
  • Dependency agent installed on computers
  • Azure Service Principal
    • (think of it as an SSH shared key ID/password for Azure Apps to communicate)
    • Docs article

 

High level steps

  1. Overview blog
  2. Install the MMA agent blog
  3. Install the dependency agent blog
  4. Configure Azure Service Principal blog
  5. Configure Service Map on SCOM blog

 

What ID’s is SCOM using

Ever need to audit what ID’s SCOM is using?

Maybe you have to figure out how someone else setup SCOM.

Did they set up SCOM as recommended for best practices with different AD accounts per role?

 

If the ID’s are not logged during install, it’s a little more difficult to figure out what ID was used.

  • Domain Account for ALL services,
  • Enter in the unique DOMAIN\OMAA, DOMAIN\OMDAS, DOMAIN\OMREAD, DOMAIN\OMWRITE

 

Try these PowerShell commands to find what SCOM is using.

 

ON MS (from PowerShell (don’t need admin unless you’re restarting services)

$Services = ( Get-WmiObject -Class Win32_Service )

$Services | ? { $_.Name -eq “OMSDK” -OR $_.Name -eq “cshost” -OR $_.Name -eq “HealthService” } |

ft name,Startname,StartMode

 

 

 

ON SCOM DB’s, Reporting (from PowerShell (don’t need admin unless you’re restarting services)

$Services = ( Get-WmiObject -Class Win32_Service )

$Services | ? { $_.DisplayName -like “*SQL*” } | ft name,Startname,StartMode

 

 

Source https://blogs.technet.microsoft.com/heyscriptingguy/2012/02/15/the-scripting-wife-uses-powershell-to-find-service-accounts/