Friday, September 12, 2008

So how do I know what my xpath query should be to pull data from an event into a SCOM alert?

I've been developing a rule to monitor SQL Server events from System Center Operation Manger 2007 (SCOM) and have been having great difficulty finding the appropriate xpath query to the data. The xpath query is often different for each datasource an alert is created for and documentation is very difficult to find. The most helpful source of answers to questions for me has been the SCOM newsgroups at microsoft (microsoft.public.opsmgr.authoring).

I recently asked a question about the propery xpath query for information from a WMI Event-based rule and a very helpful person, Mike Eisenstein, pointed me the right direction. I wanted a way to determine this structure myself without having to resort to the newsgroup every time I turned around. I decided to create a tool to capture alerts and write the alert context to a file for reference.

I chose to write my tool in PowerShell and created it as an Output Connector to SCOM. Now this version is a bit of a hack, but it works for me so far :)

[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.EnterpriseManagement")
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.EnterpriseManagement.ConnectorFramework")
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.EnterpriseManagement.Common")
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.EnterpriseManagement.Monitoring")
[System.Reflection.Assembly]::LoadWithPartialName("System.Threading")

$mg = new-object Microsoft.EnterpriseManagement.ManagementGroup "yourRMSHere"
$cfAdmin = $mg.GetConnectorFrameworkAdministration()
$guid = New-Object System.Guid "{01386f22-fbec-4c85-9ce5-da706786e69e}"

$info = New-Object Microsoft.EnterpriseManagement.ConnectorFramework.ConnectorInfo
$info.Description = "Test Connector"
$info.DisplayName = "Test Connector"
$info.Name = "Test Connector"
$connector = $cfAdmin.Setup($info,$guid)
$connector.Initialize()

#
# Subscribe to the Custom Category
$any = [Microsoft.EnterpriseManagement.Administration.AlertSubscriptionConfigurationType]::Any
$config = New-Object Microsoft.EnterpriseManagement.Administration.AlertChangedSubscriptionConfiguration($any)
$config.ExpirationStartTime = [DateTime]::Now
$config.Criteria = '<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<Property>Severity</Property>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>2</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<Property>Priority</Property>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>2</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<Property>Priority</Property>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>1</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<Property>Category</Property>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>Custom</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<Property>ResolutionState</Property>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>0</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<Property>ResolutionState</Property>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>255</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</And>'
$subscription = New-Object Microsoft.EnterpriseManagement.ConnectorFramework.MonitoringConnectorSubscription 'AlertSubscription',$connector.Id, $config
$subscription.DisplayName = 'Alerts Subscription'
$subscription.Description = 'Subscription that only gathers alerts from the Custom Category'
trap {
Write-output $("TRAPPED-1: " + $_.Exception.GetType().FullName);
Write-output $("TRAPPED-1: " + $_.Exception.Message);

}
$cfAdmin.InsertConnectorSubscription($subscription)

$one = 1
$fileCounter = 0
while ($one -eq 1) { # yup, loop forever
$alerts = $connector.GetMonitoringAlerts()
if ($alerts.Count -gt 0) {
$connector.AcknowledgeMonitoringAlerts($alerts)
}

foreach ($alert in $alerts) {
[xml]$context = $alert.Context
$context.Save("c:\temp\Alert_Context_" + $fileCounter + ".xml")
$fileCounter = $fileCounter + 1
}

# Sleep for a minute
[System.Threading.Thread]::Sleep(60000)
}
Modify yourRMSHere to a value appropriate to your install. Note that the script doesn't volunteer to terminate and does not clean up after itself, yet, in SCOM. To clean up a few things need to be done:
$connector.Uninitialize()
In your Scom console, delete the subscription from the Product Connector
$cfAdmin.Cleanup($connector)
Note: This is not for the faint at heart, but you probably wouldn't be be here if you are.

I'll address the analysis of the resultant file after I am more certain I have the interpretation down myself. I'm currently working with a sample-size of a single rule.
Posted by at No comments:
Labels: , , ,

Thursday, June 12, 2008

SCOM Override report and uigenerated names on monitors/reports

System Center Operations Manager (SCOM) 2007 lacks any reports on the effective rules or monitors applied to the environment. I feel comforted by being able to see what I've got enabled. I decided to make all my custom monitors and rules as disabled in sealed management packs and enable them in overrides placed in other management packs. This is pretty much the best practice that I see everybody say you should use.

When you author your overrides in the SCOM console and then go run the handy Override report, all the Affected Elements have an obfuscated name similar to uigenerated and is less than helpful.

Solution?
  • Export the management pack that contains the overrides
  • Edit the xml and find the <LanguagePack ... > element
  • Modify the IsDefault attribute to be true instead of false.
  • Modify the version of the management pack at ManagemetPack|Manifest|Identity|Version
  • Save and Import the management pack
This does not resolve the issue of the Targets being obfuscated. I did not find an easy solution for that, but had to create a custom version of the stored procedure and report to fix it.
Posted by at 1 comment:
Labels: ,

Friday, June 6, 2008

So you want to generate an alert from an Event Log on a cluster?

So you've got a shiny new installation System Center Operations Manager (SCOM) 2007 and some services running on a Cluster you want to monitor. One might think it would be a simple matter of creating a rule and targeting the cluster.

One would be wrong.

The xml of the management pack has to be edited to include the 1 element added to the configuration of the datasource for the rule. For example:

.
.
.
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
 <AllowProxying>1</AllowProxying> <!-- This is it here -->
 <Expression>
 .
.
.

This is necessary only if the service generating the event logs is NOT cluster-aware. Applications like SQL Server are cluster-aware and will emit their messages with their computer name set properly. If the application is not cluster-aware, it will use the cluster-node that it's running on as it's computer name.
Posted by at 1 comment:
Labels: ,

So you want to base an Alert off an Event Log message in a Clustered Environment?

So you've got a shiny new installation System Center Operations Manager (SCOM) 2007 and some SQL Servers that are Clustered. One might think it would be a simple matter of creating a rule and targeting the cluster.

One would be wrong.

The xml of the management pack has to be edited to include the 1 element added to the configuration of the datasource for the rule. For example:

.
.
.
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
 <AllowProxying>1</AllowProxying> <!-- This is it here -->
 <Expression>
 .
.
.

Posted by at No comments:

Hello

Welcome to my little corner of the blogsphere. Who knows what this will turn into. I mainly created this to share any insights I may gain into the workings of Microsoft's System Center Operations Manager (SCOM).
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)