Today when I was looking for a list of all my agent managed machines I found the Custom Configuration report, under generic reports. It is a fairly nice report in which you can add a group and then select report fields. For example if you add “Agent Managed Computer Group” as a group you can then choose to display hostname, IP Address and OU. It can also be used to generate a report over all logical disc with special attributes, you configure the forumla for the special attributes in a dynamic group.

There has been some discussions about monitoring log files and how Ops Mgr handle them. I did some tests in my sandbox regarding this. I created a monitor to check log files with pattern “*.log*” in C:\AppLogs\. Ops Mgr is looking for “warning” in all .log files. As soon as I input “warning” in my log file applog.log I get an alert in the console. You can use the variables below to add information to the alert description, for example the filename.

Logfile Directory : $Data/EventData/DataItem/LogFileDirectory$
Logfile name: $Data/EventData/DataItem/LogFileName$
String:  $Data/EventData/DataItem/Params/Param[1]$

If I clear the logfile and then input “warning”, I don´t get an alert. Ops Mgr remember where it read last time and will not read the hole file again, and as I am back on line one now, Ops Mgr consider that line as read. But if I add a couple of more lines Ops Mgr will generate an alert as I am beyond that line where Ops Mgr read last time.

If I add a second log file to the same directory, for example applog2.log, and input “warning” in it I get an alert instant.

Summary: If you want to limit the space that your log file needs, configure your application to use multiple log files, instead of clear the log file. For example configure your application to start a new log file every hour or day. Make sure the application are not updating the old files after a new is created. As long as the log file name patter is the same Ops Mgr will find it and monitor it, without any extra configuration. You can then configure another rule to delete old log files to clear up space.

I have note that sometimes, if you are monitoring a number of files that all are all active, the monitor health state will change after the first new “warning”, if you then get a new “warning” in a log file before the monitor is back to health you will not see that second “warning” in the console. Also note that log file monitors are not case sensitive, so if you configure it to look for Warning it will also trigger on warning.

I have seen a lot of questions about checking all services that are configure to start automatically. This can be done with a script. This script checks if the service is configure to start automatic, if it is and it is not running, a warning event will be written in the local application log. You can then pickup that event with Operations Manager and generate an alert.

strComputer = “.”
Set objWMIService = GetObject(“winmgmts:” _
    & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)

Set colListOfServices = objWMIService.ExecQuery _
        (“Select * from Win32_Service”)

For Each objService in colListOfServices

If (objService.StartMode = “Auto”) and (objService.State = “Stopped”) then

Const EVENT_WARNING = 2
Set objShell = CreateObject(“Wscript.Shell”)
objShell.LogEvent EVENT_WARNING, _
 “Service ” & objService.DisplayName & ” is not running. (” & objService.Name & “)”
End If
Next

Remember to test scripts in a test environment first.

As you might have experience Xplatform component discovery takes a long time. The default value to discover components is set to 3600 seconds, but you can override with a lower value. This is suitable in a sandbox where you want to get the monitoring to work as soon as possible so that you can move on with your other tests.

In the authoring workspace, under Object Discoveries, there are a number of rules to override, for example if you are running SUSE Linux Enterprise 10:

Discover SUSE Linux Enterprise Server 10 Logical Disks
Discover SUSE Linux Enterprise Server 10 Physical Disks
Discover SUSE Linux Enterprise Server 10 Processor
Discover SUSE Linux Enterprise Server 10 Network Adpaters
Discover SUSE Linux Enterprise Server 10 Operating System

If you change the Interval value to 60, it will run the discovery every 60 seconds. Of course this value is not suitable in all environment so please be wise when modifying this. You could also override the interal for computer and operatingsystem to discovery system faster.

Today I have been testing override overrides, when we have two overrides overriding the same setting with different thresholds, for the same target machine.

First I created a monitor to check for event ID 1 in the Application log. With default settings there should be an alert generated with medium alert priority.

I then create a override for “For a specific object of type: Windows Server 2003 Computer”, my DC1 machine. I changed the alert priority to high. I validated my override by generating an alert, and I could see that alert priority now was high.

I then created a second cverride for “For a group…”, a group including my DC1 machine. I changed the alert priority to low. I now I had one override for the DC1 computer and one override for a group including the DC1 computer. The new alert comes with high priority. So far, the newest override is the one Ops Mgr use.

If I do this the other way around, first configure a override for the group and then a override for my DC1 computer object I get the same result, the newest override is the one Ops Mgr use.

When you look at the override properties for a monitor you can see a column named “Enforced”. If I check enforced on my first override (low priority) and then generate an alert I get alert with low priority, in other words if you use the enforced function you can force a override to be applyid.

But what if both overrides has the enforced function enable? When you have enforced a override and you open the overrides summary window you can see two different “Changed value”, in my scenario I can see “Low” and “High”. If I now want to enforce the override with high alert priority, I select it and click Edit, but in the Override Properties window, I see that “Effective Value” is set as a enforced value and in the “Effective Value” column I now see Low.  

Summary. The newest override is the override that Ops Mgr will use. If you enforce a override it will overrite all other overrides and be the one that Ops Mgr use. You cant enforce two overrides for the same target and monitor.

 

 

After a couple of hours in the sandbox with the new cross platform extension beta I must say it is very cool and I think this will end a lot of discussions. There is never a question which product to choose to monitor Microsoft technologies, but I often discuss Linux and non-Microsoft monitoring with customers that are about to but a new monitoring solution. Here are a couple of screenshots from today

• This is the health explorer for a SUSE Linux Enterprise 10 SP1 machine
• This is from the monitoring workspace, my SUSE machine is healthy and green
• This one is showing a alert, something is wrong with the syslog daemon
• This is the health explorer with the syslog error, note the “syslog restart” task
• This one is showing the “syslog restart” task

In the screenshots you can see how I first receive an alert regarding the syslog daemon on my SUSE machine (SLES-10-SP1-i386-DVD1.iso). I then simple restart the daemon from health explorer, really nice!

When working with the cross platform extension there are a couple of commands that are useful commands

• service, stop, start and restart services, for example “service ssl stop” to stop the ssl service. This will generate an alert with default SUSE management pack.
• cat /etc/SuSE-release , show which version of SUSE you are running.
• shutdown -r now , to restart the machine direct (now)
• To troubbleshoot WSMan you can raise the loglevel, edit this file /etc/opt/microsoft/scx/conf/openwsman.conf and change loglevel (4) to 6. You will then see all Ops Mgr connections in /var/opt/microsoft/scx/log/wsman.log . Be aware that this file can grow very rapid. There are also a couple of other related logfiles in /var/opt/microsoft/scx/log

 

Today Microsoft announced a new beta product, the System Center Operations Manager 2007 Cross Platform Extensions, which enable you to manage Unix/Linux systems from Operations Manager 2007. This extension is in beta and you can download it at MSFT Connect website.

Check the MSFT cross platform team blog here.