SCOM Authoring – Simple Monitoring for IT Admins–Part II

In Part I we have created our Class and Discovery templates. Now let’s add a service monitor and and event log rule. These have proved to be very common ones.

Let’s start with the service monitor. First, a folder in your template project:

image

Call it Monitors. There you will store all your monitors.

Now, let’s add the Snippet template:

image

Now, past this code in there:

<ManagementPackFragment SchemaVersion=”2.0″>
  <Monitoring>
  <Monitors>
    <UnitMonitor ID=”FehseMon.#text(‘AppNameID’)#.Service.#text(‘ServiceNameID’)#” Accessibility=”Internal” Enabled=”true” Target=”FehseClass.#text(‘AppNameID’)#.Application” ParentMonitorID=”Health!System.Health.AvailabilityState” Remotable=”true” Priority=”Normal” TypeID=”Windows!Microsoft.Windows.CheckNTServiceStateMonitorType” ConfirmDelivery=”true”>
      <Category>Custom</Category>
      <AlertSettings AlertMessage=”FehseMon.#text(‘AppNameID’)#.Service.#text(‘ServiceNameID’)#_AlertMessageResourceID”>
        <AlertOnState>Error</AlertOnState>
        <AutoResolve>true</AutoResolve>
        <AlertPriority>Normal</AlertPriority>
        <AlertSeverity>Error</AlertSeverity>
      </AlertSettings>
      <OperationalStates>
        <OperationalState ID=”Good” MonitorTypeStateID=”Running” HealthState=”Success” />
        <OperationalState ID=”Bad” MonitorTypeStateID=”NotRunning” HealthState=”Error” />
      </OperationalStates>
      <Configuration>
        <ComputerName>$Target/Host/Property[Type=”Windows!Microsoft.Windows.Computer”]/NetworkName$</ComputerName>
        <ServiceName>#text(‘ServiceName’)#</ServiceName>
        <CheckStartupType>true</CheckStartupType>
      </Configuration>
    </UnitMonitor>
  </Monitors>
  </Monitoring>
  <Presentation>
    <StringResources>
      <StringResource ID=”FehseMon.#text(‘AppNameID’)#.Service.#text(‘ServiceNameID’)#_AlertMessageResourceID” />
    </StringResources>
  </Presentation>
  <LanguagePacks>
    <LanguagePack ID=”ENU” IsDefault=”true”>
      <DisplayStrings>
        <DisplayString ElementID=”FehseMon.#text(‘AppNameID’)#.Service.#text(‘ServiceNameID’)#”>
          <Name>FehseMon My First App Service #text(‘ServiceNameID’)#</Name>
          <Description />
        </DisplayString>
        <DisplayString ElementID=”FehseMon.#text(‘AppNameID’)#.Service.#text(‘ServiceNameID’)#” SubElementID=”Bad”>
          <Name>Service is not running</Name>
        </DisplayString>
        <DisplayString ElementID=”FehseMon.#text(‘AppNameID’)#.Service.#text(‘ServiceNameID’)#” SubElementID=”Good”>
          <Name>Service is running</Name>
        </DisplayString>
        <DisplayString ElementID=”FehseMon.#text(‘AppNameID’)#.Service.#text(‘ServiceNameID’)#_AlertMessageResourceID”>
          <Name>FehseMon #text(‘ServiceName’)# is down Alert</Name>
          <Description>Service #text(‘ServiceName’)# is down.</Description>
        </DisplayString>
      </DisplayStrings>
    </LanguagePack>
  </LanguagePacks>
 
</ManagementPackFragment>

A few comments about it. This code is strictly related to the previous ones, since it assumes the same application naming structure. The most important part is the target:

image

It will target all objects discovered in the previous class and discovery definitions.

Also, note that I opted by asking am SVCName and an SVCNameID, just to be able to use a stripped version of the Service Name in the monitor ID (no special characters allowed).

image

Let’s create a Snippet Data for this and try it out:

image

image (don’t mind the group Snippets yet. We will talk about this later).

I’m going to use the spooler service:

image

After importing the MP, you will notice that now the objects show as monitored:

image

And if you look at the Health Explorer (don’t forget to unfilter the monitors), you will see:

image

Cool, eh? What is even better is that if you need to monitor 20 services, you can just import a CSV into Visual Studio and the time to do it is basically the same. Much less clicking!

Now, let’s add an event log rule.

Process is the same:

Grab the code (see previous posts on how to do that part. I often look at previous stuff or user the authoring console for some specific parts).

Create the snippet

Add to your project

Build

Import.

 

Let’s see the code:

<ManagementPackFragment SchemaVersion=”2.0″>
  <Monitoring>
    <Rules>
      <Rule ID=”FehseRule.#text(‘AppNameID’)#.EventLog.#text(‘EventDescription’)#” Enabled=”true” Target=”FehseClass.#text(‘AppNameID’)#.Application” ConfirmDelivery=”true” Remotable=”true” Priority=”Normal” DiscardLevel=”100″>
        <Category>Alert</Category>
        <DataSources>
          <DataSource ID=”DS” TypeID=”Windows!Microsoft.Windows.EventProvider”>
            <ComputerName>$Target/Host/Property[Type=”Windows!Microsoft.Windows.Computer”]/NetworkName$</ComputerName>
            <LogName>#text(‘LogName’)#</LogName>
            <Expression>
              <And>
                <Expression>
                  <SimpleExpression>
                    <ValueExpression>
                      <XPathQuery Type=”UnsignedInteger”>EventDisplayNumber</XPathQuery>
                    </ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression>
                      <Value Type=”UnsignedInteger”>#text(‘Event Number’)#</Value>
                    </ValueExpression>
                  </SimpleExpression>
                </Expression>
                <Expression>
                  <SimpleExpression>
                    <ValueExpression>
                      <XPathQuery Type=”Integer”>EventLevel</XPathQuery>
                    </ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression>
                      <Value Type=”Integer”>#text(‘EventLevel’)#</Value>
                    </ValueExpression>
                  </SimpleExpression>
                </Expression>
                <Expression>
                  <SimpleExpression>
                    <ValueExpression>
                      <XPathQuery Type=”String”>PublisherName</XPathQuery>
                    </ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression>
                      <Value Type=”String”>#text(‘Source’)#</Value>
                    </ValueExpression>
                  </SimpleExpression>
                </Expression>
              </And>
            </Expression>
          </DataSource>
        </DataSources>
        <WriteActions>
          <WriteAction ID=”Alert” TypeID=”Health!System.Health.GenerateAlert”>
            <Priority>1</Priority>
            <Severity>2</Severity>
            <AlertName />
            <AlertDescription />
            <AlertOwner />
            <AlertMessageId>$MPElement[Name=”FehseRule.#text(‘AppNameID’)#.EventLog.#text(‘EventDescription’)#.AlertMessage”]$</AlertMessageId>
            <AlertParameters>
              <AlertParameter1>$Data/EventDescription$</AlertParameter1>
            </AlertParameters>
            <Suppression />
            <Custom1 />
            <Custom2 />
            <Custom3 />
            <Custom4 />
            <Custom5 />
            <Custom6 />
            <Custom7 />
            <Custom8 />
            <Custom9 />
            <Custom10 />
          </WriteAction>
        </WriteActions>
      </Rule>
    </Rules>
  </Monitoring>
  <Presentation>
    <StringResources>
      <StringResource ID=”FehseRule.#text(‘AppNameID’)#.EventLog.#text(‘EventDescription’)#.AlertMessage” />
    </StringResources>
  </Presentation>
  <LanguagePacks>
   
    <LanguagePack ID=”ENU” IsDefault=”true”>
      <DisplayStrings>
      <DisplayString ElementID=”FehseRule.#text(‘AppNameID’)#.EventLog.#text(‘EventDescription’)#”>
        <Name>FehseRule #text(‘AppNameID’)# EventLog #text(‘EventDescription’)#</Name>
      </DisplayString>
      <DisplayString ElementID=”FehseRule.#text(‘AppNameID’)#.EventLog.#text(‘EventDescription’)#.AlertMessage”>
        <Name>FehseRule #text(‘App Display Name’)# EventLog #text(‘EventDescription’)# Alert</Name>
        <Description>{0}</Description>
      </DisplayString>
    </DisplayStrings>
    </LanguagePack>
  </LanguagePacks>
</ManagementPackFragment>

In this one, I picked Event ID, Source and Level (0=Information, 1=Error, 2=Warning, don’t ask me why…).

After you create the template (see above), Add a rule.

image

Once you build, there is your new and shiny Custom MP in place!

 

Hope this helps!