Using SCOM as a basic configuration audit system – Part 6 monitoring


 

Previous posts on the subject:


Eventually we get to the end of the story, now we miss the most important, but easiest of all components: the compliance checking monitor. As a design choice I targeted the unit monitor to the generic windows operating system class, I set it to disable and used a bunch of overrides to set the correct properties for the different baselines. This way I just have one single monitor that applies to all windows operating system and it is implemented via overrides for the supported baselines. If you need to add a baseline just add a new override for such an operating system (obviously as far as the generic checks we implemented are valid for that operating system, you should recall that we decided to use vbscript to remain as generic as possible).

The monitor itself is just an instantiation of our unit monitor type where we set the alerting part using our handy “Message” property . The script will set the message property to a list of missing fixes or operating system version mismatch or wsh version mismatch. I know this breaks localization in terms of alert description but as long as the alert parameters substitution is implemented the way it is, I can’t see a better way to do this.

        <AlertSettings AlertMessage="QND.Compliance.OS.AlertID">

          <AlertOnState>Warning</AlertOnState>

          <AutoResolve>true</AutoResolve>

          <AlertPriority>Normal</AlertPriority>

          <AlertSeverity>Warning</AlertSeverity>

          <AlertParameters>

            <AlertParameter1>$Data/Context/Property[@Name='Message']$</AlertParameter1>

          </AlertParameters>

        </AlertSettings>

 

Obviously the monitor will contribute to the configuration health model and it will set the health to warning at worst (after all such a configuration mismatch can hardly be considered a service failure). In any case you’re free to adjust the monitor health state to error if you prefer so.

        <OperationalStates>

          <OperationalState ID="Compliant" MonitorTypeStateID="Compliant" HealthState="Success" />

          <OperationalState ID="NonCompliant" MonitorTypeStateID="NonCompliant" HealthState="Warning" />

        </OperationalStates>

 

In the end the while UnitMonitor will look like the following (remember it must be pasted to the monitoring section under Monitors:

 

      <UnitMonitor ID="QND.Compliance.WindowsOS" Accessibility="Public" Enabled="false" ConfirmDelivery="true" Priority="Normal" Remotable="false" 

                   ParentMonitorID="Health!System.Health.ConfigurationState" Target="Windows!Microsoft.Windows.OperatingSystem" TypeID="QND.OSCompliance.MT">

        <Category>ConfigurationHealth</Category>

        <AlertSettings AlertMessage="QND.Compliance.OS.AlertID">

          <AlertOnState>Warning</AlertOnState>

          <AutoResolve>true</AutoResolve>

          <AlertPriority>Normal</AlertPriority>

          <AlertSeverity>Warning</AlertSeverity>

          <AlertParameters>

            <AlertParameter1>$Data/Context/Property[@Name='Message']$</AlertParameter1>

          </AlertParameters>

        </AlertSettings>

        <OperationalStates>

          <OperationalState ID="Compliant" MonitorTypeStateID="Compliant" HealthState="Success" />

          <OperationalState ID="NonCompliant" MonitorTypeStateID="NonCompliant" HealthState="Warning" />

        </OperationalStates>

        <Configuration>

          <OSVersion></OSVersion>

          <QFEList>Ignore</QFEList>

          <WSHVersion>5.7</WSHVersion>

          <ScriptTimeout>300</ScriptTimeout>

          <IntervalSeconds>14400</IntervalSeconds>

          <SyncTime />

        </Configuration>

      </UnitMonitor>

 

By default the monitor will run every 4 hours and will just check for wsh version.

 

To complete the monitor we need the alert string resource and the corresponding display strings. Under the monitoring section of the management pack just add the definition for the resource string

  <Presentation>

    <StringResources>

      <StringResource ID="QND.Compliance.OS.AlertID"/>

    </StringResources>

  </Presentation>

Then in the language pack section add the corresponding string

        <DisplayString ElementID="QND.Compliance.OS.AlertID">

          <Name>Windows OS not compliant with minimum version and QFEs</Name>

          <Description>The Windows OS isn’t compliant with the minimum baseline required for monitoring.

          {0}

          Check the alert context for more information.</Description>

        </DisplayString>

Finally don’t forget the display string for the monitor itself

        <DisplayString ElementID="QND.Compliance.WindowsOS">

          <Name>Prerequiste compliance for monitoring</Name>

        </DisplayString>

And we better add some knowledge base as well, we must add the knowledge base in the KnowledgeArticles section in our language pack:

 

<KnowledgeArticle ElementID="QND.Compliance.WindowsOS" Visible="true">

          <MamlContent>

            <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">

              <maml:title>Summary</maml:title>

              <maml:para>The monitor check for Operating System compliance in terms of:</maml:para>

              <maml:list>

                <maml:listItem>

                  <maml:para>Operating System version</maml:para>

                </maml:listItem>

                <maml:listItem>

                  <maml:para>Windows Scripting Host Version</maml:para>

                </maml:listItem>

                <maml:listItem>

                  <maml:para>QFEs installed</maml:para>

                </maml:listItem>

              </maml:list>

              <maml:para>Missing requirements can impair the monitor capabilities and/or effects agent and operating system performance </maml:para>

            </maml:section>

            <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">

              <maml:title>Configuration</maml:title>

              <maml:para>Proper overrides have been defined for each operating system version, the list of requirements can be adjusted using custom overrides</maml:para>

            </maml:section>

            <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">

              <maml:title>Causes</maml:title>

              <maml:para>Fix are not installed or operating system has not been updated to the proper service pack level</maml:para>

            </maml:section>

            <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">

              <maml:title>Resolutions</maml:title>

              <maml:para>Install the missing prerequisites</maml:para>

            </maml:section>

            <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">

              <maml:title>External</maml:title>

              <maml:para>

                For an up to date list of requirements check: <maml:navigationLink>

                  <maml:linkText>Things to make and do for agent health</maml:linkText>

                  <maml:uri href="https://nocentdocent.wordpress.com/2009/10/15/strongly-recommended-non-opsmgr-patches/" />

                </maml:navigationLink>

              </maml:para>

            </maml:section>

          </MamlContent>

        </KnowledgeArticle>

 

Now that the monitor is set up let’s build the overrides for the specific baselines, the overrides need first to enable the monitor

      <MonitorPropertyOverride ID="QND.Compliance.Win2008.Enable.OR" Context="Win2008!Microsoft.Windows.Server.2008.OperatingSystem" Enforced="false" 

                               Monitor="QND.Compliance.WindowsOS" Property="Enabled">

        <Value>true</Value>

      </MonitorPropertyOverride>

 

and the to set the proper monitor parameters, typically the minimum OS version required

      <MonitorConfigurationOverride ID="QND.Compliance.Win2008.OSVer.OR" Context="Win2008!Microsoft.Windows.Server.2008.OperatingSystem" Enforced="false" 

                                    Monitor="QND.Compliance.WindowsOS" Parameter="OSVersion">

        <Value>6.0.6002</Value>

      </MonitorConfigurationOverride>

 

and the comma separated list of required QFEs:

      <MonitorConfigurationOverride ID="QND.Compliance.Win2008.QFE.OR" Context="Win2008!Microsoft.Windows.Server.2008.OperatingSystem" Enforced="false"

                                    Monitor="QND.Compliance.WindowsOS" Parameter="QFEList">

        <Value>KB968967,KB981936,KB2458331</Value>

      </MonitorConfigurationOverride>

 

The overrides section must be added just after the monitoring section, the complete section should look like this:

    <Overrides>

      <MonitorPropertyOverride ID="QND.Compliance.Win2008.Enable.OR" Context="Win2008!Microsoft.Windows.Server.2008.OperatingSystem" Enforced="false" 

                               Monitor="QND.Compliance.WindowsOS" Property="Enabled">

        <Value>true</Value>

      </MonitorPropertyOverride>

      <MonitorConfigurationOverride ID="QND.Compliance.Win2008.OSVer.OR" Context="Win2008!Microsoft.Windows.Server.2008.OperatingSystem" Enforced="false" 

                                    Monitor="QND.Compliance.WindowsOS" Parameter="OSVersion">

        <Value>6.0.6002</Value>

      </MonitorConfigurationOverride>

      <MonitorConfigurationOverride ID="QND.Compliance.Win2008.QFE.OR" Context="Win2008!Microsoft.Windows.Server.2008.OperatingSystem" Enforced="false"

                                    Monitor="QND.Compliance.WindowsOS" Parameter="QFEList">

        <Value>KB968967,KB981936,KB2458331</Value>

      </MonitorConfigurationOverride>

      <MonitorPropertyOverride ID="QND.Compliance.Win2008R2.Enable.OR" Context="Win2008!Microsoft.Windows.Server.2008.R2.OperatingSystem" Enforced="false" 

                               Monitor="QND.Compliance.WindowsOS" Property="Enabled">

        <Value>true</Value>

      </MonitorPropertyOverride>

      <MonitorConfigurationOverride ID="QND.Compliance.Win2008R2.OSVer.OR" Context="Win2008!Microsoft.Windows.Server.2008.R2.OperatingSystem" Enforced="false" 

                                    Monitor="QND.Compliance.WindowsOS" Parameter="OSVersion">

        <Value>6.1.7600</Value>

      </MonitorConfigurationOverride>

      <MonitorConfigurationOverride ID="QND.Compliance.Win2008R2.QFE.OR" Context="Win2008!Microsoft.Windows.Server.2008.R2.OperatingSystem" Enforced="false" 

                                    Monitor="QND.Compliance.WindowsOS" Parameter="QFEList">

        <Value>KB981314,KB981936</Value>

      </MonitorConfigurationOverride>

      <MonitorPropertyOverride ID="QND.Compliance.Win2008R2SP1.Enable.OR" Context="Microsoft.Windows.Server.2008.R2.SP1.OperatingSystem" Enforced="false"

                               Monitor="QND.Compliance.WindowsOS" Property="Enabled">

        <Value>true</Value>

      </MonitorPropertyOverride>

      <MonitorConfigurationOverride ID="QND.Compliance.Win2008R2SP1.OSVer.OR" Context="Microsoft.Windows.Server.2008.R2.SP1.OperatingSystem" Enforced="false"

                                    Monitor="QND.Compliance.WindowsOS" Parameter="OSVersion">

        <Value>6.1.7601</Value>

      </MonitorConfigurationOverride>

      <MonitorConfigurationOverride ID="QND.Compliance.Win2008R2SP1.QFE.OR" Context="Microsoft.Windows.Server.2008.R2.SP1.OperatingSystem" Enforced="false"

                                    Monitor="QND.Compliance.WindowsOS" Parameter="QFEList">

        <Value>ignore</Value>

      </MonitorConfigurationOverride>

    </Overrides>

If you want to use the 2008 R2 SP1 baseline, don’t forget to add an override to enable the discovery at the top of the overrides list:

      <DiscoveryPropertyOverride ID="QND.Compliance.Win2008R2SP1Discovery.Enable.OR" Context="Win2008!Microsoft.Windows.Server.2008.R2.OperatingSystem" Enforced="false"

                               Discovery="QND.Compliance.Win2008R2SP1.Discovery" Property="Enabled">

        <Value>true</Value>

      </DiscoveryPropertyOverride>

 

Are we all set? Not yet, we miss one last monitor, the monitor that sets the dependency of the healthservice configuration health to the compliance check we just implemented. By default we set it as disabled, but you can change it via an override or modifying the management pack code.

      <DependencyMonitor ID="QND.Compliance.OSPrereq.DM" Accessibility="Public" Enabled="false" Target="SC!Microsoft.SystemCenter.HealthService"

                         ParentMonitorID="Health!System.Health.ConfigurationState" MemberMonitor="QND.Compliance.WindowsOS"

                         RelationshipType="QND.Compliance.HealthServiceReferenceOperatingSystem" Priority="Normal" Remotable="true">

        <Category>ConfigurationHealth</Category>

        <Algorithm>WorstOf</Algorithm>

      </DependencyMonitor>

 

Ok one last display string:

        <DisplayString ElementID="QND.Compliance.OSPrereq.DM">

          <Name>OS Prerequisite compliance</Name>

        </DisplayString>

And… the knowledge article associated to the management pack:

 

        <KnowledgeArticle ElementID="QND.AgentCompliance" Visible="true">

          <MamlContent>

            <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">

              <maml:title>Summary</maml:title>

              <maml:para>This set of rules checks for Operating System and Operations Manager Agent configuration compliance</maml:para>

            </maml:section>

            <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">

              <maml:title>Configuration</maml:title>

              <maml:para>By default the non compliance status is not projected to the agent (health service) health state, to enable such a projection turn on the  QND OS Prerequisite Compliance dependency monitor</maml:para>

            </maml:section>

            <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">

              <maml:title>External</maml:title>

              <maml:para>

                <maml:navigationLink>

                  <maml:linkText>Things to make and do for agent health</maml:linkText>

                  <maml:uri href="https://nocentdocent.wordpress.com/2009/10/15/strongly-recommended-non-opsmgr-patches/" />

                </maml:navigationLink>

              </maml:para>

            </maml:section>

          </MamlContent>

        </KnowledgeArticle>

That’s it, you can find the complete unsealed management pack here:

https://skydrive.live.com/embed?cid=558EC647EEF17F8D&resid=558EC647EEF17F8D%211112&authkey=AEY4_JajC8QqAB0

 

As usual use it at your own risk.

By the way, this project focused on OpsMgr agent required hotfixes, but the same technique can be used for other baselines. For example we used it to track hyper-v hosts compliance with “the better to install” fixes for such an environment.

 

Now that we finished the monitoring and alerting part and now that alerts are starting to flow into our OpsMgr console we probably want a way to have a report with all the non-compliant systems. This is going to be a tough job and it will be the subject of the following posts. (they will take a little longer since my vacation has finished).

– Daniele

This posting is provided "AS IS" with no warranties, and confers no rights.

About these ads
  1. #1 by jewe on March 12, 2012 - 11:11 pm

    Thanks Daniele for sharing,
    It’s just the “stuff” I needed

  2. #2 by David Payne on March 7, 2012 - 4:49 am

    First… Thank you for filling a major gap with this and ACS knowledege.

    The skydrive link does not appear to valid. Is there another link to the MP for SCOM basic configuration audit?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 266 other followers

%d bloggers like this: