SCOM alert forwarding

Similar Messages

• Enabling SCOM Alert Connector in SCSM

  Hi,
  Had a query regarding the Alert Connector in SCOM that forwards alerts in SCOM to SCSM (Service Manager) to create incidents.
  Currently, we had SCOM and SCSM at the same level i.e 2012 SP1. But, in future we might have to upgrade to R2 so is there any compatibility matrix for the SCOM and SCSM versions for the Alert Connector. Like if we had SCOM on Sp1 and SCSM on R2 would it
  affect or the vice-a-versa.
  Regards,
  Daya Ram

  Hi,           
  System Center 2012 – Operations Manager is supported by Service Manager and Service Manager SP1 for connectors and agents. However, only corresponding System Center versions are supported when you register a data source in the Data Warehouse
  workspace.
  System Center 2012 – Operations Manager agents were not supported with System Center 2012 – Service Manager. However, the agent that is automatically installed by System Center 2012 – Service Manager
  SP1 is compatible with System Center 2012 – Operations Manager and System Center 2012 – Operations Manager SP1. 
  More details:
  Operations Manager Considerations in System Center 2012 - Service Manager
  http://technet.microsoft.com/en-us/library/hh524312.aspx
  Regards,
  Yan Li
  Regards, Yan Li

• Recovery from a SCOM alert - ORCH or task - best practice?

  Hi - wonder if anybody in the "real world" can give me any guidance on this?
  I look after SCOM and have traditionally been tasked with creating recovery scripts for certain custom alerts. I am also involved in the ORCH sphere but not totally responsible. We seem to be creating recovery in SCOM still but not ORCH.
  I would have thought that the idea would be best to monitor for the SCOM alert in ORCH and use the flexibility of the latter to do checks and do a fix.
  Are you limited in ORCH to how many alerts you can monitor or is there reasons to still do in SCOM? Just wondering which way we should really be heading?
  thanks

  I would suggest you keep using both. Recovery scripts in scom work just fine for basic recovery procedures that are performed locally on the monitored node. It is a simple, thus quite reliable framework for responding to incidents. However,
  if your recovery procedure is complex and involves coordination of multiple activities running on different systems, then Orchestrator will be the right tool to handle it.
  Gleb.

• Mapping information to SCOM Alert "Path" field through the connector

  Hello,
  We are using the Oracle Enterprise Manager connector (link to the guide: http://docs.oracle.com/cd/E11857_01/install.111/e14736/toc.htm) to send events from OEM to SCOM.
  According to the Oracle connector documentation, the Target host parameter from OEM can be mapped with one of the SCOM Alert custom fields paramaters.
  The issue is that we need to have this parameter mapped with the SCOM Alert Path field instead of Custom field.
  Is it possible from the SCOM side to accept custom values and assign them to Alert Path field through the connectors?
  Thank you a lot in advance!

  Hi 
  Alert path is read only property for alert, you can not change this parameter. you can use custom field(1 to 9) or Ticket Id for alert.
  Regards
  sridhar v

• SCOM Alerts Connector run as failed

  Hi
  I have setup the SCOM alerts connector in SCSM but after that i starts to get wernings in scom on servers there are in a difrent domain. 
  werning: 
  Description:
  The Health Service cannot verify the future validity of the RunAs account Domain1\SCOMAlertsConnectorUser for management group SCOMMG01. The error is Logon failure: the user has not been granted the requested
  logon type at this computer.(1385L). 
  SCSM and scom is in domain1
  the servers i got the werning on is in Domain2
  what can i do to fix this?

  The connectors runas account must be administrator in SCOM (as I recall). Is that the case for Domain2?
  Cheers,
  Anders Spælling
  Senior Consultant
  Blog:  
  Twitter:   LinkedIn:
  Please remember to 'Propose as answer' if you find a reply helpful

• SCOM Alert Connector - not updating the start time and finish time

  When I am monitoring the status of connectors in service manager console, I found that for SCOM Alert Connector the Start Time and Finish Time are not updating. Previously it was updated daily. As of now, service manager is working fine but would like
  to check will it create any issues? Even I have cliked on Synchronize Now, but there is no update. Please guide me on this to trouble shoot further? Thanks.

  Hi,
  Based on my research, the Start Time and Finish Time values are not updated when an alert connector is synchronized. These values are only updated when alert data is transferred between Operations Manager 2007 and Service
  Manager.
  More details, please refer to the link below:
  http://technet.microsoft.com/en-us/library/hh495609.aspx
  In addition, here is a blog about troubleshooting for SCSM and SCOM alert connector:
  http://blogs.technet.com/b/servicemanager/archive/2010/04/14/troubleshooting-tips-for-your-scsm-scom-alert-connector.aspx
  Regards,
  Yan Li
  Regards, Yan Li

• SCSM to SCOM Alert Connector Error

  Hello,
  Long story short, the SCSM admin created an Alert Connector between SCSM and SCOM, then uninstalled SCSM and started over.  That means I had an orphaned SCSM connector in SCOM.
  In order to set up a new connection, I followed the instructions found in Kevin Holman's blog post:
  http://blogs.technet.com/b/kevinholman/archive/2012/09/28/opsmgr-2012-how-to-delete-an-old-product-connector.aspx
  Now, when I try to re-create a new Alert Connector, I get this error:
  "Found at least one other alert connector in Operations Manager.  Alerts may not be routed as expected if multiple connectors subscribe to the same alert."
  I checked the SCOM server to make sure there were no orphaned connectors by running this SQL code against the OperationsManager database:
  Aside from the copious number of SCVMM connectors, there were six connectors.  Of those six, the previous SCSM connector is marked as "IsDeleted":
  Next, I checked the "Microsoft.SystemCenter.Notifications.Internal" management pack to verify that there are no orphaned subscriptions.  The ONLY alert referenced is for the "Advisor Data Connector".
  At this point, my questions are as follows:
  1) Will the System Center Advisor (now renamed Azure Operational Insights) connector cause the warning message I listed above when setting up an Alert Connector in SCSM?
  2) Is there another orphaned entry in SCOM that I need to check for and remove before setting up the SCSM alert connector? 

  Hi,
  I would like to suggest you remove the subscription that was orphaned. When remove a connector we should remove the subscriptions first.
  And here is a similar thread
  SCSM 2012 Cannot create SCOM Alert Connector        
  https://social.technet.microsoft.com/Forums/en-US/a5d0b921-bb0a-43b8-99ca-8b0112ab3bf0/scsm-2012-cannot-create-scom-alert-connector?forum=connectors                         
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help.

• Multiple SCOM Alerts for the same unique Windows Event

  Multiple SCOM Alerts are being raised for a single Windows event.
  For e.g., below is the event :
  Date and Time: Description:
  12/15/2014 5:15:36 PM Initiating move for database 'xxxdb02' (FromServer=xxxdagnode1.dt.inc, ToServer=, MoveComment=<Null>)
  Log Name:
  Microsoft-Exchange-HighAvailability/Operational
  Source:
  Microsoft-Exchange-HighAvailability
  Event Number:
  306
  Level:
  4
  Logging Computer:
  xxxdagnode1.dt.inc
  User:
  NT AUTHORITY\SYSTEM
  Event Data:
  < DataItem type =" System.XmlData " time =" 2014-12-15T17:15:37.9848250-05:00 " sourceHealthServiceId =" 261D34BA-3596-ABCF-3728-B5A0AC035D90 " >
  < UserData >
  < EventXML >
    < UniqueId > 2014.12.15.05.15.35.285#9#xxxdagnode2#4d0ce477-5f5c-4304-8c59-292a4a8ca809 </ UniqueId >
    < DatabaseName > xxxdb02 </ DatabaseName >
    < DatabaseGuid > 4d0ce477-5f5c-4304-8b59-292a4a8ca809 </ DatabaseGuid >
    < ActiveServer > XXXDAGNODE1.dt.inc </ ActiveServer >
    < ActionCategory > Move </ ActionCategory >
    < ActionInitiator > Automatic </ ActionInitiator >
    < ActionReason > StoreStopped </ ActionReason >
    < AmRole > PAM </ AmRole >
    < PAMServer > xxxdagnode2.dt.inc </ PAMServer >
    < MountFlags > None </ MountFlags >
    < DismountFlags > SkipCacheFlush </ DismountFlags >
    < MountdialOverride > None </ MountdialOverride >
    < FromServer > xxxdagnode1.dt.inc </ FromServer >
    < TargetServer />
    < TryOtherHealthyServers > True </ TryOtherHealthyServers >
    < SkipValidationChecks > None </ SkipValidationChecks >
    < MoveComment > <Null> </ MoveComment >
    </ EventXML >
    </ UserData >
    </ DataItem >
  But three alerts were raised for this event.
  I double checked with the Unique ID for the Windows Event.
  Also the Duplicate alerts show the Same event in the 'Alert Context' field.
  My environment:
  3 SCOM 2012 R2 UR3 Management Servers.
  1 SQL DB Server
  Service Manager Connector is configured for Alert Sync. However this issue also affect the alerts that are not synced.
  Anybody else faced this issue?

  Hi,
  It seems like that you are using rule to monitor this event, unlike monitors, rules can continue to send alerts as long as the condition that caused the alert persists or repeats. Depending on what the rule is checking for, a single issue could possibly
  generate a huge number of alerts. To prevent the noise of too many alerts, alert suppression can be enabled for a rule.
  More details, please check article below:
  http://technet.microsoft.com/en-us/library/hh212847.aspx
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help.

• XCmd Service - SCOM alert - Unpredictable state

  Hey folks,
  I keep get a SCOM alert for an unpredictable state for the xcmd service.
  It says:
  The xCmd Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
  This is only happening on our Server 2008 and 2008 R2 machines.
  Been googling around and cant find a fix. Anyone have an idea?

  Have you checked the product knowledge of the alert? It gives you the answer you are looking for:
  Summary
  This rule generates an alert when the Service Control Manager detects that a service has started with an invalid configuration. It is important to note that even though the Service Control Manager detected an invalid configuration, the service still started
  successfully.
  The service may not be running as expected and may behave in an unpredictable manner. Additionally, the service may not be able to be restarted until the issue is resolved.
  Sample Event:
  This rule generates an alert whenever any of the following events occur and are recorded in the System Event Log:
  The %1 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
  The Service Control Manager encountered an error that has undone a configuration change to the %1 service. The service's %2 is currently in an unpredictable state. If you do not correct this configuration, you may not be able to restart the %1 service or
  you may encounter other errors. To ensure that the service is configured properly, use the Services snap-in in MMC.
  •
  Source: Service Control Manager; Event ID: 7030The %1 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
  •
  Source: Service Control Manager; Event ID: 7037The Service Control Manager encountered an error that has undone a configuration change to the %1 service. The service's %2 is currently in an unpredictable state. If you do not correct this configuration, you
  may not be able to restart the %1 service or you may encounter other errors. To ensure that the service is configured properly, use the Services snap-in in MMC.
  Causes
  This alert is generated whenever any of the following conditions occur:
  •
  The service is configured to run interactively but system policy is configured to prevent services from running in this mode.
  •
  An error occurred while attempting to configure the service.
  Resolutions
  There are two possible resolutions for this alert. Refer to the event that generated the alert and select the appropriate set of resolution steps.
  Event ID: 7030
  To resolve this alert, consult with a subject matter expert or the vendor to determine if the service must run interactively on the desktop. If not, follow these steps:
  •
  Open the Services MMC snap-in.
  •
  Double-click the appropriate Service and open that service’s property sheet.
  •
  Click the Log On tab.
  •
  Clear the Allow service to interact with desktop check box.
  If the service must run interactively, you will need to change the “Allow service to interact with desktop” system policy. To do this, perform the following steps:
  HKLM\System\CCC\Control\Windows
  0 - Enabled
  1 - Disabled
  •
  Open the Registry Editor.
  •
  Navigate to the registry value “NoInteractiveServices” at:HKLM\System\CCC\Control\Windows
  •
  Set the value from “0” to “1” 0 - Enabled1 - Disabled
  •
  Open the Services MMC snap-in.
  •
  Select the appropriate Service and restart it.
  Event ID: 7037
  Resolve this alert by doing the following:
  •
  Open the Services MMC snap-in.
  •
  Double-click the appropriate service and open that service’s property sheet.
  •
  Click each of the tabs and verify that the configuration information is appropriate. Update any configuration fields that have incorrect or corrupted data in them.
  •
  Restart the service and check the event log to determine whether another instance of event 7037 has occurred. If not, the issue has been resolved.
  •
  If a new instance of event 7037 occurs, use Sc.exe to examine the service’s advanced configuration settings and then update them as appropriate. Use the
  qc and config commands within Sc.exe to view and configure the service.
  Regards,
  Marc Klaver
  http://jama00.wordpress.com/

• SCOM alerts on disk space C drive only

  Hi,
  My goal is to write a runbook to monitor the SCOM alert on low disk space and then trigger a command to remove a pre-defined list of folders/files on C drive when the free space is below 10%
  On Monitor Alert activity, I have already applied 2 filters
  1. Name Contains Percentage Logic Disk Free Space is low
  2.  Severity Equals Warning (as it has been configured as 10% free space)
  How do I define the filters to trigger this runbook when these new alerts that only happens on C drive
  Thanks,
  Jimmy

  I have tried a filter with  MonitoringObjectDisplayName = C: and  MonitoringObjectDisplayName contains C:, that did not trigger the next activity although I can see that it passed the value of C: to both parameters.
  I am going to try the filter with "Description contains C:" as I did not see the option - "Start with"

• Dump SCOM Alerts to Text File

  Hi Guys, 
  Is there a way to dump scom alerts to a text file? 
  For example, I have created a monitor to detect a particular eventid. I want to dump this information (date/time, hostname, event description etc.) to a text file instead of the usual email or sms alert. 

  For Export SCOM Alerts to txt files, you can refer below links
  https://marckean.wordpress.com/2012/10/17/export-scom-2010-alerts-to-txtcsv-file-using-powershell/
  http://scug.be/dieter/2011/05/11/scom-dump-alerts-to-text-file-and-mail/
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"Mai Ali | My blog:
  Technical | Twitter:
  Mai Ali

• Alert forwarding in DCNM 7.0.2

  I have an issue with DCNM 7.0.2 new install. When configuring event forwarding via email only events that are generated with the severity 'Warning' are forwarded on. Everything else appears to be ignored.
  Has ansone come across this issues.
  All mail settings are correct and test work fine, Have generated 100 warnings by shutting down all VPC ports and I get all those alerts. However if I shout down the VPC peer link I dont get the errors or criticals. Even if I set the alert forward to critical and above.

  Hi Mike !
  Can you help me ? I need your help 
  I can't find the way to send an email alert . All mail setting are correct , but when i click "Apply and test" , nothing happen ? i can send a report , but email alert is not
  Can you send alert with these event ?
  -Interface goes down 
  -CPU higher than threshold
  Please help me , my email is : [email protected] 
  Thank you so much 

• Help to create a SCOM Alert for same event ID on many Windows 2008 servers

  Hi all,
  I 'm a newbie in SCOM and I need to create a alert with information type on 1 event ID on 2 servers. The Event ID is the same on both servers and I don't know which type of monitor I need to create. Can you help me please ?
  Thanks a lot.

  Hi,
  First, should the server appear unhealthy if this event appears? If so, it should be a monitor. If not, it should be a rule (that will only give an alert).
  Go to Authoring and Rules/Monitors. Set the scope to Windows Server. Create the Rule/Monitor and remove the "Enabled by default". In the event expression, use the parameters - these should be pretty straight forward.
  Afterwards, override the rule/monitor for the two servers on which you wish to monitor this event.
  This is pretty rough description, let me know if you need it more detailed.

• Alert forwarding triggers mail notification

  Hi.
  I have configured a new product connector to forward alerts from SCOM to JIRA. The connector works fine, but every time I forward an alert to connector using "Forward to" command from alert context menu, it triggers mail notification subscription
  when connector processes alert. The connector code does not modify alert in any explicit way: just retrieves alerts using GetMonitoringAlerts method of connector and then acknowledges recieved alerts with AcknowledgeMonitoringAlerts call (see code snippet
  below). At the same time I can see "Alert modified by user" comment added to alert's history at forwarding time. Mail notification subscription is configured to pick up all critical alerts with "New" resolution state.
  Is this an expected behaviour? I don't really want to spam operators with unnecessary mail every time an alert gets forwarded to an external system. Any ideas what can cause the issue and how to avoid it?
  Thanks!
  while( $true )
  $alerts = $conn.GetMonitoringAlerts()
  if ($alerts.Count -gt 0)
  $conn.AcknowledgeMonitoringAlerts($( Get-Date ))
  foreach( $alert in $alerts )
  .... send alert info to JIRA ...
  Start-Sleep 60
  Gleb.

  The way I see it the call acknowledgeMonitoringAlerts change something in the alert without changing the resolution state.  Scom process every even on every change so it get re-submit to all the subscription rule.  Since the resolution state
  is still "new", it send a new email.
  You got 2 choice :
  1- you do not update the alert when you transfert it
  or
  2- In you script you update the resolution state of the alert to something else (not "new").
  Ty

• Sending an User an email using SCORCH based on a SCOM alert that his/her account was locked out.

  Hi,
  I am interested in finding a solution for the following topic.
  We would like to send an email to an End-User who's Windows Account has been locked-out. Besides the fact there are measures in place to deal with the situation in general (Monitoring by SCOM 2012 R2, looking for eventid:4740) we would like to notify the
  End-User about this event too.
  So, we have SCOM 2012 R2 in place to collect all the necessary information at a central location, if you will. The tricky part is to take the information and create an email containing the email address of the User who's account was locked-out. That information
  resides within the Description of the Event.
  Having asked around basically everyone is pointing to Orchestrator to do the job. Being new to that topic I wonder if someone else has that type of requirement and maybe already found a solution.
  So key is, SCOM collects the information from all DCs, has a rule to identify EventID4740, than Orchestrator comes into play to take that Alert and send out an email to the user, who's name is part of the Event Description.
  Any ideas are greatly appreciated.

  Hello,
  first you need to setup System Center Orchestrator:
  http://technet.microsoft.com/en-us/library/hh420387.aspx . The current version is System Center 2012 R2 Orchestrator.
  You also need to register, deploy and configure the System Center Integration Pack for System Center 2012 Operations Manager (download of the current version:
  http://www.microsoft.com/en-us/download/details.aspx?id=39622&WT.mc). You need to install The OpsMgr Operantion Console on the Orchestrator Runbook Server that it works, or
  http://blog.coretech.dk/jgs/sco-2012-use-operations-manager-integration-pack-without-installing-opsmgr-console-on-runbook-servers/.
  In the event description of 4740 there's the account name not the email address. If the email addresses for the users are maintained in Active Directory register and deploy the Active Directory Integration Pack for System Center 2012 - Orchestrator (also
  located in the download above).
  With that all you can build a Runbook like that:
  Or do you have or want to write a PowerShell-Workflow for that you can use this with Service Management Automation (SMA), contained in the setup of System Center 2012 R2 Orchestrator.
  Regards,
  Stefan
  www.sc-orchestrator.eu ,
  Blog sc-orchestrator.eu