Introduction:
If MOM global settings have been modified, you may want to update MOM agent settings for all computers.
Procedures:
1. Move server from Unmanaged Computers to Agent-managed Computers
Open the MOM Administrator Console, go to Unmanaged Computers, and delete all entries for servers that you would like MOM to monitor. Currently I am leaving all the UPS, AGEE, and Windows NT servers in the Unmanaged Computers folder.
2. Approve manually installed agent in Pending Actions
Refresh Pending Actions, and approve entries with “Approve manual agent installation”. If you are not able to finish this process for some servers, please check that the MOM account momacc has access to the servers.
3. Change Control Level from None to Full
After approval, the servers will be in the Agent-managed Computers folder, but with Control Level None. We need to change the control level to FULL before we are able to update the agent settings from the Administrator Console.
    delete from configuration where
    idcomputer=(select idcomputer from computer where name = 'servername')
    and DataCategory='Management' and DataName= 'ManageType'
    and DataValue='Group'
This script has been turned into a stored procedure in OnePoint, called Z_ControlLevelNoneToFull (as below). Pass a comma-delimited string as input to change the control level. Example: exec Z_ControlLevelNoneToFull 'srv1,srv2'.
Code:
    ALTER PROCEDURE [dbo].[Z_ControlLevelNoneToFull]
    ( @ServerList varchar(500)) AS
    BEGIN
        declare @spot smallint, @str varchar(30)
        -- Walk the comma-delimited list one server name at a time
        while @ServerList <> ''
        begin
            set @spot = charindex(',', @ServerList)
            if @spot>0
            begin
                -- Take the name before the first comma, keep the rest for the next pass
                set @str=rtrim(ltrim(left(@ServerList, @spot-1)))
                set @ServerList = right(@ServerList, LEN(@ServerList)-@spot)
            end
            else
            begin
                -- Last (or only) name in the list
                set @str = rtrim(ltrim(@ServerList))
                set @ServerList = ''
            end
            Print @str
            -- Same delete as the single-server script above, run for the current name
            delete from configuration where idcomputer=
                (select idcomputer from computer where name = @str)
                and DataCategory='Management' and DataName= 'ManageType'
                and DataValue='Group'
        end
    END
Some servers have two entries in MOM, which may have been caused by installing the MOM agent before joining the domain. I use the following script to remove the old entry, then we can use the above stored procedure to change the control level for this server.
    select name, idcomputer, * from computer where name = 'SRV'
    delete from computer where name = 'SRV' and domain != 'DomainName'
4. Update MOM Agent Settings
In Administrator Console, Agent-managed Computers, select all computers with control level FULL, right click and click “Update Agent Settings”.
Step 1: Create AGEE Auditing Policy to send Syslog to MOM
1. Go to the AGEE configuration tool, root – System – Auditing – Policies – Policies, and add a new policy.
• In Server IP Address entry, type MOM Management Server IP
• In Port entry, type 514
• In Log Levels, select Emergency, Alert, Critical, Error, Warning, Notice
• Use Log Facility LOCAL1
2. Right click the new policy, select “Global Bindings…”, and tick the checkbox before the new policy. This makes AGEE send all alerts to MOM.
Step 2: Create a Syslog Port Provider
1. In the left pane of the MOM Administrator console, right-click Providers.
2. On the context menu, click New Provider, specify Application Log as the data provider type, and then click Next.
3. For the provider name, enter Syslog.
4. For the provider log type, select Syslog port, and then click Finish.
Step 3: Create a collection event rule to collect syslog
1. First create a rule group named AGEE rules and associate this rule group with a computer group “Microsoft Operations Manager 2005 Servers”.
2. In the left pane of the MOM Administrator console, expand the rule group, right click Event Rules, and then click New Event Rule.
3. Select Collect Specific Events (Collection), and then click Next.
4. In the list, select Syslog and then click Next.
5. Enter Collect Syslogs for the name of the rule, ensure that the Enabled check box is selected, and then click Finish.
Step 4: Create an alert event rule
1. In the left pane of the MOM Administrator console, expand the rule group, right click Event Rules, and then click New Event Rule.
2. Select Alert on or Respond to Event (Event), click Next.
3. In the list, select Syslog and then click Next.
4. In the Criteria page, click the Advanced button, choose Parameter 1 in the field list, choose contains substring, and enter the Syslog message level (emerg, alert, crit, error, warning, notice, info, and debug) as the value. Click Add to List. (Note: the Parameter 1 value is the syslog message priority, and the Parameter 2 value is the syslog message text.)
5. Click Close and then click Next. Check Generate Alert on the Alert page and configure the Alert properties.
6. Enter the name AGEE Syslog Emergency for the rule name. Click Finish.
7. Create additional rules for the other syslog message levels to generate alerts.
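To check the provider and rules from Steps 2 to 4 without waiting for a real AGEE event, the sketch below (an added example, not part of the original post) builds one syslog test message per level on facility LOCAL1 and sends it to UDP port 514. The host name agee-test, the tag momtest and the address 192.0.2.10 are placeholders; the level names are the ones listed in Step 4.

```python
import socket
import time

# Syslog numbering (RFC 3164): PRI = facility * 8 + severity.
FACILITY_LOCAL1 = 17  # "Log Facility LOCAL1" from Step 1
# Level names as listed in Step 4, in severity order 0..7.
SEVERITIES = ["emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"]
# Levels ticked in the AGEE auditing policy (Emergency .. Notice).
FORWARDED = SEVERITIES[:6]


def pri(severity, facility=FACILITY_LOCAL1):
    """Numeric PRI the receiver sees for a level name on the given facility."""
    return facility * 8 + SEVERITIES.index(severity)


def decode_pri(value):
    """Split a PRI number back into (facility, level name)."""
    facility, sev = divmod(value, 8)
    return facility, SEVERITIES[sev]


def build_message(severity, text, host="agee-test", now=None):
    """Build one RFC 3164-style datagram; host and tag are constructed values."""
    t = time.localtime(now)
    stamp = "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))
    return "<%d>%s %s momtest: %s" % (pri(severity), stamp, host, text)


def sample_messages():
    """One labelled test message per level, so each alert rule can be checked."""
    return {s: build_message(s, "TEST %s message for MOM rule check" % s)
            for s in SEVERITIES}


def send_all(server_ip, port=514):
    """Send every sample message over UDP to the MOM management server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in sample_messages().values():
            sock.sendto(msg.encode("ascii"), (server_ip, port))


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; use the MOM server IP instead.
    send_all("192.0.2.10")
```

Plain UDP syslog carries no sender authentication, so it is worth limiting port 514 on the MOM server to the AGEE's address.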
Ref:
HOWTO: Configure Microsoft Operation Manager 2000 or 2005 to monitor Unix devices by using Syslog http://support.microsoft.com/kb/555450
Configuring UNIX Computers to Forward Syslog Messages http://msdn.microsoft.com/en-us/library/aa505293.aspx
Situation: HPBOID.exe and HPBPRO.exe are running wild on print servers. This is caused by HP Printer Toolbox, see more details here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00601047&jumpid=reg_R1002_USEN.
Requirements: To take preventive action on this issue
Suggestions:
1. Install the HP fix. This may need a reboot of the server if HPBOID.exe and HPBPRO.exe are held by some process. And also if you have hundreds of servers to handle. Have to do this at some stage, I guess, with a detailed plan.
2. Schedule a script that loops through all of your servers and kills these two processes. Put ServerList.txt in the C:\ root or change the location in the script. Get a copy of my script at: http://www.ozctx.com/dl/scripts/VBScripts/KillProcess.txt
3. Make MOM alert you when the processes go wild.
3.1 Make an event rule to generate an event for you when the count of the process goes over your threshold.
* In Rule Groups, create your own rule group (I guess it is a good idea to put your own rules under one folder for better maintenance)
* Under your own rule group, create another rule group called “Windows Servers”, right click the new rule group, click “Associate with Computer Group …”, and choose the computer groups you need to monitor. In my case, this is “Microsoft Windows 2000 Servers” and “Microsoft Windows 2003 Servers”. After you have done this, you will see in the details pane that “Bound to Computer Groups:” is populated with your choice.
3.2 Create another Event Rule to catch the custom events
* In Event Rules, create a rule with the following details:
** Rule name: Generate Event 90001 - Count Process - HPBOID.exe
** Provider: Schedule every 1 hours (who added this ’s’)
** Response type: Launch a script, then click New, make name “_Count_HPBOID_Process”, the underscore can make your own scripts stand out.
(Thank you, Anders Bengtsson, I am copying the script from you, http://www.myitforum.com/forums/m_141782/mpage_1/key_/tm.htm#141782 )
Code:
    strComputer = "."
    ' First argument passed to LogEvent; the MOM rule in this post looks for event ID 90001
    Const EVENT_WARNING = 90001

    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objShell = CreateObject("Wscript.Shell")

    ' Count running instances of HPBOID.exe on the local computer
    Set colProcesses = objWMIService.ExecQuery _
        ("Select * from Win32_Process Where Name = 'HPBOID.exe'")
    If colProcesses.Count > 20 Then
        ' Over the threshold: write an event to the Application log
        objShell.LogEvent EVENT_WARNING, _
            "There are more than 20 instances of HPBOID.exe running."
    End If
* Then you have a scheduled script to check the process count for you every hour. If the count goes over the threshold, an event is created in Event Log - Applications.
* Under Event Rule, create another rule to monitor this event id 90001
** Rule Name: Email Alert on Event 90001 - HPBOID Process Count
** Data Provider: Application
** Criteria: with event id 90001
** Schedule: Always process data
** Alert: Generate Alert with severity “Critical Error”
** Response: Send notification to a notification group
Done, you will get an email alert as scheduled.
Today I ventured to play with the rules of MOM 2005. Thanks to the previous efforts of my fellow Noobs, I was able to start with minimum hassles.
Some findings:
1. When each rule is defined on MOM, the monitored server will record an Application event ID 21240 declaring receipt of the new rule or configuration. That is great.
2. When a new rule was added, it took quite a few minutes (or 10) for the first incident to be caught. After that, they flooded into my email box. And also it took a few minutes for the rule to stop working as well.
3. I have to tick the checkbox before “Run this response before duplicate alert suppression” for the notification to work. Tried different combinations, this is the only way. For most of my test rules, I haven’t enabled the “Alert Suppression”.
4. We can use RE (regular expression) for criteria, so we can do multiple event IDs, etc. This is handy, will try later.
5. Not sure what the event fields mean, they do not fully correspond to the fields in the Event Log. Such as Full Event Number, User Name.
Reference:
Regular Expressions in MOM 2005 http://msmvps.com/blogs/jfhann/archive/2005/08/15/62762.aspx
Regular-Expressions.info http://www.regular-expressions.info/
Hi We call us Citrix Noobs, because we are noobs. We are a group of noobs that is heckless and restless. We are not fearing of anything, and we tend to do the best in daily noobing. Join us if you are also noobs, and will keep noobing.