I don’t want to say much more about this poll at the moment because I somehow think that I influence readers with my introductory articles. I think, the questions speak for themselves. So, be a worthy 4sysops citizen and fulfill your voting obligations.

Note that you can select more than one answer. Feel free to tell us what monitoring solution you are using in a comment below.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)
• SCOM 2012 review – Part 5: Network Monitoring (0)

While monitoring systems like SCOM collects vast amounts of data, it’s not a matter of collecting the data; it’s a matter of filtering and displaying the right data to the right people at the right time.

There are three primary ways of doing this, you can have alerts that tell you that something is wrong and needs attention, reports showing historical data and dashboards that show actionable, real time data in a visual fashion that can be personalised.

Whereas earlier versions of SCOM had Views and simple dashboards, SCOM 2012 takes it to a whole new level. No longer do you need to group objects before creating a view and the new wizard for creating dashboards makes it very easy to display exactly the right information in the right way. There’s no programming necessary to create your own dashboards.

The wizard is available in both the native console and the web console and the resulting dashboards can be displayed in the Console, the Web Console and SharePoint 2010 (see below) and they look identical in all three environments. SCOM 2012 can have nested dashboards where drilling down into particular data lead to another dashboard.

Creating custom Dashboards is not only useful, it’s also very easy with the new wizard.

There are three steps to creating a dashboard in SCOM 2012: first select a layout based on the number of cells or columns desired; then add a widget in each cell (types include Alert, Performance and State) and finally configure each widget with a particular scope and criteria as well as display preferences. The Performance widget can now display data from either the Operational or DataWarehouse databases; increasing its usefulness. Apart from the comprehensive built in dashboards third party management packs can add feature packs to support their own widgets. Both SQL Server and Hyper-V have dashboards in the works.

For each cell define what widget you want and configure it’s properties.

To extend the reach of SCOM to non-IT personnel dashboards can now be integrated into SharePoint 2010 using a web part. If the people who are going to view the dashboards aren’t SCOM users the web part can be configured to user shared credentials. The integration works with SharePoint Server 2010 Standard and Enterprise as well as the free Foundation version. In the latter case you can only deploy the web part in the same domain as the web console and you won’t be able to use shared credentials.

The web part comes in the Microsoft.EnterpriseManagement.SharePointIntegration.wsp and is installed using the install-OperationsManager-DashboardViewer.ps1 PowerShell script. The web part is linked to a web console so you’ll need to obtain the exact URI for the dashboard you want displayed by navigating to it in the Web console and copying it from the address bar. If you get an error message that the ticket has expired you need to synchronise the clocks on the server running the Web console and the SharePoint server, they can’t be more than five seconds apart.

The final dashboard in all its glory, best of all it looks the same in all three environments.

Personalisation of dashboards by a user are now stored in the database and thus roam with the user to different PCs and environments, in SCOM 2007 R2 they were stored in the registry on the local machine and thus didn’t follow the user. Dashboards in the web console all have a distinct URL, this also makes it easy to disseminate information to non-technical users, as they can simply bookmark particular dashboards.

The most popular built in dashboard might be the new Management Group Health Dashboard console, also known as the “coffee break”, so named by the developers because it’s designed to give SCOM operators a quick overview of the health of their environment, thus answering the question “can I take a coffee break?”. It monitors both the infrastructure and the functions delivered by the SCOM system.

Conclusion

Although there’s no native support for Windows clustering and we’d like to see deeper monitoring of clustered Java applications in JEE overall SCOM 2012 is a thorough revamp with some very useful new features. The simplified infrastructure and no-brainer High Availability will be welcome in all but the smallest environments while the network monitoring should make all IT Pros troubleshooting lives easier. The extended *nix monitoring and JEE monitoring will be handy in the right environment but perhaps the most intriguing feature will be seeing how SC Orchestrator will glue the entire Systems Center suite together.

Resources

Official SCOM blog

Operations Manager 2012 on the Connect site (Windows Live ID login required)

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)
• SCOM 2012 review – Part 5: Network Monitoring (0)

Unix and Linux monitoring in SCOM 2012

Monitoring Unix and Linux (*nix) machines is necessary in larger environments because there’s almost always some *nix servers; even in mostly Windows shops and SCOM 2012 brings some very important improvements. The Unix/Linux monitoring covers HP-UX 11i v2 / v3 on PA-RISC and IA64, Sun Solaris 9 on SPARC as well as 10 on SPARC and x86, Red Hat Enterprise Linux 4, 5 and 6 on both x86 and x64, Novell SUSE Linux Enterprise Server 9 on x86, 10 SP1 and 11 on both x86 and x64 along with IBM AIX 5.3, 6.1 and 7.1 on POWER.

SSCOM 2102 Linux monitoring

Compared to SCOM 2007 R2; the 2012 version drops support for Solaris 8; Solaris 11 being very new might make it into RTM, there’s also added support for the iNode filesystem. Preliminary scaling numbers indicate that you can have up to 6000 Unix / Linux computers per management group if you have 50 consoles open, 10 000 per MG if you have 25 open consoles.

SCOM 2007 R2 uses two accounts for monitoring *nix, the Monitoring account is used for 85-90% of the monitoring and was an unprivileged account whereas the Action account that’s used for Syslog gathering and agent maintenance needs to have root credentials on managed systems. SCOM 2012 “fixes” this issue that has caused major issues for security conscious *nix administrators by adding support for sudo and SSH keys.

Sudo support means that a standard account can be setup on managed machines with exactly the required amount of permissions and the latter ensures that all agent maintenance that’s done via SSH is secure. SSH keys need to be in Putty format, if you’re using OpenSSH the keys need to be converted with PuttyGen.

SCOM 2012 also adds new templates for customized monitoring, the new Process Monitor lets you monitor by count (number of processes for instance) and identifies processes by command line arguments (instead of all processes being called “java” for instance) as well as accepting regular expression input for filtering.

Java Enterprise Edition monitoring in SCOM 2012

Brand new in SCOM 2012 is comprehensive support for monitoring Java Enterprise Edition (JEE, formerly known as J2E) application servers. The four most common platforms are supported; IBM Websphere 6.1 and 7; RedHat JBoss 4.2, 5.1 and 6; Oracle Weblogic 10g Rel3 and 11g Rel1; and the open source Apache Tomcat 5.5, 6 and 7 on both Windows and Linux with Websphere also supported on AIX and Weblogic on Solaris.

When you’ve imported the Java Management packs matching your environment the application servers will be automatically discovered and standard monitoring will let you know if the application server is running and if resource utilization is within defined thresholds.

If deeper monitoring is needed Microsoft offers an Open Source Java Management Extension (JMX) application called BeanSpy (known during the beta period as JMX Extender) that you load on the application server, it reports to SCOM via either HTTP or HTTPS, with our without basic authentication. BeanSpy being Open Source should allay fears that some companies might have about Microsoft code running on their application servers.

BeanSpy communicates with MBean counters (which are a bit like performance counters in Windows but more feature reach) to monitor individual applications running, frequency and time spent on memory garbage collection as well as over performance of the application server. Memory garbage collection is particularly important as the application is unresponsive during this period.

For custom monitoring SCOM 2012 offers two templates for building your own monitoring management packs; one for Monitoring and one for Performance; both lets you monitor any simple MBean property.

In the next part in the SCOM 2012 review series we’ll look at the vastly improved Dashboard functionality in SCOM 2012 and how to integrate DashBoards into SharePoint.

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)
• SCOM 2012 review – Part 5: Network Monitoring (0)

What’s better than being able to check on server health status through the Nagios monitoring views? Having Nagios notify you of server health status automatically! If you have ever had a server fail, shut down, or hang—only to learn about it later from disgruntled users—you’ll understand why this feature is so valuable.

Creating and Managing Contacts

Nagios can notify you of certain changes or issues in server configuration that may occur. Sometimes you want different alerts sent to different email addresses. For example, you may want to send alerts about a database server’s health to the DBA, and send all other alerts to the systems administrator. To define a single contact, navigate to your ICW root and go to folder /etc/nagios/nagwin. Open the contacts.cfg file in your favorite text editor. Let’s get started on defining contacts. A contact definition has the following form:

define contact {   
contact_name           systems_admin_1; short name of contact
usegeneric-contact     default contact template
alias                  Johnny Bernard Doe; full name
email                  jdoe@mycompany.com; email address
}

The “use” directive informs Nagios of which contact you would like to use. For now, use the default generic-contact option; we will explore contact templates in a bit.

Once you create several contacts, you may want to group them together, like you would with an email alias. Suppose we have four contacts: two admins and two DBAs. We might want to create two contact groups: sysadmins and dbadmins.

define contactgroup {    
contactgroup_name sysadmins;                 system alias
alias Systems Administrators;                full name of alias
members systems_admin_1,systems_admin_2;     comma separated list
}
define contactgroup {
contactgroup_name                            dbadmins;
alias                                        Database Administrators;
members                                      dba_1,dba_2;
}

Configuring Notifications

Nagios allows the administrator to configure notifications at different levels of granularity, including, but not limited to:

• Who is being notified
• Type of notification event (host status vs. service)
• How severe the event is (from service flapping to host downtime)
• When the event occurs

Notification options are defined in the templates.cfg file using host, service, and contact template directives. You can find an exhaustive list of directives with explanations here, but let’s start out by exploring some simplistic templates and directives.

Contact Templates

Contact templates allow us to define shared notification attributes for different contacts. Some contact template directives include:

• service_notification_period: When the contact can receive service notifications
• host_notification_period: When the contact can receive host notifications
• service_notification_options: What kinds of service notifications the contact receives
• host_notification_options: What kinds of host notifications the contact receives
• service_notification_commands: How service notifications are handled
• host_notification_commands: How host notifications are handled

We can put together an “admin” contact that receives only host notifications on a 24×7 basis and for all types of notification events:

define contact {    
name                             generic-admin-contact;
service_notifications_enabled    0; don’t enable service notes    
host_notifications_enabled       1;    
host_notification_options        d,u,r,f,s; all   
host_notification_commands       notify-host-by-email; send email
register                         0; because this is a template
}

Note that we can also define these options on a “per contact” basis; the only difference is that these directives would be specified in the contacts.cfg definition for that contact rather than in the templates.cfg contact template definition.

Host Templates

Host templates enable administrators to define some shared notification options for different host templates. Consider the default Windows Server template. By now, most of the directives should be fairly self-evident because they are so similar to the contact template directives:

define host {
name                   windows-server; alias
use                    generic-host; base template definition
check_period           24 x 7;
check_interval         5;
retry_interval         1;
max_check_attempts     10;
check_command          heck-host-alive; typically use this notification_period
notification_interval  30;
notification_options   d,3;
contact_groups         admins;
hostgroups             windows-servers;
icon_image             win40.png
register               0; because it’s a template
}

Imagine we wanted to create a Windows DB server template that had all of the attributes of the Windows Server template, with two exceptions: you want notifications to be pushed to only those in the dbadmins group, and you want to change the notification options to include all states. You would add the following definition:

define host {
name                   db-windows-server; new name
use                    windows-server; base template
notification_options   d,r,u,f,s; new options
contact_groups         dbadmins; new group to notify
}

Service Templates

Service templates allow you to configure how services will be handled with regard to notifications. We will not be covering these directives in the interest of your time, but they are explained in several other guides online.

End Result

Once you have configured your contacts, contact groups, and notification templates to your liking, restart the Nagwin_Nagios service in services.msc. Upon restart, your configuration will kick in. You can verify any contacts you’ve created in the Configuration -> Contacts section of the Nagios web administration interface.

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)
• SCOM 2012 review – Part 5: Network Monitoring (0)

Troubleshooting application performance issues is a very difficult area, often requiring intimate knowledge of the workings of a particular program. Is the problem in the code, the server hardware, the server software or in the network? Developers need deep insight and detailed logs to debug whereas IT Professionals need standard metrics across all applications and a way to easily pinpoint in which tier the problem might lie.

Microsoft acquired AVIcode in late 2010; this product is designed to look for performance problems in application code without requiring instrumentation to have been built in by the developers. The standalone AVIcode product version 5.7 will be the last as it’s now integrated into SCOM as Application Performance Monitoring (APM).

If you’re a current user of AVIcode 5.7 be aware that its management packs won’t work in SCOM 2012 (templates still work though) ; also APM will only work with .NET / web applications, not stand alone executables and it will only monitor IIS 7 / 7.5 not IIS 6. On the upside the infrastructure is totally integrated in SCOM, there’s no separate database and if it’s monitoring a Server 2008/2008 R2 machine with the IIS management pack the agent will automatically be deployed, although it’s not activated. Another improvement is that you can set an overall SLA for all web applications rather than having to configure monitoring for each individual application, the SLA can then be tweaked for particular programs as needed.

For corporations with many IIS web applications the power of APM might just be the feature that justifies the upgrade to SCOM 2012.

When the interceptors are activated and loaded into IIS the server will require a restart, after that, even if you add additional applications to be monitored; only the particular app pool needs to be recycled.

The beauty of the integration becomes apparent when you see network, hardware and OS monitoring right next to the application performance information, making it much easier to zero in on exactly where the problem lies. The actual monitoring is done in the Diagnostics and Advisor consoles. Similar events are grouped and it also lists Session events or “what else did the user do when this problem happened”. Performance counters are also displayed; 15 minutes of OS and hardware data leading up to the event to let you easily determine if the problem is the underlying platform or in the application code. All of this data enables the IT Pro to communicate facts when liaising with developers and DBAs.

The separate Application Diagnostics and the Application Advisor web consoles is probably where developers are going to spend their time troubleshooting, without having to deal with a full SCOM console.

APM can monitor both the server side of an application and the client side (IE only at this stage but support for other browsers is coming) which gives visibility into performance and reliability. The synthetic transaction feature already in SCOM on the other hand gives insight into availability and together the two provided excellent data on overall application performance. APM monitoring carries minimal overhead, as a rule of thumb is uses about 100 MB of memory and increases the CPU load by 5%.

Today there’s no explicit support for APM monitoring of SharePoint 2010 although that is coming and there’s no way to put Advisor reports into a dashboard as there’s no widget for it yet. What’s more concerning is that there won’t be built in support to use APM to monitor cloud applications in Azure at RTM, although this support is “on the roadmap”.

In the next part of this series we’ll examine what’s been improved in the native Unix/Linux monitoring that debuted in SCOM 2007 R2 as well as the brand new Java Application Server monitoring.

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 5: Network Monitoring (0)

Because big organisations often separate the network administration from server operations it can sometimes be difficult to efficiently narrow down if a particular problem is due to the network, the OS, the application or hardware. The new native Network monitoring feature is designed to increase visibility and help IT admins solve problems quicker, it’s not designed to replace specialist network monitoring tools that are probably already part of the network administrator’s toolkit.

Whilst SCOM 2007 R2 offers basic network device monitoring it doesn’t extend to the port level (unless you manually do the work for each individual device based on its Object Identifier (OID)). SCOM 2012 offers support for SNMP 1.0, 2.0 and 3 (but not Netflow) and works with both IPv4 and IPv6. Initial device discovery requires IPv4 addresses on devices so if you have a pure IPv6 network with no IPv4 address allocation this will be an issue. Devices in this context can be switches, routers, load balancers and firewall as well as any other network connectivity gadget that responds to SNMP monitoring.

Make sure your discovery rule(s) is properly scoped to find all the devices you want as you can only have one rule per server.

Discovery of devices can either be explicit where you define (by IP address or ranges) the devices; or recursive in which case SCOM 2012 will glean information from one device to attempt to find other devices. During discovery all SNMP community strings you’ve entered for a Run As account are tried until a correct one is found, be aware that some devices will generate an SNMP trap if too many invalid credentials are tried. The SNMP stack is now native to SCOM 2012 in contrast to SCOM 2007 R2 which used the SNMP stack of the OS. To monitor across firewalls you need to allow SNMP (UDP) and ICMP bi-directionally and port 161 and 162 have to be open (including on the Windows Firewall on management servers). SCOM provides the required firewall rules for Windows Firewall but doesn’t enable them by default.

Beyond the basic monitoring there’s extended monitoring where processor and memory utilization and memory fragmentation along with other device specific objects are tracked if the device is supported by SCOM 2012. To date there are more than 80 vendors on the list and over 800 devices, see the Excel spread sheet here. When a device supports SNMTP traps for system changes (card added, changes to chassis configuration) SCOM 2012 will listen for them. The supported information for each interface depends on how the device manufacturer has implemented monitoring; Management Information Base (MIB) based on RFC 2863 and MIB-II RFC 1213 provides deeper information.

Deep information about each monitored device is only a mouse click away.

In strictly controlled environments where even read only SNMP monitoring is restricted you can opt for ICMP only which will let you know whether a device is responsive or not. If a node is down, all other monitoring is suppressed so that you’re not flooded with alerts about ports and links being down.

But the coolest part of Network Monitoring has to be the port stitching feature that shows which agent monitored node is connected to each port. SCOM will also discover all VLANs and what switches participate in each VLAN, note that only connected ports will be monitored unless you manually add ports to the Critical Network Adapters Group in which case it will always be monitored. For routers it will identify which Cisco Hot Standby Router Protocol (HSRP) groups they participate in. The end result is clear network diagrams that show exactly what systems are connected to witch switch port as well as visually indicating where a problem might lie.

SCOM 2012 has over 200 new items of knowledge for network monitoring and will report on packet errors per switch port for instance. At RC the recommended scalability numbers are about 500 devices per Management Server and about 2000 devices per Management Group; however there’s a comprehensive sizing guide forthcoming. Be aware that you can only have one discovery rule per Management Server so make sure it encompasses all the devices you need to find.

There are four dashboards built in for network monitoring with the Network Vicinity Dashboard providing a visual representation of connected devices within one hop to the selected node, you can increase the number of hops up to five. Be aware that this dashboard won’t identify teamed NICs as such, nor will it show Unix / Linux computers and VMs will be associated with the same network device as the host; the Hyper-V switch does show up as an SNMP device.

The Network Summary Dashboard lets you easily spot the device with the slowest response, highest CPU or interfaces with the highest utilization, most send/receive errors or nodes with the most alerts. From this dashboard you can then pivot into the Network Node Dashboard that lets you view availability statistics for the last 24 or 48 hours, last seven days or last month; this dashboard also shows other utilization statistics for the node. The Network Interface Dashboard drills down to an individual port and lets you see packet statistics for the last 24 hours as well as alerts and interface properties.

There are also five new network monitoring reports and some new tasks in the console such as opening a Telnet session to a device, doing a quick SNMP “get” or performing an SNMP walk of a device. Note that if you’ve authored management packs for network monitoring in SCOM 2007 R2 these will need updating to work with the new functionality, see here for more information.

In the next part of this eight part SCOM 2012 RC overview we’ll look at another crucial piece of the IT puzzle that needs monitoring – applications.

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

Root Management Server (RMS) in SCOM 2007

Because of the unique role that the RMS plays in SCOM 2007 R2 it’s a single point of failure. It’s the connection point for consoles / web consoles, it runs the configuration service, it handles connectors and health aggregation as well as role based access control. The way to build High Availability (HA) in SCOM 2007 R2 is to cluster the RMS server which is operationally and technically complex and also relies on an active / passive model with the associated hardware and licensing costs. There’s also the option to manual promote a secondary management server to RMS in a disaster situation but this isn’t straightforward.

SCOM 2012 high availability

SCOM 2012 changes the game by doing what Exchange and other Microsoft applications have already done by providing HA out of the box. Management servers are pooled and automatically share the load, no server is more important than any other and simply by having several of them availability is ensured. Each server runs the configuration service and they store their data in the database instead of in an XML configuration file / memory like SCOM 2007 R2 did (this file could be up to several GB in large environments), leading to quicker start-up of each management server.

Failover is not instantaneous and it can take up to two minutes whilst the pool reloads managed instances. All management servers should be located in the same datacentre (less than 5ms latency) and you should deploy Gateway servers in other locations. These servers connect SCOM to branch offices or untrusted domains and can also be in resource pools but you can’t mix Management and Gateway servers in the same pool.

In SCOM 2007 R2 the RMS has special characteristics and some current management packs (Exchange 2007 and 2010 are examples, a full list is forthcoming from Microsoft) rely on a RMS to report to. Since there isn’t an RMS server in SCOM 2012 one management server is assigned the RMS Emulator role to provide compatibility with these MPs. This role can be manually moved between management servers (using the PowerShell cmdlet Set-SCOMRMSEmulator) and there’s a management pack coming that will automate the failover of the role. Management Groups don’t rely on the RMS emulator; it’s there for backwards compatibility with MPs.

SCOM 2012 Resource Pool

Know that all management servers are treated as having equal capacity; differences in processors and memory capacity are not taken into account so it’s best to plan on having all servers identical. Different workloads are also not taken into account and are simply distributed amongst the available servers in a pool. There’s are three default pools ; All Management Server Resource Pool, the Notification Pool and an AD Integration pool but you can create your own pools for specific monitoring situations.

The three built in Resource Pools

Roles within a pool can be manually controlled, this is suitable for instance if you have a hardware text/SMS alerting device connected to a particular management server, there’s no point in failing that function over to a server without the hardware attached. Cross platform (Unix/Linux) monitoring and network device monitoring is also targeted at pools rather than individual management servers.

SCOM 2012 maintenance mode

An issue in SCOM 2007 R2 is when you put a management server into maintenance mode, because the workflow to take the server out of maintenance mode after the designated time is also running on that server it never automatically comes out of maintenance mode, in SCOM 2012 the workflow is moved to the All Management Servers resource pool negating the need to manually take a server out of maintenance mode.

The new Silverlight based web console is your friend when you’re away from your monitoring station.

The new home on the web for all management packs is http://systemcenter.pinpoint.microsoft.com and for those who’ve been less than impressed by the Pinpoint site and finding management packs in the past it’s good to know that the above address is focused solely on System Center.

In the next part of this SCOM 2012 RC technical review series we’ll look at my favourite new feature: Network Monitoring, what’s required and how it works.

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

Interoperability in SCOM 2012

Because a modern enterprise is heterogeneous SCOM sometimes needs to integrate with other monitoring solutions such as IBM Tivoli, HP OpenView and others. In SCOM 2007 R2 this is accomplished with connectors, but these are not supported in SCOM 2012. The integration between SCOM and other management systems will now be accomplished through System Center Orchestrator 2012.

The different programs in the System Center suite are essentially different applications with little integration in the current version. System Center Orchestrator 2012 is about to change this in the 2012 wave by providing Integration Packs (IP) for each of the major Systems Center applications including SCOM. The SCOM IP can create and interact with Alerts and Monitors as well as start and stop maintenance mode.

There’s also IPs for System Center Service Manager (SCSM) that can create incidents automatically based on alerts in SCOM for instance; the IP for System Center Virtual Machine Manager (SCVMM) will push information about VMs, services, private clouds and hosts into SCOM. In a future review here at 4sysops we’ll look at this approach for integrating the System Center suite and if it’ll provide the tight glue that many have asked for.

PowerShell in SCOM 2012

The good news is that SCOM now comes with full PowerShell 2.0 support and a host of new cmdlets. The less good news is that there will be a learning curve as the new cmdlet nouns have “SCOM” in their names; the old cmdlets still seem to work however. There are also new cmdlets for monitoring Unix and Linux machines (see part seven), these rely on PowerShell 3.0 (in CTP at the time of writing) for easy scripting and background operations.

To execute PowerShell cmdlets you have to establish a connection to a management group, this can either be persistent so you can run multiple cmdlets or a temporary connection allowing you to run a single command.

A new cmdlet that might come in very handy is Export-SCOMEffectiveMonitoringConfiguration that looks at a specific monitored instance (or a list), finds the monitors, rules and overrides that apply to it and exports the effective monitoring to a csv file.

The main console in SCOM 2012 follows the familiar System Center look and is easy to work with.

Consoles in SCOM 2012

Sysadmins familiar with SCOM 2007 R2 will feel right at home in the console, apart from some cosmetic changes (the “Actions” pane is now the “Tasks” pane and is split into two tabs, one for actions and one for help) it’s almost identical. The Web console on the other hand has received a major Silverlight overhaul and is now a joy to work with. Note that the Web console provides a monitoring workspace only although you can create dashboards in it with the same functionality as in the full console (see part eight) .You’ll need a 32 bit version of Word 2010 to edit custom information in the Knowledge Base, Office 2010 x64 won’t work.

In the next part of this series we’ll look at the flagship feature of SCOM 2012; built in High Availability as well as how the new Resource Pools work.

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

Upgrading to Operations Manager 2012

Only SCOM 2007 R2 can be upgraded to Operations Manager 2012 so if you’re on an earlier version you have to upgrade to this level first. If you’re an early adopter and trialled the beta it can be upgraded to the current Release Candidate and it in turn is supported for upgrade to RTM. You can’t however upgrade from the beta directly to RTM, nor can you upgrade to RC from a SCOM 2012 beta that was originally upgraded from SCOM 2007 R2.

The most important prerequisite however is that all SCOM 2007 R2 management servers that you want to upgrade are 64 bit on x64 hardware and run 2008 R2 SP1 as the OS. If this isn’t the case in your environment, fear not, you can spin up a new server and start the upgrade from there. If you’re doing your upgrade this way back up your encryption keys from the current RMS and restore them on the new SCOM 2012 server.

The general sequence for an upgrade is: secondary management servers, gateways and agents first, then the Root Management Server (RMS). If any management servers or gateways are still 2007 R2 the final RMS upgrade will be blocked. If agents are still 2007 R2 this will be highlighted during the RMS upgrade but it won’t block the upgrade. Be aware that these agents won’t be able to report to SCOM until they have been upgraded to SCOM 2012 agents.

If yours is a smaller environment with a single SCOM 2007 R2 server you can either upgrade in place (provided your server meets the hard- and software requirements) or you can set up another management server and start the upgrade from there. If you upgrade in-place be aware that you have to upgrade all the agents before they’ll report to SCOM 2012.

To assist with your upgrade plan there are clickable flow diagrams on TechNet that clarifies what options you have, the same page also provides links to checklists with step by step instructions. There’s also an upgrade helper Management Pack (MP) that walks you through the upgrade and gives you an overview of what parts of your infrastructure has been upgraded.

Once your environment has been upgraded to Operations Manager 2012 you can take advantage of the new reporting functionality.

Further points for your upgrade planning includes backing up the databases, disabling notifications to prevent false alarms and stopping connectors to avoid false tickets being generated as well as making sure agents don’t report directly to the RMS as your upgrading it. Most importantly, check the event log for any problems, you can’t upgrade away from problems so ensure your SCOM environment is healthy before you upgrade.

If you used Operations Manager to deploy agents they will show up as pending upgrade in the console and you can push out the upgrade from SCOM; if you use an alternate method of deploying agents (such as SCCM) you have to upgrade them using your chosen deployment method but it’s simple MSI file so that should be easy. The native consoles are version specific so if you need both the old and the new console on a machine upgrade to the SCOM 2012 console and then reinstall the SCOM 2007 R2 console afterwards.

Depending on the size of your environment you may have a mix of SCOM 2007 R2 and SCOM 2012 management groups and servers in your environment for some time so be aware that the SCOM 2012 agent will communicate with SCOM 2007 R2 servers. The reverse isn’t true however so an important step in your upgrade process will be upgrading agents to the 2012 version. The new Control Panel applet makes it easy to identify which management groups an agent reports to and adding and removing of management groups from agents can now be centrally controlled via scripts.

The new scriptable control over agent assignments will be a boon in large environments as will the Control Panel applet for troubleshooting.

Management packs that work in SCOM 2007 R2 should work in Operations Manager 2012 because the MP schema is unchanged. The few exceptions are where third party management packs require new modules on the agent, new MP templates or new view types due to API changes; or if they attempt to create or update other MPs or elements within other MPs.

In the next part of this series we’ll look at PowerShell enhancements in SCOM 2012, interoperability with other platforms as well as improvements in the Console.

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

Long gone are the days when monitoring your IT environment meant waiting for the phone to ring and your users tell IT that something wasn’t working. Keeping an eye on your infrastructure is important for businesses of all sizes and Systems Center Operations Manager (SCOM) has been very good at providing that visibility for Microsoft’s platforms for many years, the current version (2007 R2) added native cross platform support for Linux and Unix.

SCOM 2012 – Main Console

The new kid on the block is SCOM 2012, currently in Release Candidate and it adds some really cool features for network monitoring, High Availability (HA), application monitoring and dashboards. In this eight part article we’ll dive into these and other improvements; giving both sysops with SCOM experience and other IT admins insight into what SCOM 2012 can bring to your environment.

Article Parts:

1. SCOM 2012 Installation
2. Upgrading to SCOM 2012
3. Interoperability, PowerShell and Consoles in SCOM 2012
4. Infrastructure improvements in SCOM 2012
5. Network Monitoring in SCOM 2012
6. Application Performance Monitoring in SCOM 2012
7. Unix and Linux monitoring and Java Enterprise Edition monitoring in SCOM 2012
8. Dashboards in SCOM 2012 and Conclusion

SCOM 2012 Installation

The overall installation experience for SCOM has been improved; the most obvious change is that the operational and data warehouse databases are created during the installation, in earlier versions they had to be created prior to the SCOM installation. The pre-requisite checker is also built into the installation wizard; this simplifies the overall installation process. Any problems during the steps in the installation wizard are highlighted and the error message is copied to the clipboard. Credentials that you define are tested from within the wizard to make sure they work before proceeding to the next screen.

SCOM 2012 – The Installation Wizard has been improved, providing for a smoother setup experience.

The installation program will assign the Administrators group on the local computer to the Operations Manager Administrators role which is a change from SCOM 2007. During installation you specify the management server action account and the Configuration service and Data Access service, and although it’s not recommended from a security standpoint you can use the same account for both roles. The former should be a domain-based account and not a domain admin account. The latter account is used to read and update information in the operational database and can either be assigned to Local System or a domain account, where the management server and the databases are on separate servers it has to be a domain based account.

Make sure you plan your accounts for SCOM 2012 correctly.

All SCOM 2012 servers (Management Servers and Gateway Servers) are supported to run as Virtual Machines with the recommendation to run the SQL server database on physical servers or virtual servers with direct attached disks for performance reasons. VM snapshots are not supported for use in conjunction with SCOM 2012. Management and gateway servers have to run on Windows Server 2008 R2 SP1, recommended memory is 2GB or more with a 2.8 GHz CPU. Prerequisite software is PowerShell 2.0, Windows Remote Management (WinRM), Core XML Services and .NET Framework 3.5 SP1 as well as .NET Framework 4.

The SQL Server backend has to run either 2008 SP1 x64 or later or 2008 R2; on a server with at least 4 GB of memory, with database collation set to SQL-Latin1_General_CP1_CI_AS and full text search enabled. If you need to provide high availability for the SQL Server databases both the Operational database, the Reporting data warehouse and the Audit collection database are recommended and supported on separate Active-Passive clusters as long as no other SCOM 2012 services run on these servers. Other supported configurations (but not recommended due to potential SQL performance issues) include Active-Active clusters and putting the Operational, Data Warehouse and Audit Collection databases on the same cluster, see here for more details.

The Data Warehouse database is now a required component in your SCOM environment, it was optional in SCOM 2007 R2, but it can be shared between Management Groups. The Operational database retains data for seven days by default, the Data Warehouse for 400 days by default.

The Windows agent comes in both a 32 and 64 bit version, as well as a 64 bit Itanium version, the 32 bit version can’t be installed on an x64 OS. The RC limits on objects and monitored items are 3000 agent monitored computers reporting to a management server and 2000 agent monitored computers to a gateway server but expect these figures to change for RTM.

In the next part of this SCOM 2012 RC overview we’ll look at how you can upgrade from your current SCOM environment and in which order this has to be done as well as the help available for your upgrade planning.

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

One of the duties of many Windows systems administrator is network management. That is, you may be called to detect, diagnose, troubleshoot and resolve network interface slowdowns.

As your network grows in complexity to include multiple line-of-business (LOB) Web applications, load-balancing configurations, and the like, interface troubleshooting and performance monitoring can easily become extremely cumbersome and complex.

Monitoring an interface with SolarWinds Real-Time Bandwidth Monitor

To assist us in this effort, SolarWinds gives us the Real-Time Bandwidth Monitor. This is a free utility that enables us to monitor network bandwidth utilization statistics for multiple interfaces in real time.

Setting up interface bandwidth monitoring

The Real-Time Bandwidth Monitor software can be installed on any modern 32- or 64-bit edition of Windows desktop and server operating systems.

However, it should be noted that because the interface polling and statistics gathering in this product relies upon Simple Network Management Protocol (SNMP), you need SNMP turned on for any device you will be monitoring, which it will be by default for your network devices.

In some cases, you will prefer to have an SNMP server in place in your domain prior to using this tool.

For instance, you can fire up Server Manager in Windows Server 2008 R2 and install the SNMP Server feature, as shown in the following figure.

Windows Server 2008 R2 – Install SNMP Server feature

Once you have SNMP Server installed, you can configure SNMP-related metadata like the community name and trap destinations by modifying the properties of the SNMP Service Windows service. This process is depicted in the following screen capture.

SNMP Service Windows service

Upon first launch of the application, you are asked to create a monitor. This task includes three pieces of information:

• The IP or hostname of a device (desktop PC, server, switch, router, wireless access point, etc.)
• The SNMP version in use on your network (1,2, or 3)
• The SNMP credentials (community name for SNMPv1 and v2; username, context, and authentication method for SNMPv3)

Configuring the device

The next step in the setup process is selecting the desired interface. If you are connected to a switch, then you will be able to monitor individual port IDs; if you are connected to a Windows server, you can choose among physical and virtual network interfaces.

Selecting an interface to monitor

We are almost finished. The final step in the configuration process is setting threshold values. The percentages that you specify for warning and critical values enable the Real-Time Bandwidth Monitor to give you feedback regarding degrees of bandwidth utilization.

Note in the following screenshot that you can also limit the chart date to a particular time interval or data points (sampling is performed at the half-second rate). Click Launch Monitor to start the monitor. Yes, you can have more than one monitor running on a host computer simultaneously.

Setting threshold values

Monitoring an interface

As you can see in the following screenshot, the monitoring screen is a resizable dialog box that is laid out in a very easy-to-understand manner. Inbound and outbound traffic on the selected interface are color-coded, as is the data line if it exceeds a threshold value.

Monitoring an interface

The line chart is active; you can analyze data points simply by hovering your mouse over them. This is shown in the following screen capture.

Analyzing a data point

You can make use of another of SolarWinds tools (this one is not free) called WAN Killer to simulate loads through monitored network interfaces.

While we are on the subject of related SolarWinds software, the Real-Time Bandwidth Monitor is a “smaller sibling” to their enterprise Orion Network Performance Monitor (NPM) software. NPM is a one-stop solution for automatically discovering and monitoring interfaces in your LAN and WAN environments. You can download a free demo from SolarWinds if you are so interested.

Conclusion

In summary, the SolarWinds Real-Time Bandwidth Monitor gives us systems/network administrators the ability to visualize network bandwidth utilizations on our interfaces. This data is extremely important not only for troubleshooting speed and access problems, but also for application performance tuning and enhancing the overall health of our network. Please feel free to leave your questions in the comments portion of this post.

Real-Time Bandwidth Monitor

• Poll: Are you currently using a monitoring solution? (11)
• FREE: Zenmap: Windows GUI for nmap (0)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)

Spiceworks is a great free network inventory and monitoring tool that is very useful for administrators and help desk staff. Spiceworks supports hardware and software inventory, facilitates network monitoring, and offers help desk functionality. For a more detailed feature list, please read this overview of Spiceworks’s functionality. In this article, I will help you get started quickly with Spiceworks.

Spiceworks

Requirements

First, make sure you have a user that has full administrator rights to all resources in your network. You have to provide that user for the Spiceworks scanning utility. Since the tool can also scan VMware virtual machines, you might need the corresponding login information.

Second, make sure you have exception rules in your firewalls to allow the following: Ping, Windows Management Instrumentation (WMI), and RDP. I suggest doing this using Group Policies so you’ll be sure everything is configured properly on all PCs.

Third and finally, you need to make sure that the WMI service is enabled and running on all computers. This is likely the most important part, as Spiceworks uses this service to get all of its information.

Spiceworks installation

After you download the latest version, execute the installer on either a server or a powerful PC. The reason for this is that Spiceworks does require quite some processing power depending on the size of your network.

1. Specify the port on which you’d like it to run (port 80 is the default setting).

2. Accept the terms and choose the installation path.

3. Start up the application (via the shortcut).

4. If your firewall asks, allow Spiceworks to access your network; the corresponding executables are spiceworks-httpd.exe and spiceworks-finder.exe.

5. If you already have a Spiceworks account, you still need to create a new user unless you want to copy the database information of an existing installation.

Spiceworks login information

6. Click “Inventory” to start scanning your network.

Spiceworks start screen

7. Enter the range of your network.

Network range

8. Provide the credentials for the different account types. Here is where you need to supply the administrator credentials for Windows, Unix, and switches/printers (via SNMP). “Unix” is the one you want to use to detect VMware virtual machines. If you use different passwords for your network devices, just provide the one that is the most used. You can go into the configuration later to provide logins for specific devices.

Spiceworks scan settings

9. Allow some time for the scan to execute.

Spiceworks scan results

10. If many error messages are displayed, try to determine what caused them. Usually Spiceworks will give you a good starting point, like indicating that a certain port is not available.

11. If only a few errors occurred, you can start browsing your inventory.

12. I suggest that you run Spiceworks as a service. To do so, right-click the Spiceworks icon at the bottom right and click “preferences.” Check “Spiceworks is running as a service” and provide the user/password. Running Spiceworks as a service will allow it to scan even if you are not logged on to the corresponding computer.

Spiceworks service preferences

Now you can start to explore the possibilities of this powerful network tool. You can set up email properties, monitors, and alerts. Almost everything is customizable; you just need to search a little. If problems come up, the Spiceworks community is a great resource for help. You also have access to a variety of Spiceworks extensions.

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

You probably know Event Viewer, a baked in Windows tool. For sophisticated event log analysis, you often need additional tools. Some of the tools discussed here are applications, and some are websites.

EventID.NET

I have a paid subscription for EventID.NET, and use this database for event ID searches. The site is a repository of almost all Windows event IDs and offers in-depth write ups, screenshots, and links to external sources. A one year subscription for an individual costs $29 USD.

EventID.net -Search for event IDs

ServerFault.com

The consistently useful ServerFault.com website has served me well since its inception. It is a crowd-sourced community of experts based on a Digg type voting system, in which a poster asks questions based on issues they are confronted with, usually scenario based, with Event IDs.

ServerFault.com – Question and answer site for admins

Experts-Exchange.com

Experts-Exchange.com is another community site which is not limited to any platform or architecture. It has a similar voting system as Serverfault.com and issues awards based on the helpfulness of the “experts”.

Notice that Experts-Exchange.com is not free. After the 30-day free trial, prices vary from $12.95 USD for the monthly plan to the the two year plan for $189.95 USD.

Experts-Exchange.com – Tech support from experts

ManagEngine EventLog Analyzer

I have used many of ManageEngines free tools, and EventLog Analyzer is my favorite. The tool works with Unix/Linux/Windows and can be configured to give real time alerts and offers sophisticated reporting features. The holy grail of all IT logging is the centralized logging ability. EventLog Analyzer can also collect logs from devices such as routers, web services and FTP servers. The free version supports up to 5 hosts. The Professional Edition starts at $395 USD for 10 hosts. Check out the price list for other configurations.

Eventlog tool ManageEngine EventLog Analyzer

GFI EventsManager

GFI EventsManager provides similar features as the ManageEngine product offering real time alerts and support for SNMPv2 traps. I like the auto archive feature and its search filters. GFI doesn’t offer a free edition but you can download a free trial. For a Server and 10 clients, GFI EventsManager costs $440 USD.

Event log tool GFI EventsManager

Netikus.net EventSentry

EventSentry offers quite a few interesting features that go far beyond event log monitoring and analysis: Compliance tracking, package managing, compliance tracking, log file monitoring, system health monitoring, and web reports. EventSentry Light is its free version and is a must-have tool for every admin doing event log analysis. Check out the comparison table to get an overview of the capabilities for its free and full version. A configuration with 10 hosts will cost you $698 USD. The complete price list can be found here.

Event log tool – Netikus.net EventSentry

Do you know any other good event log analysis tool?

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

Submitted by Eugene Rublovka

Verax NMS supports network elements (CISCO, Juniper, Adva, Foundry , etc.), applications (MySQL, Oracle RDBMS, Microsoft Internet Information Server, Apache Tomcat, IBM WebSphere, etc.), and data center elements (IP cameras, power supplies, etc.) in a single, integrated system.

Network and application monitoring – Verax NMS – Sensor summary

The Rich Internet Application (RIA) front-end GUI is a differentiator, as well as built-in business reports (users can design their own), plugin based architecture (SDK available) and rules engine (for event processing and IT automation).

Network and application monitoring – Verax NMS – Business Reports

Verax NMS

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

In the first guide we installed Nagwin on a Windows host, configured the process, and set up an additional Windows host for monitoring. In this guide we will explore how to use Winrpe – a Nagios monitoring client for Windows – to check on all kinds of server health indicators including CPU load, memory allocation, and error events in the Windows Event Log.

Installing and configuring Winrpe

Like Nagwin, Winrpe is an Open Source port of a Nagios client (nrpe) that is maintained by the folks at ITeF!x. It is available for download on SourceForge. You will need to download and install Winrpe on each Windows host you would like to monitor. The installer will ask you for the installation path and the service account Winrpe will use. The path isn’t as important but be sure to note the service account name and randomly-generated password. Once the installation is complete, you will have a new Start menu folder with entries:

1. nrpe.cfg
2. Web site
3. Documentation
4. Uninstall NRPE

You will want to open the shortcut to nrpe.cfg with your favorite text editor and being chipping away at nrpe configuration. Nrpe comes with a default configuration but you will need to tweak it according to your needs. Let’s look at the more important directives:

• allowed_hosts: Informs nrpe of hosts that are allowed to connect to the daemon. This list should include the IP address of your Nagios server and always the loopback address, 127.0.0.1
• command_timeout: The amount of time nrpe will try to execute a given command before it gives up, or times out. I like to use a setting of 20 seconds for newer systems and 60 seconds for older systems, but your mileage may vary.
• connection_timeout: The amount of time nrpe will wait for a TCP connection to be established. You may want to set this to a fairly high value (60-120 seconds), especially if you are monitoring hosts across a site-to-site VPN or the Internet.
• include and include_dir: Used for including directives (usually commands) from another file. This is great if you have a shared config file for multiple hosts; for example, you may have a shared drive at \\fileserver\winrpe\base.cfg and other clients use this base configuration. Include_dir includes all config files in a directory.

Command Directives

Command directives define commands that Nagios can use to access nrpe. The basic format is as follows:

command[ALIAS]=actualcommand.exe --params -w # -c #

The ALIAS is what Nagios will use to access your command. The actual command is placed on the right of the equals sign and indicates what the alias does. All command paths are relative to the ICW\bin folder and you will find that Winrpe pleasantly includes some useful tools in that folder.

Winrpe foder

• check_nrpe: Verifies that nrpe is installed and listening on a host
• check_pdm: Checks processor, disk, and memory
• check_winevent: Checks Windows Event Log entries
• check_winfile: Checks for the presence and attributes of Windows files
• check_winprocess: Checks Windows processes
• check_winservice: Checks Windows services

In addition, you can specify warning and critical values for each command. For example, if your command checks for error events, you might set only a critical value of 0, meaning that if your system has experienced any error events in the past 24 hours (>0) it will be marked as critical.

We will define a sample command here for CPU load since most administrators would be interested in that sort of thing.

command[pdm_cpuload]=check_pdm.exe --processor -w 50 -c 80

• Our alias is pdm_cpudload
• The command definition is the built-in utility check_pdm.exe
• We have one parameter, which is processor
• The warning level is 50 (percent)
• The critical level is 80 (percent)

This command definition is usually included by default in your nrpe.cfg file so you can see it in action. It will check CPU load when requested, issuing a warning at 51% and a critical alert at 81%.

Once you have setup your nrpe.cfg file to your liking, go ahead and start the nrpe service through services.msc on your host. You may want to make this an automatic service.

Winrpe on Windows 64-bit

For some reason Winrpe does not play well on 64-bit Windows environments and it will eventually stop working. So, you need to create a scheduled task to execute the following batch script every 15 minutes or so (adjust as necessary):

net stop "Nrpe"
taskkill /F /IM nrpe.exe
net start "Nrpe"

Winrpe restart

As you can see, this simply stops the nrpe service, kills the associated process, and starts the service again. Not the most elegant solution, but it’s the only one that I’ve found to work!

Configuring the Nagios Server

It’s time to wire everything up. Return to your Nagios Server and navigate to the ICW\etc\nagios\nagwin directory. Open the hosts.cfg file in your text editor and find your host definition. Below the host definition we will add a new service definition for that host.

define service {

This will define a new service for host fileserver. The service_description is what will appear for that row in your Nagios administration server, and the check_command is the command in nrpe (on your client) that you would like to run. In this case, it’s check_nrpe!pdm_cpuload.

Finally, you will need to restart your Nagwin_Nagios service to reflect these changes. When you restart Nagios and login to the administration console, you will see the following line item in your “Services” section:

Restart Nagwin_Nagios service

In the next guide we will explore Nagios notifications and contacts.

Winrpe

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

Nagios is one of the most popular Open Source IT infrastructure monitoring tools available. Originally developed to monitor network hosts for uptime, latency, and health, Nagios has been extended to perform a variety of functions through its plugin interface. Though it is Open Source and generally intended for the Linux crowd, the folks at IteF!x have developed a port of Nagios for Windows – or Nagwin – to allow a Windows host to run the Nagios process.

Nagwin – A complete Nagios implementation for Windows

Installing Nagwin

Nagwin uses several packages to acheive Nagios functionality on Windows, including lightweight versions of Cygwin (a Linux API for Windows), PHP, Perl, Blat (SMTP server), and Nginx (web server). Thankfully all of these are included in the download for Nagwin at SourceForge.

Once you download the installer, unzip and run the resultant Nagwin_1.2.0_Installer executable to get started. During the installation, you will be prompted for where you want to put the “ICW” folder (the cygwin root). I like to put this directly on the hard drive so it is easy to get to “C:\ICW,” but this is a matter of personal taste. Next, you will be prompted to enter a service account name and password. Accepting the defaults here is fine unless you would rather use an existing service account. The password that is prepopulated is randomly generated and if you accept defaults you should save this password somewhere safe. Click “Install” to proceed.

Configuring the Nagios process

Assuming you want Nagios to start automatically when your server starts, you should run the MMC console “services.msc” and scroll down to where all of the Nagwin services are. By default, these are manual startup services. If you go to Properties for each service you can configure them for an automatic startup. If they are running already, go ahead and stop them.

By default, the Nagios admin account (nagiosadmin) has the password “nagios” and that will not do, so let’s go ahead and change it. In a command prompt window, navigate to the ICW directory that you chose in the installation, then navigate to the “bin” folder. Now, run the command, replacing the italicized bit with your desired password:

htpasswd2 -b /etc/nginx/htpasswd nagiosadmin your_password_here

You can create additional accounts but that’s what we will use for now. You can also change the port that is used to access the web management interface. By default, this is port 80, but you will probably want to change it to a lesser known (and less likely to conflict) port. I chose port 81 but you can choose any TCP port that is not already in use. To do so, navigate to the folder “\etc\nginx\nginx.conf” under the ICW directory and find the “server” block. Now change the “listen” directive from 80 to whatever you desire.

Configuring Nagios to monitor a host

Now the real work begins. Let’s assume that our Nagios server is located at 10.1.1.14 in a 10.1.1.0/24 subnet, and that we want to monitor another Windows host located at 10.1.1.10 (called “fileserver”) on the same subnet. To monitor the host we simply define a new host in the file “\etc\nagios\nagwin\hosts.cfg” and restart (or start) the Nagios process. First, open the hosts.cfg file in your favorite text editor (if it does not exist, create the hosts.cfg file in the “\etc\nagios\nagwin” directory). Using our example above, the host configuration is as follows:

# Define a host for the local machine

Note: alias is simply what Nagios calls the host, and in many cases it is appropriate to have the alias match the host_name. The important pieces here are the use, host_name, and address directives.

That’s it! Now we need to start all of our Nagwin services (there are four) in services.msc.

Once you have started these services, navigate to http://localhost:PORT_NUMBER and login using the username “nagiosadmin” and the password you defined earlier. Go to “Hosts” and voilà! Our newly defined host should appear along with “localhost” (where the Nagios process is located). You will notice that it provides detail regarding packet loss, latency (ping), and host uptime. Nagios saves this information in a repository that allows systems administrators to check the health of hosts as well as connectivity.

Nagwin – Connectivity

In the next guide we will learn about Winrpe, a small daemon installed on Windows hosts to provide more detailed information about their health – CPU load, memory information, event logs and statuses – so that the Nagios process can probe these services and provide the administrator the information he or she needs to nip Windows host problems in the bud.

Nagwin

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

Author: Vitaly Dvorak

SXR software raffles three licenses of their employee monitoring software StatWin Server Enterprise each worth $399 USD. You can monitor up to 25 employees with this license. The deadline of this contest is July 26, 2011. If you want to take part in this in raffle, please send an email with the subject StatWin to .

StatWin Enterprise employee monitoring

StatWin Server Enterprise monitors employee activity on network computers. The program allows the PC administrator to keep a check on users by capturing visited websites, recording keystrokes and mouse clicks, capturing ICQ, MSN, Outlook, Bat messages and more. Over a specified period of time, the program can take screenshots of the computer screen and save images to the selected destination. Collected statistics on employee activity is transferred from client computers to the server automatically.

The program also offers tools for remote administration of clients, remote installation, launch, shutdown and uninstallation of clients, automatic submission of collected data about user activity from clients to the server, as well as automatic notification of the administrator about events on clients in real time. StatWin Server Enterprise is a complete employee monitoring solution for enterprises, offices and educational institutions.

The program runs under Windows 7 / Vista / XP / 2008 / 2003 / 2000 (32-bit, 64-bit). The free 30-day demo version can be downloaded without registration

• Poll: Are you currently using a monitoring solution? (11)
• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• SCOM 2012 review – Part 8: Dashboards (0)

NETIKUS.NET has released a new version of EventSentry Light, a free real-time event log monitoring solution for Windows. EventSentry 2.92 has a few new features, which is why I updated the article. The first part is a general introduction about the tool’s monitoring capabilities and at the end you will find a list of the enhancements in version 2.91 and 2.92. Also note that the free light version lifted some important limitations, which makes it interesting for complex environments. You will also learn more about this at the end of the article.

The Windows event logs are the first place to check when something goes wrong on a Windows machine. But even more important is to keep a constant eye on the event logs, to ensure you that you will be informed immediately about upcoming problems or if Windows or your applications enter certain states you want to be informed about. Vista and Windows 7 come with a significantly improved event log system, and the most important enhancement of EventSentry 2.91 is the full support for this sophisticated logging environment.

The Windows Event Viewer has also been improved, but if you want to monitor event logs on multiple machines then you still need a third-party tool such as EventSentry. Moreover, EventSentry Light has additional monitoring capabilities. For example, it supports environment monitoring (temperature, motion etc.), third-party log file monitoring, and system health checks. With the latter feature, you can monitor the availability of Windows services or processes, performance, disk space, and more. EventSentry Light also includes basic network monitoring capabilities using pings and TCP connections.

I will now give you a basic idea of EventSentry Light’s structure, although I will only scratch the surface of this sophisticated tool. I also recommend watching these screencasts if you want to dig deeper. This is a faster and more convenient way of learning than poring over the manual.

Essentially, EventSentry Light works like a central filter to extract important information from all the event logs in your network. It collects the data, extracts the information that is relevant to you, and notifies you about them. The data is collected by the EventSentry agent that can be easily deployed using the management console. The agent uses filters where you can specify which Windows events are of interest you.

These filters are grouped in packages that can be assigned to computers individually or to computer groups. One limitation of the free version is that you can only work with one package with a maximum of four filters.

Once the data is collected, the information can be forwarded to you as e-mail or as pop-up messages on your desktop, Jabber, or pager. The light version only supports these four notification methods. Note that the full version supports 15 different notification types.

EventSentry Light now includes a SNMP trap daemon, an easy way to receive SNMP traps via email or other notification methods. Performance and environment alerts now include an attached chart, visualizing performance of a given time period. For example, when the CPU exceeds a certain limit, the alert email will contain an attached chart so you can see an exact history without having to access the reporting interface.

Hardware monitoring was also improved, USB storage device changes are now monitored, as is the S.M.A.R.T. status of hard drives.

• Support for “new” Vista/Windows Server 2008 R2/Windows 7 event log subsystems
• NTP Monitoring
• Embedded scripts
• Customize SMTP emails
• Service monitoring distinguishes between services and drivers
• Improved package management
• File monitoring detects Alternate Data Streams
• Jabber action supports chat rooms
• Improved event log filtering capabilities
• Software Monitoring uninstall events include more information
• Windows updates are now monitored on Vista, Windows Server 2008 R2, and Windows 7
• More customization for file monitoring

The list below gives you an overview of the limitations that were lifted in EventSentry 2.91.

• SNPP (pager) notification available
• Shutdown/kill process action available
• Create 2 groups (increased from 1)
• Create 4 filters (increased from 3)
• Monitor 4 services (increased from 3)
• Configure 2 application schedules (increased from 1)
• Monitor 3 performance counters (increased from 2)

Note that free version is now on the same release schedule as the commercial edition and updates for EventSentry will immediately be applied to EventSentry Light as well. Previously, the free version always lagged behind the full version. Please, check out this comparison table regarding the differences between the light and full editions.

EventSentry Light

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

The new event log viewer that came with Windows Vista is a major improvement that every Windows admin should appreciate. The filter and search features are great. However, one tiny feature is missing. You can’t filter the output according to a full text search through its GUI. You can only use Event Viewer’s search function to find specific terms in the event log message. But this means that you have to jump from entry to entry, which can be a bit cumbersome in some situations. Of course, you can also write your own parser. If you don’t like to mess with XML, however, you should have a look at EVT LogParser.

The free event log parser allows you to load saved event logs and then filter the output according to the event ID, event sources, event type, and a keyword in the message text. The latter feature is the only thing you can’t do with the Windows Event Viewer.

To save events, you have to select one of the Windows logs and then click “Save all events.” You can also use Event Viewer’s own filter and then use this output for your search in EVT LogParser.

Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 save event logs in the evtx format, which you can load into EVT LogParser when you run the tool on one of those Windows versions. If you use EVT LogParser on Windows XP, you can only load the old evt format because the event log parser uses the API of LogParser.dll to parse event logs.

You also can’t load evt files on Windows versions that work with the evtx format. However, you can convert the evt format to evtx if you have some old saved event logs that you would like to parse. You can load the evt file in Event Viewer on Windows 7 (or Vista) and save it as an evtx file. If you have many evt files you want to convert, you can use the Windows command tool WevtUTIL. The programmer of EVT LogParser has more information on his blog.

EVT LogParser

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

Windows 7 comes with sophisticated monitoring capabilities, but sometimes a simple solution is just what you need. SuperbarMonitor is a simple, portable monitoring tool that can display several monitors in the Windows 7 taskbar. You can monitor the CPU usage, disk usage, memory, and battery status. You can also use the tool for volume control. So if you want to keep an eye on operating system parameters, you don’t have to reserve a place in your precious screen space for your monitoring tool.

Each monitor has its own executable. For instance, if you only want to monitor the CPU usage, you just have to launch the corresponding program. With a single click on the taskbar icon, you can configure the few options that each of the monitors supports. For example, you can set high and critical levels where SuperbarMonitor will change the color of the indicator.

The monitoring tool only works for Windows 7. I also tried it on Windows Server 2008 R2, but the indicators in the taskbar didn’t work. However, this could have been because I tried SuperbarMonitor in a virtual environment.

The SuperbarMonitor homepage is in German, but the user interface of the monitors is in English. To download the tool, click “neue Version.” The Google “translate” is more or less understandable. You won’t need any instructions anyway. Just extract the ZIP file and run one of the executables.

SuperbarMonitor

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)