How to get OMS alerts in SCOM
During recent events and customer contacts I got a lot of question regarding integrating SCOM with OMS. Also recently with my webinar with Savision it popped up several times. This question actually makes sense because SCOM has already a lot investments in it + is mostly the start of your ITIL process… But how do you actually get alerts in SCOM from OMS? Well by using OMS and Azure Automation of course!
Step 1 Define what you want to forward to SCOM by defining a scenario and a search query
The scenario is key in this stage of the process. You need to define what you are looking for. Alerting in OMS is quite different than SCOM for example. In OMS you need to ask yourself “How many time did X happen in Y time” instead of “If this then that” kind of monitoring in SCOM.
This is very important to find the right search query. In this scenario I’m going to demonstrate the following scenario:
I want to have an alert in SCOM when there are 5 password attempts in the last hour on the administrator account
It’s possible to solve this issue with SCOM but hey we are going to use OMS + Azure automation right?
Step 2 get all the building blocks linked together:
The following high level steps need to be in place for this to work. For the purpose of preparing links are provided:
- OMS workspace with security data in there and security solution added: http://scug.be/dieter/2017/02/24/oms-getting-the-most-out-of-oms-security-features/
- Azure automation account created and connected to your oms workspace: https://www.verboon.info/2017/02/how-to-link-an-oms-workspace-with-an-azure-automation-account/
- Azure Hybrid worker installed and connected to your Azure automation account: https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker
Step 3 Create the Azure Automation runbook
Open the azure portal by going to portal.azure.com and select the subscription where your workspace is configured in.
Select the Automation Accounts logo:
Make sure you select the correct Automation Account
Now you get an overview of all the runbooks which are configured in your automation account. Select Runbooks in the middle bar:
In the next screen choose: “+ Add a runbook”
Choose “Create a new runbook”
Give the new runbook a name and choose Powershell as Runbook type:
Copy the following powershell code in the right window:
param(
[Object]$WebhookData
)
## check whether log source exists ##
$logsourceexist = [System.Diagnostics.EventLog]::SourceExists("OMS");
if ($logsourceexist -eq $false)
## Create the log
{New-EventLog –LogName Application –Source “OMS”}
## Get the content of the webhook
$RequestBody = ConvertFrom-JSON -InputObject $WebhookData.RequestBody
## This is just to show you what’s in it ##
$RequestBody | Export-Clixml -Path C:\Temp\Invoke-OMSAlertDiskCleanup_RequestBody.xml
## You can get all the values! ##
$user = $RequestBody.SearchResults.value.Account[0]
$computer = $RequestBody.SearchResults.value.Computer[0]
$counter = -split (Get-Content C:\temp\Invoke-OMSAlertDiskCleanup_RequestBody.xml | Out-String) | Where-Object { $_ -eq "Account" } | Measure-Object | Select-Object -exp count
## Let’s create this for the SCOM
Write-EventLog –LogName Application –Source “OMS” –EntryType Error –EventID 1 –Message “User: $user has too many failed logon attempts on $Computer. This happened $counter times. ”
Click the Save button and then the Publish button and click yes to publish the runbook to your azure automation account.
Your runbook is now ready to be triggered by our alert in step 4
Step4. Develop the search query in OMS and create the OMS alert
Ok I’m cutting some steps short here. I assume you already have your machine connected to OMS and are sending up your security logs. If not follow these guidelines to get you going: http://scug.be/dieter/2015/05/08/microsoft-operations-management-suite-quickstart-guide/
So let’s see.how we are going to solve this… First of all most of the search queries do not have to be constructed from the ground up. They can just be found in the solutions and tweaked a bit. For example this scenario can easily be extracted from the Security and Audit solution (if you have configured it of course):
Open up the Security and Audit Solution by clicking on the Security and Audit solution:
In the left part of the screen you have “Identity and Access, Click on it to open it
In the middle of the screen you get the amount of failed logons and eureka! Vlab\administrator is in there… Well for demo reasons I had my 5 year old try to login…
So click on the desired account.
The search query window opens and there you have your search query all ready to go…
Type=SecurityEvent AccountType=user AND EventID=4625 Account=’VLAB\Administrator’
Now click on the Alert button on the top left choices to instantly create an OMS Alert which will be our trigger for the process to get the alert in SCOM:
The Create alert window pops open and basically has 3 areas:
- General: This is where you define your criteria for the alert to be fired
- Schedule: This is where you define your frequency of checking + the amount it has to occur within this timeframe
- Actions: This is where you define how you would like to be notified
First things first: The General part:
- Fill in a name for the Alert
- Choose the Severity
- Search query is already filled in and copied from the search query window earlier on.
- Time window this can be no lower than 5 minutes. For demo purposes we set it at 15 min
Note: You already see we have 6 results for the given timeframe so our alert is going to fire.
Second the schedule part:
- Alert frequency is when the search query needs to run. We choose here every 5 min.
- Generate alert based on: Here we define how many results the search query needs to return before we want to be notified. In his scenario there’s no point in alerting when someone mistyped the password just once. That is highly doubtable an attempt to hack.
Third the Actions pane:
- Email notification: Well self explanatory
- Webhook: If you have another application which is taking in a webhook url you can activate it here. In fact calling a runbook is also a webhook but more on that later.
- Runbook: Here you can select a runbook of Azure automation which linked to your workspace. (note I selected a runbook I made earlier on. Select here the name you gave your runbook in step 3)
- Click yes
- select the runbook (note you can not change the automation account the one displayed is linked to your workspace)
Run on (choose hybrid worker)
- Note a small bug is still live in the console. If you close this view after configuring the actions and check the config of the alert this will always highlight Azure although you have selected Hybrid Worker => no panic!
So now we already have the alert which is kicking of our runbook on our Hybrid worker on prem.
At this stage we have:
- An alert which is detected in OMS
- An alert is raised in OMS. This can be checked by clicking the red dot on the bell in the top toolbar of your OMS workspace
3. A runbook is triggered which:
- Extracts the data from the oms alert webhook
- Creates a log file on the azure hybrid worker
- logs the data in the eventlog of the hybrid worker.
Step5. Get the alert in SCOM
So now when we check the eventlog of the Azure hybrid worker on prem we normally find the following alert everytime the OMS automation runbook is triggered by the OMS alert:
Now it’s quite straightforward to get the alert in SCOM by using a standard Monitor (self resetting after a while)
Note: I used a custom targetting to Hybrid Runbook Worker to make sure the monitor is not run on all machines.
and eureka:
The MP I used for reference: http://scug.be/dieter/files/2017/06/OMS.Alerting.MP_.rar
The alerts show up in SCOM triggered by our search query, transferred through OMS alerting, treated by an OMS automation runbook towards our Azure Hybrid runbook worker where it’s picked up by our management pack…