OMS – HTTP Data Collector API 403 (Forbidden)

A few weeks ago Microsoft released the Azure Log Analytics HTTP Data Collector API, which allows you to shoot JSON data into OMS Log Analytics. This is awesome news, because now anything is possible. This means you are able to use (m)any script languages to send any data to OMS for further analytics, and you are able to use all the nice OMS goodies like alerting, view designer for building awesome dashboards, query language for some deep dive into your data etc. I had been playing with this API on my Linux box to see what it is capable of. I use a PowerShell test script on Linux, which I knew worked before. All of a sudden I received this error…


I was wondering, because I was sure this script and my workspace were working fine. Actually I modified the script from this blog post: Azure Log Analytics HTTP Data Collector API. If I check the error code, it says that the workspace ID or connection key needs to be valid.


After a minute I got an idea and compared the time on my Linux box…


…and the one on my client… there is a deviation of 40 minutes. I corrected the time on my Linux machine and all of a sudden the data submission worked fine. I was wondering what the maximum allowed deviation would be. I went back in time in 5-minute steps and after I reached a 15 minute time difference I received the same error. If I put the time back just 14 minutes, the script worked fine.

Conclusion: If you are playing with the Azure Log Analytics HTTP Data Collector API, make sure your clock is set correctly, otherwise you will receive a 403 error.
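An added example (not the PowerShell script used in this post) showing where the local clock enters a Data Collector API request and how to check the skew before sending. It follows Microsoft's documented SharedKey signing format for this API; the workspace ID, key and timestamps are constructed, and the 15-minute limit is the one observed in the experiment above.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Limit taken from the post's experiment: 14 minutes off worked, 15 did not.
REJECT_AT_SECONDS = 15 * 60


def x_ms_date(now):
    """RFC 1123 timestamp for the x-ms-date header, read from the local clock."""
    return format_datetime(now.astimezone(timezone.utc), usegmt=True)


def authorization(workspace_id, shared_key_b64, body, date_header):
    """SharedKey header: HMAC-SHA256 over a string that includes x-ms-date."""
    to_sign = "POST\n{}\napplication/json\nx-ms-date:{}\n/api/logs".format(
        len(body), date_header)
    digest = hmac.new(base64.b64decode(shared_key_b64),
                      to_sign.encode("utf-8"), hashlib.sha256).digest()
    return "SharedKey {}:{}".format(
        workspace_id, base64.b64encode(digest).decode("ascii"))


def clock_skew_seconds(local_now, reference_date_header):
    """Local clock minus a trusted reference, e.g. the Date header of an HTTPS reply."""
    reference = parsedate_to_datetime(reference_date_header)
    return (local_now - reference).total_seconds()


def would_be_rejected(skew_seconds):
    """True when the skew reaches the window at which the post saw the 403."""
    return abs(skew_seconds) >= REJECT_AT_SECONDS


if __name__ == "__main__":
    # Constructed values: placeholder workspace, throwaway key, fixed timestamps.
    workspace = "00000000-0000-0000-0000-000000000000"
    key = base64.b64encode(b"constructed-demo-key").decode("ascii")
    body = b'[{"Computer": "linux01", "Value": 1}]'
    reference = "Wed, 24 Aug 2016 10:00:00 GMT"
    local_now = parsedate_to_datetime(reference) - timedelta(minutes=40)

    skew = clock_skew_seconds(local_now, reference)
    print("x-ms-date :", x_ms_date(local_now))
    print("auth      :", authorization(workspace, key, body, x_ms_date(local_now)))
    print("skew (s)  :", skew, "-> expect 403" if would_be_rejected(skew) else "-> ok")
```

Because the timestamp is part of the signed string, a stale clock surfaces as an authentication failure and not as a separate "bad date" error, which is why the 403 text points at the workspace ID and key.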

SCOM 2016 – What’s New UNIX/Linux Series: File System Discovery e.g. Exclude /tmp

A little pain in SCOM 2012 R2 was that as soon as you installed the UNIX/Linux management packs for your distribution, all UNIX/Linux folders were discovered on the file system. This could lead to a huge list of monitored directories, e.g. /tmp, /var…, which was not intended. To overcome this problem, you would have needed to create a group, add the objects and disable the discovery rule for this group. The override parameters in SCOM 2012 R2 looked like this…

…the discovery itself…


…and the properties…


In SCOM 2016 there is a new option which lets you exclude directories using regular expressions. The override parameters in SCOM 2016 look like this…


As you can see there are two options, either override by file system name or by file system type.

How does this work? Let’s see…


SCOM 2016 – What’s New UNIX/Linux Series: Monitors and Rules Running (Any) Script e.g. Perl

One new feature I am very excited about is to run any sort of script on the UNIX/Linux agent. In SCOM 2012 R2 you had the option to run shell commands for performance rules and monitors. In SCOM 2012 R2 the monitor dialog looks like this…


…and the rules wizard shows options for creating shell command based alert and performance rules…


The problem was that you were restricted to a “one-liner” command, which executed either the full command or you used the command to execute a script on the host. Now, in SCOM 2016 the awesome news is that you are able to put any sort of UNIX/Linux scripts into your monitors and rules. The new wizard for monitors looks like this…

…and the additional script options for alert and performance rules…

As you can see, we got these new options:

  • UNIX/Linux Script Three State Monitor
  • UNIX/Linux Script Two State Monitor
  • UNIX/Linux Script (Alert) Rule
  • UNIX/Linux Script (Performance) Rule

I think this is a really awesome step for SCOM. In the past I had a few cases where I would have needed such new capabilities. How does it work? Let’s see…


SCOM 2016 – What’s New UNIX/Linux Series: Agent Task Running Script e.g. Perl

I assume you are familiar with creating SCOM tasks and you know there are tasks that are executed on the SCOM console side (console task) and such that are executed on the agent (agent task). In the past you had only a few options, like running commands on Windows and UNIX/Linux or scripts only on Windows agents. The task options looked like this in SCOM 2012 R2…


In SCOM 2016 you are now able to run scripts on UNIX/Linux agents using all kinds of script languages (any) that are installed on the target machine.


To prove that it works I created a simple task called Perl Ping


SCOM 2016 – What’s New UNIX/Linux Series: Discovery Wizard Provide RunAs Account

I just want to start a short series “SCOM 2016 – What’s New Unix/Linux” where I show you what’s new in SCOM 2016 from a UNIX/Linux perspective. We start off with the discovery wizard. In SCOM 2012 R2 when you discovered the UNIX/Linux systems you always had to provide the credentials for deploying the agent.

In SCOM 2012 R2 it looked like this…


In SCOM 2016 you are able to select a RunAs account, which will be used for deployment. Actually the UNIX/Linux Agent Maintenance Account and the UNIX/Linux Action Account credentials will be used for discovery and installation of the agent.


This is very convenient for deploying a large number of agents, so you don’t have to provide the credentials all the time. Nice!

OMS – Linux Agent Send Remote Syslog Messages to OMS


As you know, OMS can receive syslog messages from its Linux agents. Well, this is nothing special anymore, but there might be use cases where you cannot install a Linux agent or you might have some network devices which need to send syslog messages to OMS because you want to do some deep inspection of the data. How would you handle such a situation? Well, one way would be to configure a centralized syslog server. This means you “promote” a Linux server as syslog server and this will be the “target” node for the other devices / systems. After that, configure the surrounding systems to “shoot” their events to the syslog server. I will show you how to do that in this demo.


The Linux agent supports e.g. rsyslog or syslog-ng, uploading all events from all facilities with a severity of warning or higher. In my example I will use SUSE Enterprise Server 12, which has rsyslog installed. The default collected event configuration looks like this…


I have installed two Linux systems, SUSE01 and SUSE02. SUSE01 is acting as syslog server, collecting all the events and sending them to OMS. SUSE02 is configured as “client” which will send the events to SUSE01. How did I do that? Let’s see. First we will configure SUSE02 (client).

I will not show you how to install Linux nor how to install the OMS Linux agent, because there are enough posts on the internet. Make sure your firewall is also configured for the required ports.


First you need to prepare your OMS workspace. In OMS you need to configure what facility you would like to get into your workspace. Make sure you configured your workspace, where you have your agent connected to, according to your need. If you need help, check this article here. In my case I added user and local7 facility to my workspace and deployed it to my agents…

After that, we are ready to configure SUSE02 (client).

System Center Universe Europe 2016 – Speaker

This year I am very proud again to be part of the System Center Universe Europe 2016 conference on August 24-26 in Berlin.

System Center Universe is a community conference with a strong focus on systems management and virtualization topics such as cloud, datacenter and modern workplace management. We present top content with top presenters around Microsoft System Center, Microsoft Azure, Office 365, Microsoft Hyper-V and more and want to build the number one conference for those kinds of topics across Europe.

I will have two sessions about different topics, the first session will cover the latest about SCOM 2016 and OMS in a Linux world. I will present together with my colleague Stefan Johner (@JohnerStefan) a demo packed session, about the latest and greatest features in both technologies.

The session will be on Wednesday, August 24th 12:00 – 13:00


My second session is a more fun session where we have built an automation “thing”, using all sorts of freely available Azure and other cloud resources to provide a “tool” that gives you some advice when you need it. It is a session that is fun but also shows you things you might not have known. If you want to know more about this session please join my fellow MVP Stefan Koell (@stefankoell) and me in Berlin.

The session will be on Thursday, August 25th 09:15 – 10:15


You can expect a top quality conference with top quality content. During the conference you have many options to learn and connect. Beside learning we guarantee that you will also have a lot of fun at our parties and make new friends. Here we go with a list of available options you have during the conference:

  • 3 conference days
  • 75+ breakout sessions
  • 1 Keynote session
  • 1 Closing session
  • 1 Pre-Party session
  • 5 parallel tracks
  • Lots of Microsoft MVPs on site
  • Ask the experts area
  • Exhibition area (partners)
  • 1-to-few side meetings
  • Top WiFi infrastructure
  • Power available everywhere
  • Food & beverages
  • Networking Party
  • Closing Party
  • Well connected historical city
  • Hotels near the venue

It is going to be a great conference with a lot of skilled people and a lot to learn and of course a lot of fun. So hopefully see you in Berlin!