SCOM 2012 Linux Monitoring (Lab) – Part 3 Agent Deployment

In part 2 we prepared SCOM to get ready for monitoring LINUX. Now we need to deploy the agent. So let’s get started…

Here is an overview of the steps we need to take:

  1. Create monitoring account
  2. Modify sudoers file
  3. Discovery wizard
  4. Redeploy certificate

1. Create Monitoring Account

In part 2 when we configured the RunAs accounts we used the monuser credentials. Now we are going to create this user. Log in as the root user on your SUSE LINUX system using VNC and open a terminal window (see part 1). You should see something like this…

Run these commands:

sudo useradd monuser

sudo passwd monuser (after you hit enter you must type your password two times)

2. Modify sudoers file

The next step is to modify the sudoers file. This modification allows monuser to elevate its permissions for certain actions that need more privileges. Luckily Microsoft has predefined the entries we have to add for the different UNIX/LINUX platforms. You will find the list here.

In your terminal run the command:

sudo visudo

This will open the sudoers file in vi (a LINUX editor). It looks like this…

I copied and pasted the entries, in my case the ones for LINUX, into this file:

    #-----------------------------------------------------------------------------------
    #User configuration for Operations Manager agent – for a user with the name: monuser

    #General requirements
    Defaults:monuser !requiretty

    #Lower sudo password prompt timeout for the user
    Defaults:monuser passwd_tries = 1, passwd_timeout = 1

    #Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
    monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
    monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC
    monuser ALL=(root) NOPASSWD: /bin/sh -c  /bin/rpm -U --force */scx-*
    monuser ALL=(root) NOPASSWD: /bin/sh -c  /bin/rpm -F --force */scx-*
    monuser ALL=(root) NOPASSWD: /bin/sh -c  rpm -e scx
    monuser ALL=(root) NOPASSWD: /bin/sh -c  cat /etc/opt/microsoft/scx/ssl/scx.pem
    monuser ALL=(root) NOPASSWD: /bin/sh -c  echo *

    #Log file monitoring
    monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

    ###Examples
    #Custom shell command monitoring example – replace <shell command> with the correct command string
    #monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>

    #Daemon diagnostic and restart recovery tasks example (using cron)
    #monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
    #monuser ALL=(root) NOPASSWD: /sbin/service cron start

    #End user configuration for Operations Manager agent
    #-----------------------------------------------------------------------------------

Here is a short vi tutorial.

vi is an old text editor from UNIX/LINUX. You will find it on almost every UNIX/LINUX computer. It is a very powerful editor if you know how to use it. Otherwise it will drive you nuts.

This editor has two modes: a command mode and an insert mode. In command mode, pressing “i” enters insert mode; pressing the Esc key returns you to command mode.

So what do we need to do….

  1. Run the command sudo visudo (if you have not already)
  2. Use your arrow keys to navigate to the end of the file
  3. Press the “i” on your keyboard (you should see “insert” in your left lower corner)
  4. Copy/Paste like in Windows the lines from above into the file
  5. Press “Esc” key on your keyboard (enter the command mode)
  6. Press “:” key on your keyboard (tells vi to expect commands)
  7. Type “wq” (command write and quit)

Now you should be back on your command line.
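To review what the sudoers block above actually grants to monuser, the following added example (not part of the original post or of Microsoft's documentation) classifies each active rule. The function names audit_rules and count_flag and the flag labels are assumptions of this example; the sample input reuses the rule lines shown on this page.

```shell
#!/bin/sh
# Added example: classify the sudoers rules granted to one account.
# SAMPLE reuses the rule lines shown on this page (constructed input);
# in practice, feed a root-made copy of the real sudoers file on stdin.
SAMPLE='Defaults:monuser !requiretty
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c  /bin/rpm -U --force */scx-*
monuser ALL=(root) NOPASSWD: /bin/sh -c  /bin/rpm -F --force */scx-*
monuser ALL=(root) NOPASSWD: /bin/sh -c  rpm -e scx
monuser ALL=(root) NOPASSWD: /bin/sh -c  cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c  echo *
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
#monuser ALL=(root) NOPASSWD: /sbin/service cron start'

# audit_rules USER: read sudoers text on stdin and print one line per active
# rule for USER as "<flags><TAB><command spec>". Flags (comma separated):
#   NOPASSWD  no password prompt before the command runs as root
#   WILDCARD  spec contains * or ?, so it matches more than one command line
#   SHELL     the permitted command is a shell started with -c
audit_rules() {
    awk -v user="$1" '
        function add(f) { flags = flags (flags == "" ? "" : ",") f }
        /^[ \t]*#/  { next }              # comments and disabled example rules
        $1 != user  { next }              # Defaults lines and other accounts
        {
            spec = $0; flags = ""
            sub(/^[^=]*=[ \t]*/, "", spec)        # drop "user host="
            sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop optional "(runas)"
            if (sub(/^NOPASSWD:[ \t]*/, "", spec)) add("NOPASSWD")
            if (spec ~ /[*?]/) add("WILDCARD")
            if (spec ~ /^\/bin\/(sh|bash)[ \t]+-c/) add("SHELL")
            if (flags == "") flags = "-"
            print flags "\t" spec
        }'
}

# count_flag USER FLAG: number of active rules for USER carrying FLAG.
count_flag() {
    audit_rules "$1" | awk -F '\t' -v f="$2" 'index($1, f) { n++ } END { print n + 0 }'
}

# Print the classification for the sample above.
printf '%s\n' "$SAMPLE" | audit_rules monuser
```

Rules tagged both WILDCARD and SHELL deserve the closest review, because sudoers wildcards in command arguments match across word boundaries.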

3. Discovery wizard

In SCOM 2012 run the discovery wizard and select UNIX/Linux computers…

Here I have already added a discovery criterion… click Add…

In discovery scope I entered the LINUX computer name SUSELinux…

Choose “Set credentials…”. I used the monuser account and selected “This account does not have privileged access” (as you remember, this is a normal LINUX user account without any permissions).

Now in order to receive the elevated permissions we must choose “Use ‘sudo’ elevation”…

Choose the LINUX resource pool and start the discovery process…

Select your LINUX computer…

After the discovery it is possible that the status will be failed…

If you click details the error shows a signing error…

4. Redeploy certificate

In this case we need to re-sign the certificate. Normally SCOM would get the certificate from the agent, sign it and deploy it back to the agent. Now we need to do this manually.

Go to WinSCP.net, download WinSCP and install it. This is a tool to transfer files from Windows to LINUX and vice versa.

Start the WinSCP client and enter the host name…

SUSELinux

Enter the root credentials…

Now you have your connection. On the left side is your Windows system and on the right side your LINUX system…cool huh?

On your right LINUX window go to /etc/opt/microsoft/scx/ssl and select your scx-host-[hostname].pem file.  On your left window choose the destination for example c:\temp. Then press F5 to copy the pem file from the LINUX computer to your Windows computer.


Next open an elevated command prompt and change the directory to C:\Program files\ System Center Operations Manager 2012\Server. Now enter the command:

scxcertconfig.exe -sign c:\temp\scx-host-SUSELinux.pem c:\temp\scx-host-SUSELinux-new.pem

Remember, we copied the scx-host-[hostname].pem file to the c:\temp directory on our SCOM server.

Next, rename scx-host-SUSELinux-new.pem to scx-host-SUSELinux.pem and copy it back to the LINUX machine by pressing F5.

In order to load the new certificate you must restart the service by typing:

scxadmin -restart

Re-run the discovery wizard and now you should receive a successful status.

Voilà….

And if you go into your SCOM 2012 console your LINUX should turn green…

So that’s it for part 3…enjoy!

14 Comments

  1. Pingback: SCOM 2012 Linux Monitoring (Lab) – Part 4 Monitoring Application Server | SCOMfaq.ch

  2. I successfully imported the management pack for CentOS Linux and discovered my CentOS Linux machine. But the state remains “Not monitored”. Is there a way I can troubleshoot it and find out the problem? Please help.

  3. Hi Stefan,

    We are using SCOM 2012 SP1

    I am following your blogs to set up monitoring for the Red Hat Linux servers that we have; however, I get stuck at discovery as it fails.

    The error message is

    Unexpected DiscoveryResult.ErrorData type. Please file bug report.
    ErrorData: Microsoft.SystemCenter.CrossPlatform.ClientLibrary.MPAbstractions.WSManUnknownErrorException
    The SSL connection cannot be established. Verify that the service on the remote host is properly configured to listen for HTTPS requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: “winrm quickconfig -transport:https”.
    at System.Activities.WorkflowApplication.Invoke(Activity activity, IDictionary`2 inputs, WorkflowInstanceExtensionManager extensions, TimeSpan timeout)
    at System.Activities.WorkflowInvoker.Invoke(Activity workflow, IDictionary`2 inputs, TimeSpan timeout, WorkflowInstanceExtensionManager extensions)
    at Microsoft.SystemCenter.CrossPlatform.ClientActions.DefaultDiscovery.InvokeWorkflow(IManagedObject managementActionPoint, DiscoveryTargetEndpoint criteria, IInstallableAgents installableAgents)

    Do I have to enable something for WinRM on Linux machines?

  4. Thanks Stefan , one more thing:

    All my Linux agents are being managed by SCOM 2007 R2 CU5

    I used to follow the blog for SCOM 2012 SP1; does that multihome the Linux agent or upgrade it?

    In both SCOM 2007 R2 Management group and SCOM 2012 SP1 i see the agent version as 1.0.4-277

  5. Pingback: Quick Post – Check Linux Certificate Issued by SCOM | SCOMfaq.ch
