OMS – Log Search Cheat Sheet


A bit more than 2 years ago I created a cheat sheet for Azure Operational Insights Search Data Explorer, today known as Operations Management Suite (OMS) Log Search. Over the years this technology has evolved and grown to one of THE most exciting products from Microsoft. The log search syntax has also grown and got some new options. Because of that, I updated the legacy cheat sheet to meet the latest syntax and modified the examples. I had to extend the sheet to two pages, so that the content would make sense.

Page 1…image

…Page 2


Continue reading

SCOM / SCSM – Retrieve Decrypted RunAs Account Credentials


I am not sure if you have seen it, but Richard Warren from nccgroup has figured out, how to decrypt the RunAs account credentials in SCOM. The problem up to now was, that there was no official way to retrieve the encrypted credentials from SCOM. There is just one DLL to use, which offers the decrypt method. He has written a EXE and a PowerShell script on Github . I know there are always two sides of the medal. In this case an evil and a good way of using this knowledge. I think I don’t have to talk about the evil way, instead I would like to talk about its benefit.

Richard Warren has used it for SCOM RunAs accounts, but if you think about it Service Manager (SCSM), which is based on the same framework, therefore I was curious if this approach also works for SCSM. In fact it did! Why is this awesome? Well, think about it. We are able to “securely” store credentials in SCSM (or SCOM) using RunAs accounts. Now we are able to retrieve those credentials easily. Because I do a lot of automation in SCSM using service requests and itnetX PowerShell activities I always had some trouble to store credentials in a save manner. There are many ways to do so, like exporting the credentials into XML (Export-CliXML) , using certificates , encrypting the credentials using a key and store it somewhere like here or maybe you could store the credentials in SMA and retrieve it using PowerShell. Whatever method you are going to use, you will end up with more or less problems. The best approach would be, to store the credentials on the system where you need it (SCSM) and the SCSM administrator can manage these accounts without to dig into PowerShell code or certificates etc. Therefore RunAs accounts are a perfect way for storing credentials.

Because of that, I have used Richard’s sample, modified the code a bit to be able to use it on SCOM and SCSM and also return proper output. The PowerShell module will return the a credential hash table. You need to execute the module on the SCOM or SCSM management server and the only parameter you need to provide is the SCOM RunAs account display name like in this example.

In SCOM the RunAs account looks like this…


…and if you use the PowerShell module it works like this…


You can download the module from PowerShell Gallery . Be aware of the fact, that you need permission to access the database and management server.

Continue reading

OMS – Custom Solution “SCOM Effective Configuration”

I had been very busy lately so this blog has been quite for few days, but now I would like to provide a custom OMS solution. My goal was to build a solution which shows you the effective configuration of a monitor or rule, based on a group of objects in SCOM. I created two parts, one is a PowerShell module to collect all the data from your SCOM management server and ingest it into your OMS workspace. For visualizing the data I created a OMS view which looks like this…


How does it work? Great question, so let’s start with the data collection.

SendEffectiveConfiguration PowerShell Module

I published the module on PowerShell gallery, which you can find here.

The module supports the following parameters:

  • GroupDisplayName

This parameter accepts any existing group in SCOM, that contains objects. E.g. Windows Server 2012 Computer Group.

  • ManagementServer

Set your SCOM management server here.

  • CustomerID

CustomerID is the workspace id where you want to analyze your data.

  • SharedKey

SharedKey ist the primary key for the corresponding workspace.

So the command executed would look like this:

Send-EffectiveConfiguration -GroupDisplayName  “Windows Server 2012 Computer Group” -ManagementServer SCOM -CustomerId [WorkspaceID] -SharedKey [PrimaryKey] –verbose

Continue reading

SCOM – Extensible Network Monitoring Management Pack Generator Tool


Microsoft just released the Extensible Network Monitoring Management Pack Generator tool which allows you to build custom SNMP management packs. In my previous post SCOM 2016 TP5 I have written a post about the prototype of this tool which was command line driven. I addressed some missing parts like a GUI, custom SNMP components and handling more complex SNMP values. Guess what?! Microsoft listened and released a GUI based (and also a command line based) tool to create your own SNMP management packs..

Both tool have the following features:

  1. SNMP_MPGenerator tool has an inbuilt MIB browser. Users can load MIB files, search through the Object Identifiers (OIDs) of the component they wish to add workflows for and create rules and monitors.
  2. Users can add monitors and rules for device components such as Processor, Memory, Fan, Temperature Sensor, Power Supply, Voltage Sensor and Custom device components.
  3. This tool would also support custom devices in addition to already supported devices like Switch, Router, Firewall and Load Balancer.
  4. Users can define monitors and rules for multiple devices in a single project file and generate a single Management Pack for all of their devices.
  5. As mentioned above, this tool would also include the command line executive NetMonMPGenerator.exe for users who wish to generate MP through command line interface.

The tool is free and comes with a detailed documentation how to build an MP. I just have clicked through the tool and it seems to be very self-explaining. The GUI has basically two parts, the MIB browser which let’s you import MIBs and browse/search through the MIB tree and the editor part were you can add components, rules and monitors. The MIB browser is just for finding the proper OID for each component and then you are able to copy/paste the value to the proper place in the editor. For the command line tool you need to configure a XML file as input.

I think it is a very nice approach and let’s see how it will perform in some upcoming projects download the tool here.

SCOM 2016 – What’s New UNIX/Linux Series: File System Discovery e.g. Exclude /tmp

A little pain in SCOM 2012 R2 was, that as soon you installed the UNIX/Linux management packs for your distribution all UNIX/Linux folders were discovered on the file system. This could be lead to a huge list of monitored directories e.g. /tmp, /var… which was not intended to be. To overcome this problem, you would have needed to create a group, add the objects and disable the discovery rule for this group. The override parameters in SCOM 2012 R2 looked like this…

…the discovery itself…


…and the properties…


In SCOM 2016 there is a new option which let’s you exclude directories using regular expressions. The override parameters in SCOM 2016 look like this…


As you can see there are two options, either override by file system name or by file system type.

How does this work? Let’s see…

Continue reading

SCOM 2016 – What’s New UNIX/Linux Series: Monitors and Rules Running (Any) Script e.g. Perl

One new feature I am very excited about is to run any sort of script on the UNIX/Linux agent. In SCOM 2012 R2 you had the option to run shell commands for performance rules and monitors. In SCOM 2012 R2 the monitor dialog looks like this…


…and the rules wizard shows options for creating shell command based alert and performance rules…


The problem was, that you were restricted to “one-liner” command which executed either the full command or you used the command to execute a script on the host. Now, in SCOM 2016 the awesome news are, that you are able to put any sort of UNIX/Linux scripts into your monitors and rules. The new wizard for monitors looks like this…image

…and the additional script options for alert and performance rules…image

As you can see,  we got these new options:

  • UNIX/Linux Script Three State Monitor
  • UNIX/Linux Script Two State Monitor
  • UNIX/Linux Script (Alert) Rule
  • UNIX/Linux Script (Performance) Rule

I think this a really awesome step for SCOM. In the past I had a few cases where I would have needed such new capabilities. How does it work? Let’s see…

Continue reading

SCOM 2016 – What’s New UNIX/Linux Series: Discovery Wizard Provide RunAs Account

I just want to start a short series “SCOM 2016 – What’s New Unix/Linux” where I show you what’s new in SCOM 2016 from a UNIX/Linux perspective. We start of with the discovery wizard. In SCOM 2012 R2 when you discovered the UNIX/Linux systems you always had to provide the credentials for deploying the agent.

In SCOM 2012 R2 it looked like this…


In SCOM 2016 you are able to select a RunAs account, which will be used for deployment. Actually the UNIX/Linux Agent Maintenance Account and the UNIX/Linux Action Account credentials will be used for discovery and installation of the agent.


This a very convenient for deploying a large amount of agents, so you don’t have to provide the credentials all the time. Nice!