locked
SCOM generates a false positive when a container volume volume is renamed after container redeployment or restart. RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    The container´s volumes apprears as a mounted filesystems. in the OS space:

    Filesystem Size Used Avail Use% Mounted on overlay 197G 2.4G 185G 2% /docker/overlay2/9ed21fb91438df2b5b59212878d74b2c4054fd771aa6004cfadee912371d13a3/merged overlay 197G 2.4G 185G 2% /docker/overlay2/7359de2d4d7e19fb75daa34d51d21db1c02a44c99ac30aafca840c8ab4df5b5c/merged overlay 197G 2.4G 185G 2% /docker/overlay2/38086a3800656e9f92dfc24857c009d5b5ee1c22ad580edba4293ca0d9feacb6/merged

    Every time the container restarts, it´s volumes will change the hash name. This is an expected behavior. Somehow, SCOM can´t handle this and assumes that the old disk is not there anymore (That is technically true) and triggers an alarm and an incident is created automatically. We need to find a way to stop this false positives as they are losing their purpose. By getting so many of them, we might lose a real alert in a sea of false positives. Any comments ?

    -py


    Tuesday, June 30, 2020 6:24 AM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    What MP are you using? The one created by Vladimir Zelenov and available in the technet gallery?

    Tuesday, June 30, 2020 8:20 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hello Cyraz , 

    Apologies for my delayed response.

    We have a management pack to exclude the Overlay and nfs mount points from monitoring. However, alert still appear on the console.

    We have a dynamic group 

    ( Object is Logical Disk AND ( FileSystem Equals nsfs ) OR ( FileSystem Equals overlay ) ) 

    and i have verified the instances are discovered in the group. Is there anything i'm missing ?

    -py

    Monday, July 20, 2020 7:59 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Oh yes I remember now, I've already faced that issue.

    The best way to avoid errors with overlay filesystem is to override the Logical Disk discovery : it has a setting called "ExcludeFileSystemType" that you can use for that.

    Monday, July 20, 2020 9:13 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    Many Thanks Cyraz , I will look into it.

    -py

    Monday, July 20, 2020 1:31 PM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hello Cyraz,

    May i request how can i perform this override? Should i override it on the group which i have created to discover nsfs and overlay filesystems ?

    Override on the below discovery rule

    If yes , how do i remove the instances that have already been discovered using below

    Remove-SCOMDisabledClassInstance

    Please advise

    -py

    Tuesday, August 11, 2020 11:12 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    No, you should do it "for all instances" and they will get undiscovered next time the discovery runs.

    There is no need to target a group nor to run remove-scomdisabledclassinstance here, because you are not disabling the discovery but rather telling it to ignore some specific filesystems next time it runs.

    • Edited by CyrAz Tuesday, August 11, 2020 12:02 PM
    Tuesday, August 11, 2020 12:02 PM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hello Cyraz,

    Forgive me for lack of understanding here. 

    The alert is being generated from a Ubuntu server. 

    When i scoped discoveries to Logical disk , below categories appear . 

    When i override "Discover Linux Logical disk" for all objects i do not see any option to exclude filesystem

    Can you please advise ?

    -py


    Friday, August 14, 2020 7:33 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    You should see two options in the overrides : ExcludeFileSystemName and ExcludeFileSystemType, as shown in the datasource properties of that discovery here : https://systemcenter.wiki/?GetElement=Microsoft.Unix.WSMan.TimedEnumerate.LogicalDisk.DiscoveryData&Type=DataSourceModuleType&ManagementPack=Microsoft.Unix.Library&Version=7.6.1072.0

    I unfortunately do not have a running SCOM environment available right now so I can't show you a screenshot. Could you show us what you see in the override possibilities of that discovery?

    Friday, August 14, 2020 7:41 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Please find the screenshot below

    Summary :

    for "Discover Universal Linux Logical disks' discovery there is no exclude filter.

    for other types, i.e. RHEL 5,6,7 i was able to find the exclude filter. 

    --------------------------------

    Discovered type : Discover Universal Linux logical disk 

    Other discovered types :

    Discovered type: RHEL Server 5 logical disk

    Please advise 

    -py

    Friday, August 14, 2020 9:19 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    Any comments ?

    -py

    Tuesday, August 18, 2020 5:17 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi py,

    had the same challenge with e customer of mine. The solutions was exactly what Cyril also suggested - group and override. I have described it in your Microsoft QandA post here:

    SCOM generates a false positive when a container volume volume is renamed after container redeployment or restart

    Regards,

    Stoyan

    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Thursday, August 20, 2020 7:57 AM