SCOM - Monitor a registry key

  • Question

  • Good day

    I am a beginner with SCOM and my first task is to create a management pack that controls the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1" to check if it is on the value 0. With the help of the Authoring Console 2007, I have created a Management Pack following the instructions at https://kevinholman.com/2010/08/01/how-to-create-a-monitor-to-inspect-the-value-of-a-registry-key/.
    Now I have imported the XML file, which is in the attachment, and found this error message in the Event Viewer:

    Property reference with id:"{8F538D63-86DA-C149-3C84-1F1AACE2F930}" in workflow "****RegistrySMBv1.RegistrySMBv1Monitor", running for instance "Microsoft Windows Server 2016 Standard" with id:"{E33EE284-47F4-807F-7290-13CE4C7544B4}" cannot be resolved. Workflow will not be loaded. Management group "****-TEST"

    Unfortunately, it didn't resolve the problem.

    Can anybody help me?

    Kind regards

    Noël Lehmann

    <ManagementPack ContentReadable="true" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      <Manifest>
        <Identity>
          <ID>****RegistrySMBv1</ID>
          <Version>1.0.0.0</Version>
        </Identity>
        <Name>****RegistrySMBv1</Name>
        <References>
          <Reference Alias="SC">
            <ID>Microsoft.SystemCenter.Library</ID>
            <Version>6.1.7221.0</Version>
            <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
          </Reference>
          <Reference Alias="Windows">
            <ID>Microsoft.Windows.Library</ID>
            <Version>6.1.7221.0</Version>
            <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
          </Reference>
          <Reference Alias="Health">
            <ID>System.Health.Library</ID>
            <Version>6.1.7221.0</Version>
            <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
          </Reference>
          <Reference Alias="System">
            <ID>System.Library</ID>
            <Version>6.1.7221.0</Version>
            <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
          </Reference>
        </References>
      </Manifest>
      <TypeDefinitions>
        <MonitorTypes>
          <UnitMonitorType ID="****RegistrySMBv1.RegistrySMBv1" Accessibility="Internal">
            <MonitorTypeStates>
              <MonitorTypeState ID="RegValueBad" NoDetection="false" />
              <MonitorTypeState ID="RegValueGood" NoDetection="false" />
            </MonitorTypeStates>
            <Configuration />
            <MonitorImplementation>
              <MemberModules>
                <DataSource ID="RegDS" TypeID="Windows!Microsoft.Windows.RegistryProvider">
                  <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
                  <RegistryAttributeDefinitions>
                    <RegistryAttributeDefinition>
                      <AttributeName>SMBv1</AttributeName>
                      <Path>SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1</Path>
                      <PathType>1</PathType>
                      <AttributeType>2</AttributeType>
                    </RegistryAttributeDefinition>
                  </RegistryAttributeDefinitions>
                  <Frequency>60</Frequency>
                </DataSource>
                <ConditionDetection ID="CDGood" TypeID="System!System.ExpressionFilter">
                  <Expression>
                    <RegExExpression>
                      <ValueExpression>
                        <XPathQuery Type="String">Values/SMBv1</XPathQuery>
                      </ValueExpression>
                      <Operator>MatchesRegularExpression</Operator>
                      <Pattern>^(0)$</Pattern>
                    </RegExExpression>
                  </Expression>
                </ConditionDetection>
                <ConditionDetection ID="CDBad" TypeID="System!System.ExpressionFilter">
                  <Expression>
                    <RegExExpression>
                      <ValueExpression>
                        <XPathQuery Type="String">Values/SMBv1</XPathQuery>
                      </ValueExpression>
                      <Operator>DoesNotMatchRegularExpression</Operator>
                      <Pattern>^(0)$</Pattern>
                    </RegExExpression>
                  </Expression>
                </ConditionDetection>
              </MemberModules>
              <RegularDetections>
                <RegularDetection MonitorTypeStateID="RegValueBad">
                  <Node ID="CDBad">
                    <Node ID="RegDS" />
                  </Node>
                </RegularDetection>
                <RegularDetection MonitorTypeStateID="RegValueGood">
                  <Node ID="CDGood">
                    <Node ID="RegDS" />
                  </Node>
                </RegularDetection>
              </RegularDetections>
            </MonitorImplementation>
          </UnitMonitorType>
        </MonitorTypes>
      </TypeDefinitions>
      <Monitoring>
        <Monitors>
          <UnitMonitor ID="****RegistrySMBv1.RegistrySMBv1Monitor" Accessibility="Internal" Enabled="true" Target="Windows!Microsoft.Windows.Server.OperatingSystem" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="****RegistrySMBv1.RegistrySMBv1" ConfirmDelivery="true">
            <Category>Custom</Category>
            <AlertSettings AlertMessage="****RegistrySMBv1.RegistrySMBv1Monitor_AlertMessageResourceID">
              <AlertOnState>Warning</AlertOnState>
              <AutoResolve>true</AutoResolve>
              <AlertPriority>Normal</AlertPriority>
              <AlertSeverity>Warning</AlertSeverity>
              <AlertParameters>
                <AlertParameter1>$Data/Context/Values$</AlertParameter1>
              </AlertParameters>
            </AlertSettings>
            <OperationalStates>
              <OperationalState ID="UIGeneratedOpStateId25ecac8270de4999a5a90eda504a8247" MonitorTypeStateID="RegValueBad" HealthState="Warning" />
              <OperationalState ID="UIGeneratedOpStateId7675c3309f5846718b98f7711e471b87" MonitorTypeStateID="RegValueGood" HealthState="Success" />
            </OperationalStates>
            <Configuration />
          </UnitMonitor>
        </Monitors>
      </Monitoring>
      <Presentation>
        <StringResources>
          <StringResource ID="****RegistrySMBv1.RegistrySMBv1Monitor_AlertMessageResourceID" />
        </StringResources>
      </Presentation>
      <LanguagePacks>
        <LanguagePack ID="DES" IsDefault="false">
          <DisplayStrings>
            <DisplayString ElementID="****RegistrySMBv1">
              <Name>_****_MONITORING_REGISTRY_SMBv1</Name>
            </DisplayString>
            <DisplayString ElementID="****RegistrySMBv1.RegistrySMBv1">
              <Name>_****_MONITORING_RegistrySMBv1</Name>
              <Description />
            </DisplayString>
            <DisplayString ElementID="****RegistrySMBv1.RegistrySMBv1Monitor">
              <Name>_****-N-R-RegistryMonitorSMBv1</Name>
              <Description />
            </DisplayString>
            <DisplayString ElementID="****RegistrySMBv1.RegistrySMBv1Monitor" SubElementID="UIGeneratedOpStateId25ecac8270de4999a5a90eda504a8247">
              <Name>RegValueBad</Name>
            </DisplayString>
            <DisplayString ElementID="****RegistrySMBv1.RegistrySMBv1Monitor" SubElementID="UIGeneratedOpStateId7675c3309f5846718b98f7711e471b87">
              <Name>RegValueGood</Name>
            </DisplayString>
            <DisplayString ElementID="****RegistrySMBv1.RegistrySMBv1Monitor_AlertMessageResourceID">
              <Name>_****-N-R-MonitoringRegistrySMBv1</Name>
              <Description>{0}</Description>
            </DisplayString>
          </DisplayStrings>
        </LanguagePack>
        <LanguagePack ID="ENU" IsDefault="true">
          <DisplayStrings>
            <DisplayString ElementID="****RegistrySMBv1">
              <Name>_****_MONITORING_REGISTRY_SMBv1</Name>
            </DisplayString>
            <DisplayString ElementID="****RegistrySMBv1.RegistrySMBv1">
              <Name>_****_MONITORING_RegistrySMBv1</Name>
              <Description />
            </DisplayString>
            <DisplayString ElementID="****RegistrySMBv1.RegistrySMBv1Monitor">
              <Name>_****-N-R-RegistryMonitorSMBv1</Name>
              <Description />
            </DisplayString>
            <DisplayString ElementID="****RegistrySMBv1.RegistrySMBv1Monitor" SubElementID="UIGeneratedOpStateId25ecac8270de4999a5a90eda504a8247">
              <Name>RegValueBad</Name>
            </DisplayString>
            <DisplayString ElementID="****RegistrySMBv1.RegistrySMBv1Monitor" SubElementID="UIGeneratedOpStateId7675c3309f5846718b98f7711e471b87">
              <Name>RegValueGood</Name>
            </DisplayString>
            <DisplayString ElementID="****RegistrySMBv1.RegistrySMBv1Monitor_AlertMessageResourceID">
              <Name>_****-N-R-MonitoringRegistrySMBv1</Name>
              <Description>{0}</Description>
            </DisplayString>
          </DisplayStrings>
        </LanguagePack>
      </LanguagePacks>
    </ManagementPack>

    Monday, June 8, 2020 1:44 PM

Answers

  • I do not have an available SCOM environment to try it myself, but it's probably because you use the variable

    <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

    while the target of your monitor is Microsoft.Windows.Server.OperatingSystem.

    As you can see on the link, that class itself doesn't have a Microsoft.Windows.Computer/NetworkName property.

    However, it is hosted by the Microsoft.Windows.Computer class, so you can use that syntax:

    <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

    • Marked as answer by Noël Lehmann Tuesday, June 9, 2020 12:51 PM
    Monday, June 8, 2020 3:44 PM
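
The mismatch described in the answer can be caught before import. The following is an added example, not code from the thread or from SCOM: it links each unit monitor to its monitor type and flags `$Target/Property[...]$` references that read a property of the hosting class without a `Host/` hop. The `Demo.` IDs and the trimmed sample pack are constructed, and the `HOSTED_BY` table holds only the one relationship stated in the answer.

```python
import re
import xml.etree.ElementTree as ET

# Hosting relationship stated in the answer above; extend for other classes.
HOSTED_BY = {"Microsoft.Windows.Server.OperatingSystem": "Microsoft.Windows.Computer"}

# $Target/[Host/...]Property[Type="Alias!Class"]/PropertyName$
TARGET_REF = re.compile(r'\$Target/((?:Host/)*)Property\[Type="([^"]+)"\]/(\w+)\$')

# Constructed sample: trimmed management pack with hypothetical "Demo." IDs.
SAMPLE_MP = r"""
<ManagementPack>
  <TypeDefinitions><MonitorTypes>
    <UnitMonitorType ID="Demo.RegistrySMBv1.Type">
      <MonitorImplementation><MemberModules>
        <DataSource ID="RegDS" TypeID="Windows!Microsoft.Windows.RegistryProvider">
          <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
        </DataSource>
      </MemberModules></MonitorImplementation>
    </UnitMonitorType>
  </MonitorTypes></TypeDefinitions>
  <Monitoring><Monitors>
    <UnitMonitor ID="Demo.RegistrySMBv1.Monitor" TypeID="Demo.RegistrySMBv1.Type"
                 Target="Windows!Microsoft.Windows.Server.OperatingSystem" />
  </Monitors></Monitoring>
</ManagementPack>
"""

def strip_alias(type_id):
    """'Windows!Microsoft.Windows.Computer' -> 'Microsoft.Windows.Computer'."""
    return type_id.split("!", 1)[-1]

def lint_management_pack(xml_text):
    """List $Target$ references that read a host-class property without /Host/."""
    root = ET.fromstring(xml_text.strip())
    monitor_types = {mt.get("ID"): mt for mt in root.iter("UnitMonitorType")}
    findings = []
    for monitor in root.iter("UnitMonitor"):
        host = HOSTED_BY.get(strip_alias(monitor.get("Target", "")))
        # The reference can sit in the monitor or in its monitor type's modules.
        scopes = [monitor, monitor_types.get(monitor.get("TypeID"))]
        for elem in (e for s in scopes if s is not None for e in s.iter()):
            for m in TARGET_REF.finditer(elem.text or ""):
                hops, ref_type, prop = m.groups()
                if host and strip_alias(ref_type) == host and not hops:
                    fixed = f'$Target/Host/Property[Type="{ref_type}"]/{prop}$'
                    findings.append((monitor.get("ID"), elem.tag, m.group(0), fixed))
    return findings
```

Each finding is a tuple of monitor ID, the element holding the reference, the reference as written, and the form with `Host/` inserted.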