False SCOM alerting for the modified file

  • Question

  • Hi,
    I deployed a two-state monitor using the following PowerShell script. Every 15 minutes, this monitor checks whether a given log file (overridable parameter) has been modified/changed within the last 60 minutes (overridable parameter). If yes, all is OK. If there is no change/modification, a SCOM alert will be generated.

    param([string]$FileWithPath)
    
    $ScomAPI = new-object -comObject "MOM.ScriptAPI"
    $PropertyBag = $ScomAPI.CreatePropertyBag()
    
    $LogFile = get-item $FileWithPath
    $State = "Unknown"
    try {
    	if ($LogFile.LastWriteTime -ge (get-date).AddMinutes(-60)){
    		#The file is modified/changed: healthy
    		$State = "OK"
    		}
    	else{
    		#ERROR, the file is not modified/changed: unhealthy
    		$State = "ERROR"   
    		}
    	}
    
    finally {
    		#Collect for alert or performance collection
    		$PropertyBag.AddValue("File",$FileWithPath)
    	
    		#State value for Monitor
    		$PropertyBag.AddValue("State",$State)
    	
    		# Send output to SCOM
    		$PropertyBag
    		}

    The issue is with false alerts.

    Although the log file is modified within 60 minutes, SCOM generated alerts as if the change is not up-to-date.

    I also tried the AddHours(-1) parameter in the script. It is the same issue.

    Any help/idea?

    Best regards

    Birdal


    • Edited by _Birdal Tuesday, October 1, 2019 7:10 AM
    Tuesday, October 1, 2019 6:49 AM

All replies

  • Hi Birdal,

    Your logic seems perfect and both of the time values in the script are in the same format too. I could only suggest avoiding white space in the script and giving it a try then.

    param([string]$FileWithPath)
    
    $ScomAPI = new-object -comObject "MOM.ScriptAPI"
    $PropertyBag = $ScomAPI.CreatePropertyBag()
    
    $LogFile = get-item $FileWithPath
    $State = "Unknown"
    try {
    	if ($LogFile.LastWriteTime -ge (get-date).AddMinutes(-60)){
    		#The file is modified/changed: healthy
    		$State = "OK"
    		}else{
    		#ERROR, the file is not modified/changed: unhealthy
    		$State = "ERROR"   
    		}
    	}finally{
    		#Collect for alert or performance collection
    		$PropertyBag.AddValue("File",$FileWithPath)
    	
    		#State value for Monitor
    		$PropertyBag.AddValue("State",$State)
    	
    		# Send output to SCOM
    		$PropertyBag
    		}

     

    Cheers, Gourav Please remember to mark the replies as answers if it helped.


    • Edited by GouravIN Tuesday, October 1, 2019 3:25 PM
    Tuesday, October 1, 2019 2:12 PM
  • Hi Birdal,

    Feels good to see you leveling up with your SCOM knowledge. Keep the trend!

    Can you please post some more details about this statement:

    "Although the log file is modified within 60 minutes, SCOM generated alerts as if the change is not up-to-date."

    Is the delay between the actual change and the change as per the alert always the same? Is it 1 hour?

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Tuesday, October 1, 2019 2:48 PM
    Moderator
  • Hi Stoyan,

    it is nice to see your comment here again :-).

    The modification of the file is not at the same time, but within 60 minutes.

    Additional details (example):

    1) The log file "myFile.log" is changed at 09:15

    2) SCOM script tries every 15 minutes to check the file if it is modified in the last 60 minutes.

    3) SCOM generates for example at 09:40 an alert. (that is false).

    4) Alert stays as "Active Alerts" in the SCOM Management Console. If I try to close the alert, SCOM says

    Alert(s) in the current selection cannot be closed as the monitor(s) which generated these alerts are still unhealthy. For more details on the alerts which could not be closed, view the "Alert Closure Failure" dashboard in the Operations Manager Web Console.

    5) If I "Recalculate Health" in the "Health Explorer", it still stays as an issue.

    6) After this alerting, SCOM monitor generates no more any alert, and this alert stays in "Active Alerts".

    Best regards

    Birdal


    Wednesday, October 2, 2019 10:46 AM
  • Hi Birdal,

    I might be missing something, but let's try to figure this out:

    When I check the PowerShell code and particularly:

    $LogFile.LastWriteTime -ge (get-date).AddMinutes(-60)

    I see that every change of the log file within the 60 minutes period will lead to the result always being $true (just tested this). How come then the monitor generates an alert if the file is changed at 09:15 and the workflow runs at 09:30 or 09:45?

    4) Alert stays as "Active Alerts" in the SCOM Management Console. If I try to close the alert, SCOM says

    Alert(s) in the current selection cannot be closed as the monitor(s) which generated these ale

    This is expected as the monitor is in Critical state, so you cannot close the alert (You seem to be running SCOM 2019)

    6) After this alerting, SCOM monitor generates no more any alert, and this alert stays in "Active Alerts".

    This would be also clear if the monitor is in Critical state. 

    Can you please make a screenshot of the monitor config and in particular the conditions and the PropertyBag config? I think we are missing something essential here. 

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Wednesday, October 2, 2019 11:49 AM
    Moderator
  • Couple things on the script:

    1. Some logging of the script would help.  Keep at least filename and timestamp in the logs to help on troubleshooting.  Use $SCOMAPI.LogScriptEvent to log to the OpsManager logs of the agent running the script.
    2. I would also send the timestamp in the PropertyBag.  At least you can see right from the console's Alert Context what the value was. (And you can even put that in the alert message if you want)
    3. The "Get-Item $FileWithPath" should be in the Try/Catch as it is more likely to fail than anything else (and this may be the root of your issue!)
    4. In theory, the probe script is only to capture data, not analyse it.  Thus I would have the script only capture the amount of time since file last modified and have a CD module evaluate the health.  You can use the New-TimeSpan cmdlet to determine the length of time as in:
    [Math]::Truncate((New-TimeSpan -Start $LogFile.LastWriteTime | Select-object -expandproperty TotalMinutes))

    However, your logic in the script is OK.  Once you do have logs, then you should be able to troubleshoot better.  If not, you will need to post the full UMT and relevant modules so we can help out.

    On the rest of your questions:

    1. If your Unit Monitor Type does not have an "OnDemandDetections" section, then by design, the "Recalculate Health" will not function.
    2. As Stoyan stated, the rest of your experience in the console are "per design".
    3. I think I already advised you to take on the MVA/Channel9 course on MP Authoring, some of your questions are answered there.
    Wednesday, October 2, 2019 12:57 PM
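
The script suggestions from the reply above (Get-Item inside the try block, logging through LogScriptEvent, timestamp and file age in the PropertyBag), put together as an added example that was not posted by anyone in the thread. The script name, event ID 9100, the $MaxAgeMinutes parameter and the property names LastWriteTime and MinutesSinceWrite are assumptions chosen for illustration.

```powershell
param(
    [string]$FileWithPath,
    [int]$MaxAgeMinutes = 60          # assumed parameter; the thread's 60-minute threshold
)

$ScriptName = "FileAgeProbe.ps1"      # hypothetical name shown in the logged event
$EventId    = 9100                    # hypothetical event ID

$ScomAPI     = New-Object -ComObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()

$State     = "Unknown"
$LastWrite = ""
$AgeMin    = -1

try {
    # -ErrorAction Stop makes a missing file or access-denied a terminating error,
    # so it lands in catch instead of leaving $LogFile as $null and the
    # comparison silently evaluating to $false.
    $LogFile   = Get-Item -LiteralPath $FileWithPath -ErrorAction Stop
    $LastWrite = $LogFile.LastWriteTime.ToString("s")
    $Age       = New-TimeSpan -Start $LogFile.LastWriteTime
    $AgeMin    = [Math]::Truncate($Age.TotalMinutes)

    if ($Age.TotalMinutes -le $MaxAgeMinutes) { $State = "OK" } else { $State = "ERROR" }

    # Severity 0 = informational
    $Message = "File={0} LastWriteTime={1} AgeMinutes={2} State={3}" -f $FileWithPath, $LastWrite, $AgeMin, $State
    $ScomAPI.LogScriptEvent($ScriptName, $EventId, 0, $Message)
}
catch {
    # State stays "Unknown"; severity 1 = error
    $Message = "Get-Item failed for {0}: {1}" -f $FileWithPath, $_.Exception.Message
    $ScomAPI.LogScriptEvent($ScriptName, $EventId, 1, $Message)
}
finally {
    $PropertyBag.AddValue("File", $FileWithPath)
    $PropertyBag.AddValue("LastWriteTime", $LastWrite)      # visible in the alert context
    $PropertyBag.AddValue("MinutesSinceWrite", $AgeMin)
    $PropertyBag.AddValue("State", $State)

    # Send output to SCOM
    $PropertyBag
}
```

With the UNHEALTHY and HEALTHY conditions posted later in the thread, a State of "Unknown" matches neither expression, so a failed Get-Item shows up in the event log rather than as a file-age result.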
  • Hi Stoyan,

    >>>> "How come then the monitor generates an alert if the file is changed at 09:15 and the workflow runs at 09:30 or 09:45?"

    I think the option "-ge (get-date).AddMinutes(-60)" is correct. Or do you mean something different?

    I list you the Monitor:

    SCRIPT

    -----------------

    param([string]$FileWithPath)
    
    $ScomAPI = new-object -comObject "MOM.ScriptAPI"
    $PropertyBag = $ScomAPI.CreatePropertyBag()
    
    $LogFile = get-item $FileWithPath
    $State = "Unknown"
    
    try {
    	if ($LogFile.LastWriteTime -ge (get-date).AddHours(-1)){
    		# The file has changed: healthy
    		$State = "OK" 
    		}
    	else{
    		# The file hasn't changed: unhealthy
    		$State = "ERROR"   
    		}
    	}
    
    finally {
    		#Collect for alert or performance collection
    		$PropertyBag.AddValue("File",$FileWithPath)
    	
    		#State value for Monitor
    		$PropertyBag.AddValue("State",$State)
    	
    		# Send output to SCOM
    		$PropertyBag
    		}
    

    PARAMETERS

    -----------------

    $FileWithPath = "C:\Program Files (x86)\myApp\Lib\C3\myFile.log"

    UNHEALTHY

    --------------

    	Property[@Name='State']	Equals	ERROR

    HEALTHY

    ---------------

    	Property[@Name='State']	Equals	OK

    Best regards

    Birdal

    Wednesday, October 2, 2019 1:29 PM
  • Hi Stoyan,

    could you see any problem in the script code / parameters?

    Best regards

    Birdal

    Tuesday, October 8, 2019 2:09 PM
    1) rather than using the file path as "C:\Program Files (x86)\myApp\Lib\C3\myFile.log", please share this file path (e.g. \\servera) and modify the file path as \\servera\myfile.log

    2) also check what type of object this monitor targets.


    Roger
    Wednesday, October 9, 2019 9:20 AM
  • Hi Roger,

    >>> 1) rather than using the file path as "C:\Program Files (x86)\myApp\Lib\C3\myFile.log", please share this file path(e.g.\\servera)

    I don't want to share path.

    Best regards

    Birdal

    Wednesday, October 9, 2019 12:56 PM