Improving or Migrating away from a Custom Management Pack

  • Question

  • Background:

    We worked about a year ago with a consultant to deploy SCOM 2012 R2 in our production environment, and everything went pretty well. 

    One of the items we asked the consultant to address was service monitoring for our custom services, which includes 400+ servers and custom services for almost every server, though they do follow (somewhat) a naming convention.

    The consultant marked this one as done by deploying a custom management pack, however, the management pack throws false positive errors so often, our ACS database is full with 80% of these errors.

    Until recently, I had not created any custom management packs, so I was not quite 100% sure how the consultant made it work.  Now, after more research and a few custom management packs of my own, I understand the WMI process well enough.

    Current Issue:

    I have found the management pack that the consultant created in order to monitor these services across all of our servers, it is called "Service Application".  I have exported it and started looking through it, and it looks like it was written poorly, as the naming convention I mentioned above was barely used, and it looks like the whole service name was called out in an array of sorts.

    I would like to write another management pack to monitor the services across our servers the same way, but without all the false positive warnings/errors.  I believe I can do that with a much more simple, 1 line WMI filter, such as:

    select * from win32_service where name like 'one%' or name like 'two%'

    I have used a query like this to monitor a host of services on a few infrastructure servers, and it worked great.


    • If I have 2 management packs monitoring the same services, will that cause a conflict of sorts?
    • In order to remove the initial custom management pack, best practices would be to export it (to save it as a rollback plan) and then delete it from Administration > Management Packs?
    • Can anyone see any other issues I am missing with moving away from this custom management pack?

    Tuesday, September 16, 2014 1:18 AM
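
One way to check the WQL filter from the question against a few servers before it goes into a management pack, as an added example that is not part of the original post. The server names are placeholders, and `'one%'` / `'two%'` are the sample prefixes from the question.

```powershell
# Added example: preview what the prefix-based WQL filter would match.
# $servers holds placeholder names; replace with real hosts.
$filter  = "select * from win32_service where name like 'one%' or name like 'two%'"
$servers = 'SERVER01', 'SERVER02'

$results = foreach ($server in $servers) {
    try {
        Get-CimInstance -ComputerName $server -Query $filter -ErrorAction Stop |
            Select-Object @{ n = 'Server'; e = { $server } },
                          Name, DisplayName, StartMode, State
    }
    catch {
        # Keep unreachable hosts in the output so gaps in coverage are visible.
        [pscustomobject]@{
            Server      = $server
            Name        = '<query failed>'
            DisplayName = $_.Exception.Message
            StartMode   = $null
            State       = $null
        }
    }
}

# How many services the filter matches per server.
$results | Group-Object Server | Select-Object Name, Count | Format-Table -AutoSize

# Matches worth reviewing: a service that is not Auto start, or is already
# stopped, is a likely source of unwanted alerts once it is monitored.
$results |
    Where-Object { $_.Name -ne '<query failed>' -and
                   ($_.StartMode -ne 'Auto' -or $_.State -ne 'Running') } |
    Sort-Object Server, Name |
    Format-Table Server, Name, StartMode, State -AutoSize

# Hosts where the query itself failed.
$results | Where-Object Name -eq '<query failed>' |
    Format-Table Server, DisplayName -Wrap
```

The per-server counts can be compared with the discovered inventory shown in the console after the new pack is imported.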

All replies

  • What you will see by monitoring the same service with two different packs is two alerts for each service interruption. Obviously, this is noise, and nobody wants that.

    What I suggest is, creating your own service monitoring pack that mirrors the services that are currently being monitored by the production pack. When this is complete and tested in a lab environment, simply import into production and delete the other pack.

    The only issue I can think of that you might experience is, if you have reports and views currently set up to utilize the state of the current production service monitoring pack, these might not work as expected anymore. It's not a big deal, though, because you can easily remedy this by updating the views and reports to target your new pack.

    I also want to suggest taking a look at this article. Good luck.

    Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

    Tuesday, September 16, 2014 2:09 AM
  • Thanks for the response Jonathan.

    I can deal with multiple alerts, as long as something is alerting.

    I put the new management pack in, and it is showing a discovered inventory of 698 services across my servers, which is encouraging.

    In fact, looking at it, the consultant's management pack is only targeted towards one tier of my servers, our Processing tier, and those services are showing up as "not monitored" by the new management pack.

    Possible overlap causing the issue?

    Tuesday, September 16, 2014 7:37 PM
  • If those services are showing as "not monitored", then there is no unit monitor targeting that class. This would not be an overlap issue.

    Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

    Tuesday, September 16, 2014 8:44 PM
    Which seems odd, as I targeted the management pack at a group which contains all of my internal servers.  Also, when certain servers show services as "not monitored", a repair of the agent ends up being the trick to having the services show up as "monitored".

    Tuesday, September 16, 2014 8:53 PM
  • Groups are not valid targets for monitors, because they are managed by the management server. You need to target a class, which is hosted by the agent computer where the monitoring workflow will run. You can override monitors with a group, but not target a group for monitoring.

    Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

    Tuesday, September 16, 2014 9:22 PM
    So, I am probably going about this in a not-so-best-practice manner, but this is the document I followed previously to set up a management pack to monitor all of my SFTP server services,


    Granted, it was written for 2007, but everything is still applicable in 2012.  When I created the Windows Service monitor under Authoring > Management Pack Templates > Windows Service, I targeted the setup to a group called "Production Environments" which encompasses all of my non-infrastructure boxes, which are the ones that contain the custom services for me to monitor.  I figured a slight narrowing of the scope might help.

    From there, I followed the technet link and updated my WMI filter in there.  

    Like I said, everything looks good, all of the services on non-Processing servers are showing as monitored, however, the ones on the processing tier are showing "not monitored".

    In regards to the services, all of the custom services, no matter the server they are located on, are set up, deployed and run in exactly the same manner; there is nothing special about the ones on the processing tier.


    With that in mind... where should I go from here?

    Tuesday, September 16, 2014 9:34 PM
  • I didn't realize you used the service monitoring template. Yes, the template does allow you to pick a group, but under the hood there are classes created and the unit monitors target those classes. So, you are ok with that.

    Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

    Wednesday, September 17, 2014 12:13 AM
    So I am still at a standstill with our Processing tier.  All of our other tiers are reporting "monitored" for the custom services.  The processing tier still shows as "not monitored".

    Could you recommend anywhere to start troubleshooting?  I am hesitant to pull out the Service Application management pack, as it is currently the only functional way of reporting on approximately 500 custom services.

    Wednesday, September 17, 2014 10:51 PM
  • Wanted to add some more detail to this - 

    Was able to finally do some testing while I had a window, and stop a few services on our Processing tier.  Even though these services show up as "not monitored" they are alerting when the service is stopped.

    Also, I have noticed that this management pack I put in is working more effectively than the older one, so I think I might just pull out the old one and run with the new one, but what concerns me is that they're still showing as not monitored.

    Anyone have any additional thoughts? 

    Monday, September 22, 2014 4:15 PM
  • With both MPs running for a few days, I was able to validate that the MP I created was more functional than the previous one, so I backed up and removed the previous Service Application MP that was written by our old consultant.

    The services are still showing as 'Not Monitored' on our processing tier.

    As a secondary test, I stopped one of our services and it took approximately 5 minutes to show up as 'stopped' in our active alerts window.  Don't know how pleased I am with that 5 minute gap, but I guess for now, it will suffice.

    Wednesday, September 24, 2014 9:36 PM