FIM and SCOM MP

  • Question

  • Hello,

    I have an error with the FIM Sync Server??:

    Details: Delta Import cannot be run as the change log has been detected to be in a corrupted state

    Is it caught by the FIM 1.0.0.0 MP? or another one? or should I create a rule/monitor to get the alert on it?

    I am trying to create a Monitor > Unit Monitor > Windows Event > Simple Event Detection > Windows Event Reset >

    Event Log (Unhealthy Event) > Application > Event ID 6500 - EventDescription Contains "Delta Import cannot be run as the change log has been detected to be in a corrupted state"

    Event Log (Healthy Event) > Application > Event ID 6500 - EventDescription Does not Contain "Delta Import cannot be run as the change log has been detected to be in a corrupted state"

    Target: the Windows Computers group with the 3 FIM Servers.

    http://blogs.technet.com/b/kevinholman/archive/2008/04/22/using-event-description-as-criteria-for-a-rule.aspx

    Should it be a rule or a monitor?

    NT-Event-Log Event Collection Rule ?
    NT-Event-Log-Based Rule ?

    Is there a condition for the choice between Monitor, Collection Rule, Based Rule, etc...?

    How could I verify the rule has been picked by the Client? Does it appear somewhere in the Resource Explorer?

    What should be the target a "Windows Computer" Group?

    Thanks,
    Dom


    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager





    • Edited by Felyjos Friday, January 27, 2012 10:36 PM
    Friday, January 27, 2012 4:57 PM

All replies

  • Hi Dom:

    1. Recommend create two rules. Make them NT-Event-Log-Based rules.

    2. Keep the default Custom rule type, it does not matter.

    3. You can verify the rule is running with this method: http://technet.microsoft.com/en-us/library/hh212748.aspx

    4. Windows Computer target groups work fine. Just be aware all computers in your management group will now be watching for these alerts too. This is not a concern unless you are a very large organization.

    Good luck,

    John Joyner
    MVP-OpsMgr

     

    • Marked as answer by Felyjos Wednesday, February 1, 2012 6:50 PM
    Sunday, January 29, 2012 7:32 PM
  • Hi John,

    1 & 2 are fine...

    3 It seems the document is working for SCOM 2012 ONLY as I do not see "Show Running Rules and Monitors for this Health Service" in the Windows Computer Tasks pane available ... it passes from "Set Statistic Threshold Percentage" to "Sophos Virus Detection Engine Update" nothing starting by Show???

    It seems the place has changed I find it Using SCOM Console - Monitoring --> Operations Manager --> Agent --> Agent by version , select computer with agent you want to see the rules and monitors and run the task "Show running rules and monitors running for this health service". This will give the output you need.

    4. Please could you expand why all machines will not see the alert?

    In my case it is on several machines I need to see it about 2-3 servers from the 700 total.

    Thanks,
    Dom



    • Edited by Felyjos Monday, January 30, 2012 8:39 PM
    Monday, January 30, 2012 8:34 PM
  • I am trying several ways to list the rules:

    1 ) Using SCOM Console - Monitoring --> Operations Manager --> Agent --> Agent by version , select computer with agent you want to see the rules and monitors and run the task "Show running rules and monitors running for this health service". This will give the output you need.

    The same as you provided but it seems running forever... already two hours !!!

    2 ) Using the SCOM Reporting. For that go to SCOM console --> Reporting -->Operational Data Reporting Management Pack --> Management pack Report. This report will give you all the overrides done by management pack and what rules are being applied to the target computer / agent.

    This report is so huge 220 pages nothing could come out of it!!! Any idea how to use this report?

    3 ) Other solution is try to use "SC Ops Mgr 2007 Resource Kit – Effective Configuration Viewer" Tool. This will give you an overview over all monitors and rules for what you are looking into. However if you want to check what "windows services" are being monitored check your SCOM console on authoring and check on management pack templates --> windows services what is being deployed or not to be monitored on the specific machine.

    Apparently I have issues with the SDK as the Effective Configuration Viewer is failing to start!!!

    This one is fixed and information is populated trying to find my rule now !!!

    Thanks,
    Dom


    • Edited by Felyjos Monday, January 30, 2012 9:29 PM
    Monday, January 30, 2012 9:24 PM
  • Hi Dom -

    The document may refer to SCOM 2012, but I have verified that also SCOM 2007 R2 has this path Operations Manager -> Agent -> Agents By Version -> select an agent -> Actions -> Health Service Tasks -> Show Running Rules and Monitors for this Health Service. Running that task will show if your custom rule is loaded.

    When you target a rule or monitor at the Windows Computer class, all computers in the management group will load the rule or monitor. If you have object discoveries and no objects are discovered, a particular management pack will be unloaded after it is loaded. In this scenario where you are watching the application log with a rule, the rule will not be unloaded, and the application log of every Windows Computer will be watched in the same fashion.

    John Joyner
    MVP-OpsMgr

     

    • Marked as answer by Felyjos Wednesday, February 1, 2012 6:50 PM
    Monday, January 30, 2012 9:33 PM
  • Hi Dom -

    1. I see you found the path to the rules display, good show.

    2. The ODR report will not show you what is running on a particular computer. The ODR report is for overall assessment of your management group configuration and usage.

    3. I also see you found the effective configuration viewer--my next trick!

    Actually since output from the agent task is taking 2 hours (it should take under 2 minutes) and since you can't run the effective configuration viewer, it sounds like you have more serious issues with the health of your management group. Look at repair and reinstall options for your management group. You need to be able to run that "Show running rules and monitors running for this health service" task without a problem.

    John Joyner
    MVP-OpsMgr

     

     

    • Marked as answer by Felyjos Wednesday, February 1, 2012 6:50 PM
    Monday, January 30, 2012 9:37 PM
  • Hi John,

    Finally the Show running rules and monitors running for this health service ended 150 minutes for one server!!!

    Unfortunately within the 47 pages of results I could not find my rule which might confirm it has not been applied...

    Let me review the target... it seems the health service is not targeted with the class in the group:

    - Monitored     - Healthy  - Windows Server 2008 R2 Full Computer
    - Monitored     - Healthy  - VMGUEST Virtual Machine
    - Monitored     - Healthy  - ConfigMgrClient
    - Not monitored -          - VMware Virtual Machine
    - Monitored     - Healthy  - Agent
    - Monitored     - Healthy  - Forefront Identity Manager Synchronization Service
    - Monitored     - Healthy  - Health Service Watcher (Agent)
    - Not monitored -          - Discovery Helper

    As it is a custom rule could it be a conflict between sealed and unsealed management pack ?

    Thanks,
    Dom


    • Edited by Felyjos Monday, January 30, 2012 9:55 PM
    Monday, January 30, 2012 9:46 PM
  • Hi Dom -

    Tip: To make finding results easier, copy the results of the running rules task output to the clipboard, then paste them into notepad. Do your search for the rule in notepad. (You may have done this already!)

    Tip: Save the rule in its own management pack and give the rule a distinctive name to make it easy to find in notepad. Also this will give you additional diagnostic information by watching the Operations Manager log of an agent computer. The log will show HealthService EventID 1201 with the name of the management pack within a few minutes of you deploying the rule if everything is working.

    Tip: Try making a new rule as a test and see if that shows up in the results.

    1. During a period of low network activity, create a new NT Event Log alerting rule that looks for some random (but not used) event number in a valid log name and source, for example Application log, source MsiInstaller, EventId 99997 (that is not a valid EventId for that source, but that's OK we don't want this alert to really fire anyway). Target the rule to the Windows Computer class!

    2. Deploy the rule and every Windows computer should show that active rule--watching for MsiInstaller EventID 99997 which will never arrive.

    3. Delete the rule and/or custom management pack from the SCOM console, because we don't want the test rule running on all your computers unnecessarily.

    If you can deploy a test rule and observe it running, then you can backtrack the problem rule to see why your original rule is not working.

    Good luck,

    John Joyner
    MVP-OpsMgr

    P.S. The sealed vs. unsealed is not likely an issue, SCOM protects you and itself from most such conflicts.


    Tuesday, January 31, 2012 1:21 AM
  • Hi John,

    I did the Agent Task on another client and effectively it runs in 2 minutes!!!

    and retry on the same machine as before 2 minutes this time but still no trace about the custom rule created!!!

    Thanks,

    Dom



    • Edited by Felyjos Tuesday, January 31, 2012 5:52 AM
    Tuesday, January 31, 2012 5:27 AM
  • Hi John,

    NT Event log is in two folders: Alert Generating Rules > Event Based and Collection Rule > Event Based which one should be used?

    Where should I look for the rule within Effective Configuration Viewer? at the root? on a specific item? How long should I wait? Should I restart the Health Service Service on the Client?

    Thanks,
    Dom



    • Edited by Felyjos Tuesday, January 31, 2012 6:35 PM
    Tuesday, January 31, 2012 6:26 PM
  • 1. Use Alert Generating Rules > Event Based to create the custom rule.

    2. The rule will appear listed in random order in the output of the Show Running Rules and Monitors. That is why I recommend cut and paste the Show Running Rules and Monitors output into notepad and use Search in notepad to look for the rule name.

    3. It is never necessary to restart the health service on the client to load a management pack. If you saved your custom rule in a management pack named "Demo Rule Management Pack", then a few minutes (2-10 minutes) after you deployed the custom rule, the Operations Manager log of the client should show HealthService EventID 1201 (loaded new management pack) with the name of the management pack "Demo Rule Management Pack" clearly in the event details.

    John Joyner
    MVP-OpsMgr

    • Marked as answer by Felyjos Wednesday, February 1, 2012 6:50 PM
    Tuesday, January 31, 2012 7:55 PM
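
    A local check for the two events this thread relies on, added here as an example and not part of the original posts: it looks in the agent's Operations Manager log for HealthService Event ID 1201 naming the custom management pack, and in the Application log for Event ID 6500 with the corrupted change log description. The parameter names, the helper function and the 24-hour lookback are assumptions; the management pack name default is the example name used in the thread.

```powershell
# Added example: run locally on the agent (for example a FIM Sync server) in an elevated session.
param(
    # Name of your custom management pack; the default is the example name used in the thread.
    [string]$ManagementPackName = 'Demo Rule Management Pack',
    # Assumed lookback window; widen it if the rule was deployed earlier.
    [int]$LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)
$corruptText = 'Delta Import cannot be run as the change log has been detected to be in a corrupted state'

# Hypothetical helper: returns events matching the filter whose description contains the given text.
function Get-MatchingEvent {
    param([hashtable]$Filter, [string]$MessageContains)
    try {
        $events = Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error instead of returning nothing when no event matches.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return @() }
        throw
    }
    # Substring match on the rendered description, with wildcard characters escaped.
    $pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($MessageContains) + '*'
    @($events | Where-Object { $_.Message -like $pattern })
}

# 1) Has the agent loaded the management pack that carries the custom rule?
$mpLoaded = @(Get-MatchingEvent -Filter @{
    LogName = 'Operations Manager'; ProviderName = 'HealthService'; Id = 1201; StartTime = $since
} -MessageContains $ManagementPackName)

# 2) Has the event the rule is supposed to alert on actually been written?
$corrupt = @(Get-MatchingEvent -Filter @{
    LogName = 'Application'; Id = 6500; StartTime = $since
} -MessageContains $corruptText)

if ($mpLoaded.Count -gt 0) {
    "Management pack '$ManagementPackName' loaded at $($mpLoaded[0].TimeCreated) (HealthService 1201)."
} else {
    "No HealthService 1201 event naming '$ManagementPackName' in the last $LookbackHours hours."
}

if ($corrupt.Count -gt 0) {
    "$($corrupt.Count) Event ID 6500 entries report a corrupted change log; the rule should have alerted."
    $corrupt | Select-Object TimeCreated, ProviderName, Id | Format-Table -AutoSize
} else {
    "No Event ID 6500 with the corrupted change log description in the last $LookbackHours hours."
}
```

    If the first check finds the 1201 event and the second finds matching 6500 events but no alert appears in the console, the problem is in the rule's criteria rather than in its delivery to the agent.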
  • Hi John,

    1. Done

    2. Yes it is in the log

    3. Ok

    Let me try again with the one I need.

    In progress if I target Windows Computer the machine has received the updates... Event ID 1201

    Thanks,
    Dom



    • Edited by Felyjos Wednesday, February 1, 2012 2:23 AM
    Wednesday, February 1, 2012 2:05 AM
  • It works finally thank you for your patience.

    Dom


    Wednesday, February 1, 2012 6:51 PM
  • Glad to hear Dom and thank you for the feedback.

    Enjoy,

    John

    Wednesday, February 1, 2012 7:24 PM