Coming Soon: SNMP Monitoring for Changes in Polled Values

Most SNMP monitoring can be facilitated by comparing the value of a specific retrieved SNMP object to an expected string or threshold, but monitoring for some conditions can only really be accomplished by comparing the current value to a previous value.  

Three examples of this are:

1)      Serial Interface Flapping:  If a serial connection is experiencing problems, the interface may bounce up and down rapidly.  If an SNMP poll on that interface is occurring every 1, 3, or 5 minutes, it may not detect any problems (if the interface is up for the poll), meaning that compromised availability could go undetected for several polling cycles.  These conditions can be detected by comparing the Interface Resets (locIFResets) counter in the Cisco local interfaces table  to previous values.   

2)      Default Gateway Changes on Redundant Routers:  In some redundant WAN router deployments, a default gateway change on the routers is indicative of a redundancy failover.  Because all devices and interfaces may be up and reachable before and after a failover, it may be difficult to detect when the failover has occurred, potentially meaning production traffic is routed over a slower backup link.   This can be detected by monitoring the Default Gateway value (ipRouteNextHop in the ipRouteTable) on the routers and detecting changes when compared to previous polling cycles.

3)      High-Availability State Changes on CheckPoint SPLAT Firewalls:  In an HA configuration on CheckPoint firewalls, the haStatus value will return a string value of “active” or “standby.”  The best way to detect an HA failover is to watch this value for a change.

These are just three examples of many potential scenarios where monitoring of an SNMP object is best served by comparing current values to previously polled values.  Unfortunately, this capability is not a common feature in many of the monitoring tools that I am familiar with.  

Over the next week (or more), I will be posting articles about how I have to implemented just such a monitor for the three described scenarios using the two monitoring products that I currently work with:  SolarWinds ORION and System Center Operations Manager.  In the case of ORION, these monitors can be implemented fairly easily with a bit of SQL work.  In the case of SCOM, it’s a little bit more complicated, but ultimately doable.

SCOM: An SSRS Custom Report for SNMP Device Performance Data Collected by Rules

While the SCOM Reporting implementation provides a great set of reports out of the box, there are a number of custom reports which I have found useful to develop.   The report described here is one to report on aggregated hourly performance counters collected on SNMP Network Devices.


First up, the queries:

Read more of this post

SCOM: One More Use for Custom Resolution States – A “Closed by Operator” State

I had previously written a post about using customization of SCOM’s resolution states to generate an additional notification, on-demand, in order to send the event to a helpdesk software system.  Another resolution state customization that I have found useful facilitates the opposite effect, preventing notifications. 

Unlike those generated by monitors, alerts generated by rules in System Center Operations Manager are not linked to an object’s health state, and are not closed automatically.  Rather, they must be closed manually (in the console or with a script) or deleted after a set period of time (database grooming).  While it is typically desirable for notifications to be generated when alerts generated by monitors are closed, as an indication of the conditions resolution, this is not usually desirable for alerts generated by rules, as the notification would just indicate that an operator closed the alert.   This is particularly true if operators are not managing the console 24/7. 

If notification subscriptions are scoped to classes or groups (and not individual rules/monitors), an easy way that I have found to prevent notifications when rule-generated alerts are closed is by adding a custom resolution state with the name: “Closed by Operator” and a value such as 254 and then modifying the Open alert views in the Operations Console to filter on resolution status less than 254 (instead of “not equal to 255”).  This has the effect of logically assigning two potential closed states for alerts, the system default Closed state of 255 and the “Closed by Operator” state of 254.   In the Operations Console, operators can right click an alert, choose Set Notification State and choose “Closed by Operator,” clearing the alert from the open alert views, and not generating a notification. 

Figure 1

EventLog Search: A Utility App for Searching Windows Event Logs

On a number of occasions in the past few weeks, I’ve found myself wishing there was an easy way to search a machine’s event log for events that matched a string in the description.   I’ve primarily wanted such a utility while troubleshooting SCOM management packs, where I wanted to be able to filter for events with the management pack name in the description, from the Health Service Modules source, and an event ID between 21000-22000. While the native Windows EventLog provides filtering capabilities, you can’t enter a filter for the event message/description or search on a range of event IDs.   I believe there are third-party tools that let you do this, but it seemed pretty easy to whip up a Windows Forms application to provide this search functionality.   I was able to put something together in pretty short order, and it can be downloaded here.  The only requirement should be for .NET version 2, and it doesn’t have to be installed to run.   I haven’t taken the time to implement much error-handling or any documentation, but it seems to fit the bill pretty well and it should be pretty self-explanatory.

The main search window:

The event details window (double-click a row in the Data Grid View to open):

WebMon: A SCOM Management Pack for Basic Web Site Monitoring, Configured with a Single XML File, Part II

The WebMon URL Monitoring management pack that I described in the previous post, can be downloaded here.    Notes on deploying and configuring the MP are as follows:


This management pack for SCOM 2007, is intended to provide basic web monitoring for multiple web sites while being very easy to deploy.   All configuration for each monitored URL is performed by editing a single XML file on the Watcher Node.   The management pack implements three classes:  1) WebMon Watcher Node, which hosts 2) WebMon Request and 3) WebMon Secure Request classes.   The Request and Secure Request classes are identical, except the Secure Request class utilizes NTLM/Integrated authentication through a RunAs profile.   The monitors and rules implemented are as follows (for each of the two request clasess):

  • Monitors:
    • DNS Resolution Failure
    • Status Code (greater than a threshold)
    • Reachable
    • Error Code
    • CA Untrusted
    • Certificate Expired
    • Certificate Invalid
    • Response Time (greater than a threshold)
  • Rules:
    • Response Time Performance Collection

The monitors are rolled-up into an aggregate monitor used for alerting for each Request class.   A set of views are also created under the Web Application folder in the Monitoring section of the SCOM console.  These include state views for the Watcher Nodes, two Request classes, and a performance view displaying the historical response time for all requests. 

The advantage of this management pack over the SCOM the Web Application monitoring implementation for basic web monitoring is that it can be rapidly deployed and configured by simply editing the XML configuration file. 

Deployment and Configuration:

To deploy the WebMon URL Monitoring Management Pack:

  • Copy the sample webmonconfig.xml to a location on a local disk drive of each node intended to be a watcher node (the default path is C:\webmon\webmonconfig.xml)
  • Edit the configuration file with the desired settings (see the XML configuration section below)
  • Import the WebMon.xml file using the Import Management Pack function in the Operations Manager console, under administration
  • Access the Authoring section of the Opeartions Manager console, click the Change Scope link and limit the scope to WebMon Watcher Node. 
  • Right click the “WebMon Discovery” object under “Discovered Type: WebMon Watcher Node,” and choose Overrides->Override the Object Discovery->For a Specific Object of Class: Windows Server.   Select the server designated as Watcher Nodes, and override the object discovery to be “enabled.”
  • If the webmonconfig.xml file is deployed to a non-default location, override the script arguments and update the first parameter (c:\webmon\webmonconfig.xml) to reflect the actual script location.
  • The default interval for the object discovery is 15 minutes.  If this needs to be changes, edit the properties of the WebMon Discovery object, and adjust the schedule accordingly. 
  • If any sites are to be monitored with NTLM/Integrated authentication, a RunAs Profile must be configured.
    • Create a new RunAs account to be used by the watcher node, or determine an existing account to use.  
    • In the Administration section of the Operations Manager console, click RunAs Profiles.  Edit the properties of the WebMon Request RunAs Profile. 
    • Assign a RunAs account for the designated Watcher Node


All configurable elements of the WebMon URL Monitoring Management Pack can be set in the webmonconfig.xml on the Watcher Node.   Multiple requests can be defined in the configuration file by adding another <request/> element.   The discovery script performs some basic validation, but the XML configuration should be edited carefully in order to prevent inadvertent errors due to invalid configuration.

The XML configuration file looks like:

 <?xml version=”1.0″ encoding=”utf-8″?>

The configuration elements are:


  • requesturl:  the URL of the request, either http:// or https://
  • responsetimethreshold:  the response time threshold in seconds , if this is surpassed, a warning alert will be generated
  • retrycount:  the number of attempts to retry the request, 0 or greater
  • pollinginterval:  the interval in seconds between requests
  • statuscodevalue;  an error alert will be generated if the reponse status code is greater than this value
  • usentlm:  input true for this value if the site requires NTLM authentication.  The credentials used are defined in the WebMon Request URL RunAsProfile

Using the Management Pack

For both the WebMon Request and WebMon Secure Request classes, aggregate monitors are configured to generate alerts if any of the monitors trigger a warning or error health state.   Health states can be viewed in the Monitoring section of the Operations Manager Console, under the Web Application\WebMon URL Monitoring folder.   The views include state views for the WebMon Watcher Node, WebMon Request, and WebMon Secure Request classes as well as a view to display the collected response time data for all of the URL requests.  While overrides on the individual monitors can be configured, configuration should be performed in the webmonconfig.xml file. 

Notes on Editing the Management Pack

Prior to editing the management pack, please reference the link below to read more about the design of this management pack.   Due to some issues with the way the Authoring Console handles MonitorTypes and the use of variables in some configuration elements, all edits should be made in an XML editor. 

Support and More Info

This management pack is provided as-is, with no implied or explicit warranty.    For more info about the design and development of this management pack, reference:

WebMon: A SCOM Management Pack for Basic Web Site Monitoring, Configured with a Single XML File, Part I

The native Web Application monitoring capabilities of SCOM are impressive to say the least, and provide excellent functionality for in-depth monitoring of complex web application transactions.   However, the administrative effort required to configure web application monitoring makes the implementation less than ideal for wide-scale basic web site monitoring.  In most cases, required web monitoring would entail monitors just for status code, reachability, response time, and perhaps some other checks like certificate validity.  I wanted to create a custom management pack to implement these monitors, with a minimal degree of configuration effort.   While researching available options, I came across a post by Russ Slaten describing a way to utilize the Microsoft SystemCenter WebApplication Library implementation to accomplish a similar goal.  

However, I wanted to take it a step further.  The key decision point in my design approach was that I wanted to be able to deploy a configuration file (in XML format) to each watcher node involved and define the URL’s and monitoring properties in that file.   I have completed this management pack, and I’m quite happy with it thus far.   I’ve described the Management Pack and development process below.

The WebMon MP, Design and Development

Read more of this post

Recursively Listing Security Group Members with PowerShell

It seems like a favorite request of auditors is one for lists of all members of a set of local or domain groups that are associated with a resource that is being audited, and these requests typically stipulate that all members of nested groups must be listed as well (i.e. full recursion).  I used to use a VBS script to perform this functionality, but I’ve recently rewritten it in PowerShell.  The script accepts a group name (either local or domain) as well as a recursion depth as command line arguments and outputs a list of all group members to a text file.

The method used to retrieve the group members is:

 $Group= [ADSI]”WinNT://$GroupName,group”
 $Members = @($Group.psbase.Invoke(“Members”))

With that, it’s just a matter of configuring a function that accepts a group name as an input parameter, outputs the members, and loops through the member groups until the defined recursion depth is reached.

The script can be downloaded here.  And the output looks like:

The script could be easily modified to accept a text file with a list of group or server names as in input, or modified to output the results in HTML instead of plain text.