STOP ALERT REPEAT COUNT FOR UNIX / LINUX LOG ALERT IN SCOM

Posted by on Jul 29, 2016 in SCOM 2012

Last time, when we configured UNIX/Linux log file monitoring, we ran into an issue where SCOM sent only one alert for the log monitor even when suppression was turned off.

The alerts were visible in the SCOM console, but we received only one alert email notification; after that only the Repeat Count increased, and no new alert was raised.

When we checked further, we found that the custom Management Pack containing the log file monitoring rule was the culprit.

To fix this, follow the steps below:

  1. Open the Operations Manager console and click on Administration.
  2. Click on Management Packs and right-click the custom Management Pack containing the rule.
  3. Select Export Management Pack…

Export the Management Pack to your preferred location.

Open the exported Management Pack in Notepad++. You will see the following rule configuration:

<Rule ID="LogFileTemplate_465281003ec6490d9f9124d867c60ff1.Alert" Enabled="false" Target="Unix!Microsoft.Unix.Computer" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
        <Category>EventCollection</Category>
        <DataSources>
          <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.VarPriv.DataSource">
            <Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
            <LogFile>/var/log/messages</LogFile>
            <UserName>$RunAs[Name="Unix!Microsoft.Unix.PrivilegedAccount"]/UserName$</UserName>
            <Password>$RunAs[Name="Unix!Microsoft.Unix.PrivilegedAccount"]/Password$</Password>
            <RegExpFilter>System initiated reload of unit</RegExpFilter>
            <IndividualAlerts>false</IndividualAlerts>
          </DataSource>
        </DataSources>
        <WriteActions>
          <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
            <Priority>1</Priority>
            <Severity>2</Severity>
            <AlertName>Log File Alert:  System Initiated Reload of Unit</AlertName>
            <AlertDescription>$Data/EventDescription$</AlertDescription>
            <Suppression>
              <SuppressionValue />
            </Suppression>
          </WriteAction>
        </WriteActions>
      </Rule>

Delete the following Suppression element, which appears inside the WriteAction of the rule above:

<Suppression>
  <SuppressionValue />
</Suppression>

Save the Management Pack file.

Now import the edited Management Pack back into SCOM.

  1. Open the Operations Manager console and click on Administration.
  2. Right-click Management Packs and click Import Management Packs.
  3. Click the Add button and select the Management Pack file.
  4. Click the Install button to start the import.

The import will take a few seconds.

Click the Close button to close the wizard.

You should now receive individual alerts for the servers, and the alerts will appear the same way in the SCOM console:

Keep one thing in mind: if you modify the rule in any way, the suppression section is put back into the configuration, so you will have to export, edit and import the Management Pack again.
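
Because the export, edit and import cycle has to be repeated after every rule change, the edit step can be scripted instead of done by hand in Notepad++. The PowerShell below is an added example, not part of the original post: the function name Remove-EmptyAlertSuppression, the temporary file names and the cut-down sample XML are assumptions for illustration, and it assumes the exported Management Pack declares no default XML namespace.

```powershell
# Added example, not from the original post. Edits the exported (unsealed) MP XML only.
function Remove-EmptyAlertSuppression {
    param(
        [Parameter(Mandatory)] [string] $Path,     # exported Management Pack XML
        [Parameter(Mandatory)] [string] $OutPath   # edited copy to import afterwards
    )
    # Resolve to full paths: XmlDocument uses the .NET working directory, not the PS location.
    $inFile  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $outFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutPath)

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true   # keep the original indentation and line breaks
    $doc.Load($inFile)

    # Assumption: no default XML namespace on the MP, so plain XPath matches.
    foreach ($s in @($doc.SelectNodes('//Rule/WriteActions/WriteAction/Suppression'))) {
        # Leave blocks that carry a real suppression value; only the empty one is removed.
        $filled = @($s.SelectNodes('SuppressionValue') | Where-Object { $_.InnerText.Trim() })
        if ($filled.Count -gt 0) { continue }
        $ruleId = $s.ParentNode.ParentNode.ParentNode.GetAttribute('ID')
        [void]$s.ParentNode.RemoveChild($s)
        $ruleId   # emit the ID of each rule that was changed
    }
    $doc.Save($outFile)
}

# Constructed sample, cut down from the rule shown above.
$sample = @'
<ManagementPack><Monitoring><Rules>
  <Rule ID="LogFileTemplate_465281003ec6490d9f9124d867c60ff1.Alert" Enabled="false">
    <WriteActions>
      <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
        <AlertName>Log File Alert:  System Initiated Reload of Unit</AlertName>
        <Suppression>
          <SuppressionValue />
        </Suppression>
      </WriteAction>
    </WriteActions>
  </Rule>
</Rules></Monitoring></ManagementPack>
'@
$in  = Join-Path ([IO.Path]::GetTempPath()) 'mp-sample.xml'
$out = Join-Path ([IO.Path]::GetTempPath()) 'mp-sample.fixed.xml'
Set-Content -LiteralPath $in -Value $sample -Encoding UTF8
Remove-EmptyAlertSuppression -Path $in -OutPath $out   # lists the rule IDs that were edited
```

Run it against the exported file, check the listed rule IDs, then import the output file through the Import Management Packs wizard as described above.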
