This is a concept that I have seen several examples of, but realize not everyone knows of this capability.
You can create a rule, that targets a class hosted by an agent (such as Windows Server Operating System), but have a script response run on the Management Server to take action.
Here is a simple example:
<Rule ID="Demo.ResponseOnMS.Rule" Enabled="true" Target="Windows!Microsoft.Windows.Server.OperatingSystem" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100"> <Category>Maintenance</Category> <DataSources> <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider"> <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName> <LogName>Application</LogName> <Expression> <And> <Expression> <SimpleExpression> <ValueExpression> <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery> </ValueExpression> <Operator>Equal</Operator> <ValueExpression> <Value Type="UnsignedInteger">100</Value> </ValueExpression> </SimpleExpression> </Expression> <Expression> <SimpleExpression> <ValueExpression> <XPathQuery Type="String">PublisherName</XPathQuery> </ValueExpression> <Operator>Equal</Operator> <ValueExpression> <Value Type="String">MM</Value> </ValueExpression> </SimpleExpression> </Expression> </And> </Expression> </DataSource> </DataSources> <WriteActions> <WriteAction ID="PSWA" TypeID="Windows!Microsoft.Windows.PowerShellWriteAction" Target="SC!Microsoft.SystemCenter.CollectionManagementServer"> <ScriptName>Demo.ResponseOnMS.Rule.ps1</ScriptName> <ScriptBody> # Add the SCOM API and Log event $api = New-Object -comObject "MOM.ScriptAPI" $api.LogScriptEvent("Demo.ResponseOnMS.Rule.ps1",2222,0,"This event is created by a script running on the MS") </ScriptBody> <TimeoutSeconds>30</TimeoutSeconds> </WriteAction> </WriteActions> </Rule> </Rules>
This rule uses a simple event datasource looking for event 100, and source of “MM”.
Then – it responds with a Write Action – but the Write Action has a Target of Management server. This is the key part:
<WriteAction ID=”PSWA” TypeID=”Windows!Microsoft.Windows.PowerShellWriteAction” Target=”SC!Microsoft.SystemCenter.CollectionManagementServer”>
My example is very simple – and runs PowerShell on the Management server, creating a single simple event in the OpsMgr log.
This design works in SCOM 2012 and later – where the response will execute on the Management Server that the agent is assigned to.
You can use this example to do things, like query the OpsDB and generate a specific alert in response to an agent side issue – or you can put the agent into Maintenance mode by passing the computername as a parameter to the script write action.
You can also do similar things with tasks:
<Task ID=”Your.Task” Accessibility=”Public” Enabled=”true” Target=”SC!Microsoft.SystemCenter.Agent” Timeout=”180″ Remotable=”true” RunLocation=”SC!Microsoft.SystemCenter.CollectionManagementServer”>
Hi,
I’m trying to use this to build my own remote stop-maintenancemode function .in a similar way to the way the start-agentmaintenancemode function works however I am struggling
in regards to the write action can you tell me which MP your ‘SC!’ alias is pointing at? and nwhere I can obtain the ‘Windows!Microsoft.Windows.PowerShellWriteAction’ action ?
Stopping MM is nearly impossible – from an agent perspective – because IF the agent Healthservice class is n MM, then the agent does not send responses to the Management Server… so this becomes incredibly difficult. If only a child object is in MM, then you can remove an object from MM the same way it was put in.
SC! = Microsoft.SystemCenter.Library
I am using a powershell command on the host to write an event to the event log and then wanting to run the below bit of code on the management server to stop maintenance mode.
$class = get-scomclass -name:’Microsoft.Windows.Computer’
$computer = get-scomclassinstance -class $class -ComputerName “$computername”
$computer.StopMaintenanceMode([DateTime]::Now.ToUniversalTime(),[Microsoft.EnterpriseManagement.Common.TraversalDepth]::Recursive);
I guess I didn’t ‘think ahead’ as you have made me realise the rule will not look for my event log on an agent in maintenance mode…
my goal is to allow Maintenance mode to be stopped from a server regardless of there permissions in SCOM.
would it be possible to write my stopmaint event to a central log and utilise a value in that log (computername) as a variable in the powershell write action response ?
hello Mr Kevin, we have a small problem about e-mails that constantly we are receiving from scom.
we already checked your website looked for all writings but couldnt find an answer.
Namely we have a server pc which works over 98 percent cpu utilization. so that scom always send e-mail us. if you can help us how we can adjust this threshold only on this server settings?
thanks a lot
Tried the same but I have no result at all. It seems the code is simply not executed (SCOM 1801).
I know the rule works , because I added this:
and the event is correctly logged, but the code itself does absolutely nothing (no writing on the event log). Do we need special permissions (aka RunAs) to run the rule ? Or SCOM 1801 has different rules ?
Thanks
sorry, the tags killed what I wanted to add 🙂 consider the brackets before and after—-
WriteAction ID=”WriteToDB” TypeID=”SC!Microsoft.SystemCenter.CollectEvent”/
Hi, do you know if can I run the writeaction on rule which is working on target Unix!Microsoft.Unix.Computer as looks like it’s not working (trying to create simple event on MS). Other writeAction like creating incident is working fine.