There are times when an application installs a Windows Service that uses inconsistent naming. There might be a scenario where the Computer Name is inserted into the service name, or where random characters get generated in the service name.
I wrote about this previously here: https://kevinholman.com/2011/01/20/how-to-monitor-a-service-with-unique-names-across-multiple-computers-using-a-wildcard/
Now, I have a Visual Studio fragment to make this even easier. This fragment will use a WMI based discovery that supports a partial name match with a wildcard, to discover instances of your service name as a property. Then it includes a monitor which uses this class property and monitors the discovered service name.
You can download the fragment library here: https://github.com/thekevinholman/FragmentLibrary
You can see fragments in action here: https://kevinholman.com/2019/07/15/advanced-mp-authoring-mpu-may-2019/
In this scenario, I am going to use a built in service that uses random data in the service name.
You can use Silect MP Author or Visual Studio with VSAE for fragments. I’ll be using Visual Studio in this example.
Create a new MP:
Add an existing item, and choose my new fragment “Combo.Class.Discovery.ServiceMonitor.Wildcard.WMIQuery.mpx”
In this fragment, we will need to replace the following items:
##CompanyID##
##AppName##
##ServiceNameWildcard##
##UniqueID##
CompanyID and AppName are standard across all fragments.
##ServiceNameWildcard## is what will go into the WMI query, that supports the operator for wildcards “%”.
In this example, since I want to discover and monitor any services that start with “UserDataSvc_”. Therefore I will replace ServiceNameWildcard with “UserDataSvc_%”
For the UniqueID, this just needs to be something to keep this workflow unique, in case we want to reuse the fragment multiple times in the same MP. Since this is my User Data Svc service monitor, I will just use that. (NO SPACES OR SPECIAL CHARACTERS ALLOWED)
That’s it! Save it and Build it, and we are ready to deploy this MP.
If you look at Discovered Inventory, change target type to our new Demo App class view, you will begin to see new instances showing up:
Note the ServiceName property, with different names in each. Also note they are monitored – because the built in service monitor in the fragment is enabled.
And we are generating good quality alerts:
Kevin, once again you have put together an MP fragment that hits home! Cannot thank you for your work in this area, and for keeping us SCOM admins semi-sane.
Thanks Peter! Knowing my work is helping others keeps me motivated. Appreciate you taking time to comment.
Kevin, one more thing: how does one alert on automatic startup services only (no need to alert on a manual or disabled start, not just disabled)? Similar to the checkbox in the console UI for windows services monitors. Thanks in advance.
Peter C.
Kevin, I worked it out in the fragment to exclude the manual startup services by Copying/adding this code to the ConditionDetection section, Expression Section for “ServiceRunning” (Equal), and Expression Section for “ServiceNotRunning” (NotEqual), value=3:
Property[@Name=’StartMode’]
Equal
3
Copied for each wildcard condition within the MP, adding the condition test for startmode = 3. Again, a fantastic fragment, saves tons of time!
Thanks , it’s great!
Is it possible to detect multiple services with wild card in their names on the same server?
Sample WMI query :
Select Name from Win32_Service where Name like ‘e1c%’
Query return this:
Win32_Service.Name=”e1c2541″
Win32_Service.Name=”e1c3541″
Win32_Service.Name=”e1c4541″
Win32_Service.Name=”e1c5541″
Win32_Service.Name=”e1c6541″
?
That’s exactly the scenario that this post is describing, and provides a solution for.
Super!
Thank you vary much!
Thanks for another great article. I am using this fragment with another wmi query and it works. I would like to also add a task so that it is possible to start the service from console when alert is raised. Any chance for a fragment where that is included? I am struggling with parameters and how to be able to use parameters in a powershell script. Want to use a parameter for the servicename.
Kevin
Thanks very much for this, I know I was one of the people asking for it.
In Silect should import this in as discovery or monitor?
Silect imports fragments. Anything could be in there. In this case, it has both a disco and a monitor.
I also need to monitor other things in this MP based off this discovery, capture several other perf counters and monitor a few other processes all core windows processes but I only need to monitor them if this service exists that appends the machine name to the end of the service name.
Ok, perfect. That’s what this fragment is for. Just use other fragments and add them to your MP using Silect or Visual Studio.
Hi,
I am trying to set this up but I am getting a lot of errors when trying to build the solution:
Lots of ‘tag was not closed’ errors, along with several ‘Missing attribute value on attribute “%attributename%’ errors.
All I have done is replaced the values for:
##CompanyID##
##AppName##
##ServiceNameWildcard##
##UniqueID##
Am I missing something?
Sorry – I am very new to Visual Studio but this management pack would be very useful to my team.
Thanks
Anyone?
Whats in your wildcard?
Whats in your UniqueID?
Hi Kevin,
The Wildcard is Fx%
And the UniqueID is FxTarigma
Should I get an email when a comment is made on my post?
Thanks
hi came across this topic on my search
as an extension of the above example
is it possible to do a discovery where userdataSVC service is running and specify as property that it concerns the 4ce50af?
so that I can filter on the ‘userdataSVC’ and then see a list of which variants are running and which servers
Hi Kevin,
I’m using this method to discover and monitor groups of similar services for quite some time. Now I found out that event 31876 is logged in the Operations Manager log over and over again on the monitored systems:
Data item returned no information for parameter ‘$Data/Property[@Name=’BinaryPathName’]$’
This usually indicates that the query is incorrect.
One or more workflows were affected by this.
Workflow name: ServiceStateProbePage_f00208c6e837459caf6cf29463a5f5f5.DiscoveryRule
Instance name:
Instance ID: {624EA4E6-0C16-8E2D-EFC2-6F22F25F2FBB}
This is the line from the MP for ServiceStateProbePage_f00208c6e837459caf6cf29463a5f5f5.DiscoveryRule :
The services are discovered and monitored ok though. But the event log is flooded every minute.
Tested agent version: 2019 UR1 and UR2 on Windows 2012R2 and 2019
Thanks
My fragments don’t have anything like that in them. I am assuming your errors are coming from something other than using my fragments?
Hi
Can I add cpu and memory threshold monitor to the service?
Of course. Once you discover the service, you can target those monitors at the service class.
If I attempt to display the state of the service monitor I do not get the service name. Is there something else I need to do?
id = {normal GUID}
monitorDisplayName = Company AppName UniqueID Service Monitor
monitorDescription = {blank}
monitorName = Company.AppName.UniqueID.Service.Monitor
healthState = Success
objectId = {normal looking GUID}
objectDisplayName = FQDN of server
Can you explain to me what the issues is or what you are trying to accomplish? I am not following you.
I don’t know how many times I’ve started and stopped writing MPs in VS. I may have completed one or 2 but no clue how. I actually kind of moved on from trying. I took an a new app to monitor that has some very interesting monitoring challenges. I’ve started using your fragments and am actually producing MPs with results.
Each time the app folks ask me for something else that stumps me a search your repository and bang, you have a frag that fits what I need. This is a perfect example. I have an app on a few servers that spawn a separate Windows service for every queue they create. It’s annoying but this is a great solution.
I also have a security app that names the service with an incrementing version number. Super annoying to monitor that and upgrading the app. This also solves that.
Thanks for all this work you’ve done. I am back to using VS and becoming more useful to my org. I appreciate that!
That is so AWESOME to hear! Thank you for taking the time to give me feedback! 🙂
I do have one question that I tried all evening to answer myself. I need to get the display name of the service since the ServiceName field can be short and not enough info. I used Powershell to query WMI and I can select and see the DisplayName attribute. I added the class property in the MP fragment in all the places needed to pass the build.
$MPElement[Name=”company.appname.FaxSvc.Class”]/DisplayName$
$Data/Property[@DisplayName=’DisplayName’]$
I don’t see the displayname populating and I see this error in the event log:
Data item returned no information for parameter ‘$Data/Property[@DisplayName=’DisplayName’]$’
This usually indicates that the query is incorrect.
Even though I can see it as DisplayName in PS, it’s obviously either not the correct field name or I simply messed up. Is there a way to see what fields would be available in the WmiProviderWithClassSnapshotDataMapper?
Thanks again. -Brett
P.S. Here is my result of a PS query.
PS C:\Windows\system32> Get-CimInstance -ClassName Win32_Service -Property Name, DisplayName | FL Name, DisplayName
Name : AdtAgent
DisplayName : Microsoft Monitoring Agent Audit Forwarding
Name : AJRouter
DisplayName : AllJoyn Router Service
Name : ALG
DisplayName : Application Layer Gateway Service
I echo Brett’s sentiments.
I truly appreciate your care and level of effort Kevin; its apparent in everything you deliver! Thank you for all that you do!
Hey Kevin,
Do you have a version of this where a clickable console task is generated? Thanks for all of your awesome work.
What do you want the console task to do?
When an alert is generated, allow a person to start that wildcard service from the console if needed. Similar to how the built in service monitoring template works. Thx
Kevin,
I have been testing this using pretty much all default settings from your xml against the spooler service. I have noticed that every 2 minutes or so the monitor goes back and forth between healthy and unhealthy. The service has been stopped the entire time, so it should stay in an unhealthy state.
In the health explorer context the state shows 1 when it flips back and forth. Curious if you have ever seen it do this.
Property Name Property Value
State 1
ServiceType 272
StartMode 2
ErrorControl 1
TagId 0
ProcessId 0
Thanks
Hi Kevin,
Just tried these simple instructions and unfortunately, when I go into Discovered Inventory > Can see the Name and Path populate but the State shows as “Not Monitored”.
Any idea what I missed?
Check the condition for ServiceRunning. The default is Equal 4. I had to change to NotEqual 4 for it to start monitoring. If it works, im curious if you run into the issue i mentioned above.