[SCOM] UNIX/Linux Run As Account settings for multiple DMZ, different resource pools
Hello all,
I observed that this topic lacks some explanation of how to configure different Run As accounts for each DMZ zone when using UNIX/Linux monitoring. If the targeting is wrong, you will get an error like:
Log Name: Operations Manager
Source: Cross Platform Modules
Event ID: 4113
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ComputerName
Description:
The account for the UNIX/Linux Action Run As profile associated with the workflow "Microsoft.Linux.Universal.Computer.Discovery", running for instance "computer.FQDN" with ID {random GUID} is not defined. The workflow has been unloaded. Please associate an account with the profile.
This condition may have occurred because no UNIX/Linux Accounts have been configured for the Run As profile. The UNIX/Linux Run As profile used by this workflow must be configured to associate a Run As account with the target.
The situation: you have multiple UNIX/Linux Run As accounts, each of which should be used only by a separate gateway, resource pool or management server. For example, you want to monitor DMZ Zone1 through GW1 with the account User1. You define User1 as a UNIX/Linux Run As account with More Secure distribution, targeting the resource pool that holds GW1 (or GW1 itself as an object).
Next you configure the three UNIX/Linux Run As profiles (Action, Privileged and Maintenance) and add User1 to each of them, targeting the same resource pool.
This, however, produces error 4113 on GW1.
The reason: among the discoveries in the UNIX/Linux Core Libraries there is one that targets Microsoft.Unix.ComputerGroup. That discovery runs against the group object rather than against the individual computers, so a profile association aimed at the pool, or at objects of type UNIX/Linux computer only, leaves it without an account and the discovery fails.
How to solve:
Create custom UNIX/Linux groups (with dynamic or explicit membership), one per zone, and add each zone's DMZ servers to its group: Group1, GroupX, GroupX+1 and so on.
For the Run As account, keep the distribution of User1 targeted at the resource pool of GW1. Under Run As Profiles, however, set the target for User1 in each of the three UNIX/Linux profiles to the corresponding custom group (Group1), not to the pool.
This gets rid of the 4113 events and monitoring works.
Here is also a diagram:
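The same configuration done with the OperationsManager PowerShell module, as an added example that is not part of the original post. The management server name, the pool, account and group names, and the use of the -Group parameter of Set-SCOMRunAsProfile for group-targeted associations are assumptions; the Run As account User1 is assumed to have been created in the console already (Get-SCOMRunAsAccount only reads it). The two checks at the end are the ones I would run before declaring the zone done.

```powershell
# Added example, not from the original post. Assumed names: ms01.corp.example
# (a management server), "DMZ Zone1 Pool" (the resource pool that holds GW1),
# "User1" (UNIX/Linux Run As account already created in the console) and
# "DMZ Zone1 Unix Servers" (the custom group holding that zone's hosts).
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName "ms01.corp.example"

$pool    = Get-SCOMResourcePool -DisplayName "DMZ Zone1 Pool"
$account = Get-SCOMRunAsAccount -Name "User1"
$group   = Get-SCOMGroup -DisplayName "DMZ Zone1 Unix Servers"
if (-not ($pool -and $account -and $group)) {
    throw "Resource pool, Run As account or custom group not found; check the names."
}

# Distribution: the credential is pushed only to the pool that holds GW1 (More Secure),
# so no management server outside this DMZ zone ever receives it.
Set-SCOMRunAsDistribution -RunAsAccount $account -MoreSecure -SecureDistribution $pool

# Profile associations: all three UNIX/Linux profiles get User1, targeted at the custom
# group. Targeting the pool here is what leaves the ComputerGroup-targeted discovery
# without an account and produces event 4113 on GW1.
$profiles = Get-SCOMRunAsProfile | Where-Object { $_.DisplayName -like "UNIX/Linux * Account" }
if ($profiles.Count -ne 3) {
    Write-Warning "Expected the three UNIX/Linux profiles, found $($profiles.Count); review the list before continuing."
}
foreach ($profile in $profiles) {
    Set-SCOMRunAsProfile -Action Add -Profile $profile -Account $account -Group $group
}

# Check 1: every DMZ Zone1 host must be a member of the group, otherwise the
# association never reaches it and that host keeps failing.
$group.GetRelatedMonitoringObjects() | Select-Object DisplayName, HealthState

# Check 2: after the next discovery cycle GW1 should log no new 4113 events.
# Get-WinEvent writes a non-terminating error when there are none, which is the result we want.
Get-WinEvent -ComputerName "GW1" -FilterHashtable @{ LogName = 'Operations Manager'; Id = 4113 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Repeat the three blocks with the pool, account and group of the next zone for GroupX, GroupX+1 and so on; the distribution stays per pool while the profile associations stay per group, which is the whole point of the fix.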