SCOM Alerting on IIS Log misconfiguration for OMS
Introduction
Microsoft recommends that machines loaded into Microsoft Operations Management Suite (OMS) that are running IIS have their log rollover set to hourly.
However, once machines are added into OMS, it's entirely possible that the IIS log settings are changed, new sites are rolled out, etc. There is no easy way to see whether that has been done, or to stay on top of it.
This is a solution to that. There are two scripts below:
The first script helps set the IIS log rollover via PowerShell by parsing the applicationHost.config file and making the necessary changes. It can be executed from a remote machine. This should aid initial configuration.
The second is a VBScript to be included in a SCOM monitor to throw an alert if the log rollover configuration changes on any OMS-attached servers. It will display the site name and configuration in the alert description. Once the configuration has been resolved, the monitor will reset back to healthy automatically.
Script - Remotely change IIS Log rollover
#Script to remotely change IIS log rollover frequency.
#Written by Darren Joyce 2/7/15
param($computer, $period)

if (!$computer) {
    $computer = Read-Host 'What is the Name of the server to change log rollover frequency?'
}
if (!$period) {
    $period = Read-Host "What frequency to set? 'Monthly', 'Weekly', 'Daily', 'Hourly' (Default='Hourly')"
    if (!$period) {
        $period = "Hourly"
    }
}

Write-Host -ForegroundColor Yellow "Connecting to $computer and setting rollover frequency to $period"

Invoke-Command -ComputerName $computer -ScriptBlock {
    Import-Module WebAdministration
    $period = $args[0]
    Write-Host "Setting log rollovers..."

    # Read applicationHost.config once to see which sites carry their own <logFile> element.
    [xml]$configfile = Get-Content "c:\windows\system32\inetsrv\config\applicationHost.config"

    Get-Website | Select-Object -ExpandProperty Name | ForEach-Object {
        $sitename = $_
        $testValue = $configfile.SelectNodes("/configuration/system.applicationHost/sites/site") | Where-Object { $_.name -eq "$sitename" }
        # Only sites with an explicit <logFile> element are changed; the rest inherit the site defaults set below.
        if ($testValue.logFile) {
            $currentPeriod = Get-WebConfigurationProperty -Filter "/system.applicationHost/sites/site[@name='$sitename']/logFile" -Name period
            Set-WebConfigurationProperty -Filter "/system.applicationHost/sites/site[@name='$sitename']" -Name logFile -Value @{period="$period"}
            Write-Host -ForegroundColor Green "$sitename is now set to $period (was $currentPeriod)"
        }
    }

    # Set the site defaults so that sites without their own setting, and new sites, pick up the same period.
    $currentPerioddefault = Get-WebConfigurationProperty -Filter "/system.applicationHost/sites/siteDefaults/logFile" -Name period
    Set-WebConfigurationProperty -Filter '/system.applicationHost/sites/siteDefaults' -Name logFile -Value @{period="$period"}
    Write-Host -ForegroundColor Green "Site Defaults is now set to $period (was $currentPerioddefault)"
    Write-Host -ForegroundColor Yellow "Completed."
} -ArgumentList $period
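A read-only check of the effective rollover period per site, useful before and after running the change script above. This is an added example, not the author's code: the function name Get-EffectiveLogPeriod and the sample XML are constructed for illustration, and it assumes that a site without its own period inherits siteDefaults and that IIS falls back to Daily when siteDefaults sets none.

```powershell
# Added example: report the effective log rollover period per site without changing anything.
# Get-EffectiveLogPeriod is a hypothetical helper name; the XML further down is a constructed sample.
function Get-EffectiveLogPeriod {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [string]$Expected = 'Hourly'
    )
    $sites = $Config.SelectSingleNode('/configuration/system.applicationHost/sites')

    # siteDefaults may lack a logFile element or a period attribute (assumed IIS default: Daily).
    $defaultNode = $sites.SelectSingleNode('siteDefaults/logFile')
    $defaultPeriod = 'Daily'
    if ($null -ne $defaultNode -and $defaultNode.HasAttribute('period')) {
        $defaultPeriod = $defaultNode.GetAttribute('period')
    }

    foreach ($site in $sites.SelectNodes('site')) {
        $node = $site.SelectSingleNode('logFile')
        if ($null -ne $node -and $node.HasAttribute('period')) {
            $period = $node.GetAttribute('period')
            $source = 'Site'
        } else {
            # No explicit setting on the site: the site defaults apply.
            $period = $defaultPeriod
            $source = 'SiteDefaults'
        }
        [pscustomobject]@{
            Site      = $site.GetAttribute('name')
            Period    = $period
            Source    = $source
            Compliant = ($period -eq $Expected)
        }
    }
}

# Constructed sample: an explicit Hourly site, an explicit Daily site, and a site that inherits.
[xml]$sample = @'
<configuration><system.applicationHost><sites>
  <site name="Default Web Site" id="1"><logFile period="Hourly" /></site>
  <site name="Intranet" id="2"><logFile period="Daily" /></site>
  <site name="Reports" id="3" />
  <siteDefaults><logFile logFormat="W3C" /></siteDefaults>
</sites></system.applicationHost></configuration>
'@

Get-EffectiveLogPeriod -Config $sample | Format-Table -AutoSize
```

With the sample above, only "Default Web Site" is reported as compliant; "Reports" shows Daily with source SiteDefaults because neither the site nor siteDefaults sets a period. On a server, pass the parsed applicationHost.config instead of `$sample`.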
Setting up SCOM alerting
To create a SCOM alert on any IIS misconfiguration, create a two-state monitor. I created it as disabled, targeted to "IIS Server Role", and then used an override to apply it to a group containing my servers that are connected to OMS.
This is the script to use:
' CheckIISRollover.vbs
' Script by Darren Joyce July 2015
' This is designed to be run in SCOM to alert on any websites that have log rollover set to anything but Hourly
' For the purposes of checking machines for OMS
'
' Version 1.0
' Last Update July 2015
Option Explicit

Dim xmlDoc, oAPI, oBag
Dim strAlertDescription, strPeriod, strSiteName, strDefaultPeriod, strSitePeriod
Dim logfileNode, dlogfileNode, dNode, sNode, sitename

' Return the period attribute of a logFile node, or the fallback when the node or the attribute is absent.
' Without this, a missing attribute returns Null and the comparison with strPeriod is silently skipped.
Function GetPeriod(node, fallback)
    GetPeriod = fallback
    If Not node Is Nothing Then
        If Not IsNull(node.getAttribute("period")) Then GetPeriod = node.getAttribute("period")
    End If
End Function

' Set up the propertybag first, so a result is returned to SCOM even if the config cannot be read
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

' Set up some needed variables
strAlertDescription = "" ' We will need this for alert generation.
strPeriod = "Hourly" ' What the correct logfile period should be

' Set up XML for reading
Set xmlDoc = CreateObject("Msxml2.DOMDocument")
xmlDoc.setProperty "SelectionLanguage", "XPath"
xmlDoc.async = False
xmlDoc.load "C:\windows\system32\inetsrv\config\applicationHost.config"

If xmlDoc.parseError.errorCode = 0 Then
    ' Specify the SiteDefault Node and read the logFile Period attribute.
    ' IIS uses Daily when siteDefaults does not set a period.
    dlogfileNode = "/configuration/system.applicationHost/sites/siteDefaults/logFile"
    Set dNode = xmlDoc.selectSingleNode(dlogfileNode)
    strDefaultPeriod = GetPeriod(dNode, "Daily")

    ' Check the IIS global logfile period and append to the alert
    If strDefaultPeriod <> strPeriod Then
        strAlertDescription = strAlertDescription & "IIS Global logfile Configuration : " & strDefaultPeriod & vbCrLf
    End If

    ' Now we check the rest of the sites on the IIS box.
    ' Find the list of configured websites
    For Each sitename In xmlDoc.selectNodes("/configuration/system.applicationHost/sites/site/@name")
        strSiteName = sitename.text
        ' Now loop through them checking the logFile period attribute, and append to the description if not set correctly.
        logfileNode = "/configuration/system.applicationHost/sites/site[@name='" & strSiteName & "']/logFile"
        Set sNode = xmlDoc.selectSingleNode(logfileNode)
        If sNode Is Nothing Then ' Need this check here as if there is nothing configured, then it throws an exception.
            If strDefaultPeriod <> strPeriod Then
                strAlertDescription = strAlertDescription & strSiteName & " : " & strDefaultPeriod & " (Inherited from Site Default Setting)" & vbCrLf
            End If
        Else
            ' Check for the period set and append to the description
            strSitePeriod = GetPeriod(sNode, strDefaultPeriod)
            If strSitePeriod <> strPeriod Then
                strAlertDescription = strAlertDescription & strSiteName & " : " & strSitePeriod & vbCrLf
            End If
        End If
    Next

    If strAlertDescription <> "" Then
        strAlertDescription = "The IIS log file rollover is incorrectly set. It needs to be set to " & strPeriod & "." & vbCrLf & "The following sites are not correct:" & vbCrLf & strAlertDescription
    End If
Else
    ' The configuration could not be read, so the rollover setting cannot be confirmed.
    strAlertDescription = "Could not parse applicationHost.config: " & xmlDoc.parseError.reason
End If

' Put everything into the propertybag to return to SCOM if an error is found
If strAlertDescription = "" Then
    Call oBag.AddValue("Status", "OK")
Else
    Call oBag.AddValue("Status", "bad")
    Call oBag.AddValue("Description", strAlertDescription)
End If
Call oAPI.Return(oBag)
Configure your health expressions
Conclusion
As the end result, you should get an alert similar to this.
This is a way of seeing configuration changes that might be useful in some environments.