

PowerShell Alert Update Connector and Orchestrator

Many of my customers need to "sort" SCOM alerts to different support teams.
In the past, the Alert Update Connector was used for this:
https://blogs.technet.microsoft.com/kevinholman/2012/09/29/opsmgr-public-release-of-the-alert-update-connector/
Some versions are still available:
https://blogs.technet.microsoft.com/markmanty/2017/04/24/scom-alert-update-connector-example-for-scom-2016/
https://blogs.technet.microsoft.com/markmanty/2012/05/03/scom-alert-updater-service-connector-example-updating-scom-alerts/

The "Supported" way is to use System Center Orchestrator to process your alerts.
For my customer I reused this example:
sc.scomurr.com/scom-2012-flagging-alerts-for-processing-using-scorch-2012-2/

 

 

Here's an overview of what needs to be implemented:

Alert Enrichment Database and Table

To store the information for each alert, we need to create a database and a table (in my case, a CE_Enrichment database and a CE_Enrichment table).
The .sql file can be downloaded at the bottom of this article.

The following columns are added to the table:

 

 

Alert Enrichment Configuration Tool

Configuration

In order to get the tool working, we need to define a few settings in the "AE_ConfigurationTool.config" XML:

  • RootManagementServerEmulator
  • SQLServer
  • SQLDBName
  • SQLEnrichTable
  • SQLQuery
  • default_appid
  • default_owner
  • default_resstate
  • default_ticket

 

 

The Tool

I've extended Scott Murray's PowerShell script to provide functionality similar to the Alert Update Connector.
Multiple SCOM groups can be added to an alert, and each group has its own Custom Field definition.
The advantage of the PowerShell tool is that you can customize it any way you want.
The code is open and there's no need to compile.

The tool can be downloaded at the bottom of this article.

Here's a screenshot of the tool:

 

 

System Center Operations Manager

To get System Center Orchestrator working, we need to create some Resolution States.
In the SCOM Console, go to Administration - Settings - Alerts - Alert Resolution States.
Add the following Resolution States:

  • Alert Not SCORH Enriched
  • Alert SCORH Enriched
  • ProcessedBySCORCH

 

 

 

System Center Orchestrator

System Center Orchestrator will do the actual job:

  • Process Alerts with the Resolution State "New"
  • Set the Resolution State to "ProcessedBySCORCH"
  • Query the Database
  • Check if records for the Rule/Monitor exist in the database
    • If they exist:
      • Run the PowerShell script and verify whether the MonitoringObject is a member of the groups defined in the table
      • Update with the corresponding Custom Fields
      • Update Resolution State to "Alert SCORH Enriched"
    • If they do not exist:
      • Update Resolution State to "Alert Not SCORH Enriched"
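
The decision flow listed above, sketched as a stand-alone PowerShell script. This is an added example, not the author's runbook or downloadable tool; the server names, the connection string and the table's column names (RuleId, GroupName, CustomFieldNumber, CustomFieldValue) are assumptions.

```powershell
# Added example: server names, connection string and column names are assumptions.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.example.local'   # placeholder

# Look the state codes up by name so no numeric code is hard-coded.
function Get-StateCode([string]$Name) {
    $state = Get-SCOMAlertResolutionState -Name $Name
    if (-not $state) { throw "Resolution state '$Name' is not defined in SCOM." }
    $state.ResolutionState
}
$processed   = Get-StateCode 'ProcessedBySCORCH'
$enriched    = Get-StateCode 'Alert SCORH Enriched'
$notEnriched = Get-StateCode 'Alert Not SCORH Enriched'

$cs   = 'Server=sql01.example.local;Database=CE_Enrichment;Integrated Security=True'  # placeholder
$conn = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList $cs
$conn.Open()
try {
    foreach ($alert in Get-SCOMAlert -ResolutionState 0) {            # 0 = "New"
        $alert.ResolutionState = $processed
        $alert.Update('Picked up for enrichment')

        # Parameterized lookup: the rule/monitor ID is never concatenated into the SQL text.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT GroupName, CustomFieldNumber, CustomFieldValue ' +
                           'FROM dbo.CE_Enrichment WHERE RuleId = @RuleId'   # assumed columns
        [void]$cmd.Parameters.AddWithValue('@RuleId', $alert.MonitoringRuleId)
        $rows = New-Object System.Data.DataTable
        $reader = $cmd.ExecuteReader(); $rows.Load($reader); $reader.Close()

        if ($rows.Rows.Count -eq 0) {
            $alert.ResolutionState = $notEnriched
            $alert.Update('No enrichment record for this rule/monitor')
            continue
        }
        foreach ($row in $rows.Rows) {
            # Apply the custom field only when the alerting object is in the listed group.
            $group = Get-SCOMGroup -DisplayName $row.GroupName
            if (-not $group) { continue }
            $members = $group.GetRelatedMonitoringObjects('Recursive')
            if ($members.Id -contains $alert.MonitoringObjectId) {
                $alert."CustomField$($row.CustomFieldNumber)" = [string]$row.CustomFieldValue
            }
        }
        $alert.ResolutionState = $enriched
        $alert.Update('Enriched from CE_Enrichment')
    }
} finally { $conn.Close() }
```

Run it under an account that has only the SCOM operator rights and read access to the enrichment table that the flow needs.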

Here's the screenshot of the Runbook that processes the alert:

The tool can be downloaded at the bottom of this article.

Because we need to connect to the management group in the PowerShell script, we need to import the SCOM module.
Orchestrator 2016 currently has an issue loading 64-bit modules. To let Orchestrator import 64-bit modules, change the following registry key:

HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework
Reg_DWORD: OnlyUseLatestCLR
Value: 1

Make sure that you know what you are doing before you break backward compatibility:
https://social.technet.microsoft.com/Forums/lync/en-US/bda22a17-c274-4799-9624-97588fdf4357/orchestrator-2016-powershell-not-importing-modules?forum=scogeneral
www.opsconfig.com/better-practices-orchestrator-automation-sometimes-that-blog-post-that-seems-too-good-to-be-true/

 

 

Download:

The Alert Enrichment Configuration tool:

AE_ConfigurationTool_v2_0_8

The Orchestrator Runbook:

2.8-AUC

SQL create Enrichment Table:

CE_Enrichment

 

 

Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.