How do I create a SCOM 2012 MP calling PowerShell to calculate a moving average of an event log event count?

I'm tasked to create a SCOM Monitor MP that needs to be deployed on different servers where it needs to count events in the eventlog and trigger an alert.

Before it is suggested that counting an absolute arithmetic difference is enough and offering links to such solutions, there is a "gotcha!":

There might be one server, Server A, that gets, say, 1000 events per hour, where an increase of 100+ should trigger the alert.

Server B only gets 100 events per hour, and an increase of 10+ should also trigger the alert.

Therefore: You *can't* use an absolute difference, but *must* use a percentage difference.

It gets more challenging as there is another "gotcha":

Actually what should trigger the alert is a rate increase of events that falls outside of two Standard Deviations of a Moving Average. The best example is the stock market: Your stock price moves up and down daily, but also steadily moves up due to inflation over the years. You want a monitor that will alert you when the stock price goes above or below two standard deviations from the *moving average*.

I know how to call a PowerShell script from a SCOM Monitor, but I don't know how to get SCOM and PowerShell to "remember" previous samplings' counts, because Monitors are state-less (e.g. "memoryless").

Since SCOM, I'm told, can monitor any process state over time, I'm surprised that I don't see any support for statistical time-series analysis.

Any help would be appreciated.

January 5th, 2015 10:07pm

Hi,

beyond advanced topic! That's what I like.

First, very good description, these are almost functional specifications!

I would also choose PowerShell.

Some time ago we had a similar situation, where it was necessary to take into account the previous situation|state.

We resolved this by storing the states|values in a dedicated text file. So, at each new interval we collect new samples, read previous samples, calculate the required values, store these new calculated values, and, if required, create a property bag and trigger an alert. This is of course a high-level view. But in general the entire process is done in the PS script.

Recently, I found that the xml files and PS scripts bring a lot of flexibility. Especially in building custom diagnostics.

And there is no need to care about distribution of these files; they may be included in the MP. So the SCOM infrastructure takes care of this.

One piece of advice: First decide whether you need only alert or you want to steer|change health. The first case is simpler - you need rule. The second is more complex - you need monitor!

But of course the main part is PS script.

Regards,

Ivan

January 6th, 2015 1:26am

Thanks for your encouragement! :-)

Are there any "gotchas" in having a SCOM PS script creating, opening and updating a file on a given SCOM server? I'm thinking permission issues, account settings?

Peter

January 7th, 2015 5:41pm

Hi

Your steps are more or less like this:

1) Deploy the Monitor to e.g. the Windows Operating System class

2) The Script itself would work like this:

Get all events from your server event log (count). Because you run the scheduled monitor every hour you could take the count of the log (`$log = Get-EventLog -LogName Application; $log.Count`); of course you would need to filter the events, so only the entries are counted which appeared in the past hour. So you filter the events on the time property for `(Get-Date).AddHours(-1)`. If you build this count you know how many events were generated in the past hour.

If you need to compare it with past values you could write the result to the registry or an XML file. Store the date and event count. In the script you could then write a function which reads the values from the registry / XML and compares them to your specification.

Wrap this stuff into a property bag and generate alerts accordingly.

Hope this helps a bit,

Stefan

May 6th, 2015 1:58am
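As an added example (not code from the thread, and not Ivan's or Stefan's script), the following PowerShell probe puts the three pieces of this discussion together: Stefan's hourly event count, Ivan's file-persisted history between runs, and Peter's requirement that the alert fire only when the current count falls outside two standard deviations of the moving average rather than beyond a fixed absolute delta. Because the band is derived from each server's own history, a 1000-events-per-hour server and a 100-events-per-hour server get proportionally different thresholds without any per-server configuration. Assumptions: it runs under Windows PowerShell on the monitored server as the SCOM action account, `$HistoryPath` is a location that account can read and write, and the log name, window and sample count are illustrative parameters; `Get-WinEvent` with a `StartTime` filter is used in place of `Get-EventLog` because it filters on the server side.

```powershell
# Added example, not from the thread. Hourly event-rate probe with persisted history,
# moving average and a two-standard-deviation band, returning a SCOM property bag.
# Assumptions: $HistoryPath is writable by the account the monitor runs under;
# all parameter defaults are illustrative.
param(
    [string]$LogName     = 'Application',
    [int]   $WindowHours = 1,
    [int]   $SampleCount = 24,   # past samples kept for the moving average
    [double]$SigmaFactor = 2.0,  # alert band: mean +/- SigmaFactor * standard deviation
    [string]$HistoryPath = "$env:ProgramData\EventRateMonitor\$LogName.history.xml"
)

# 1) Count events written to the log during the last window.
#    With no matching events Get-WinEvent emits a non-terminating error; suppressing it
#    leaves an empty array, so the count is 0 rather than a script failure.
$since   = (Get-Date).AddHours(-$WindowHours)
$current = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                          -ErrorAction SilentlyContinue).Count

# 2) Load the samples stored by previous runs (the state SCOM itself does not keep).
$history = @()
if (Test-Path $HistoryPath) {
    $history = @(Import-Clixml -Path $HistoryPath)
}

# 3) Mean and sample standard deviation of the stored counts. The current sample is
#    judged against the past only, so a spike does not widen the band it is tested with.
function Get-Stats($values) {
    $values = @($values)
    $n = $values.Count
    if ($n -lt 2) { return $null }          # not enough history for a standard deviation
    $mean  = ($values | Measure-Object -Average).Average
    $sumSq = 0.0
    foreach ($v in $values) { $sumSq += ($v - $mean) * ($v - $mean) }
    return [pscustomobject]@{
        Mean   = $mean
        StdDev = [math]::Sqrt($sumSq / ($n - 1))
        Count  = $n
    }
}

$counts = @($history | ForEach-Object { [double]$_.EventCount })
$stats  = Get-Stats $counts

$state  = 'Healthy'
$detail = 'Collecting baseline ({0} of {1} samples)' -f $counts.Count, $SampleCount
if ($stats) {
    $upper = $stats.Mean + $SigmaFactor * $stats.StdDev
    $lower = [math]::Max(0.0, $stats.Mean - $SigmaFactor * $stats.StdDev)
    if ($current -gt $upper -or $current -lt $lower) { $state = 'Unhealthy' }
    # Percentage change versus the moving average, for the alert description.
    $pct = if ($stats.Mean -gt 0) { 100.0 * ($current - $stats.Mean) / $stats.Mean } else { 0.0 }
    $detail = 'Current={0} Mean={1:N1} StdDev={2:N1} Band=[{3:N1},{4:N1}] DeltaPct={5:N1}' -f `
              $current, $stats.Mean, $stats.StdDev, $lower, $upper, $pct
}

# 4) Append this sample and keep only the most recent $SampleCount (the moving window).
$dir = Split-Path -Path $HistoryPath -Parent
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
$history += [pscustomobject]@{ Timestamp = Get-Date; EventCount = $current }
$history  = @($history | Select-Object -Last $SampleCount)
$history | Export-Clixml -Path $HistoryPath

# 5) Hand the result to SCOM as a property bag; the monitor type's expression tests
#    Property[@Name='State'] to set the health state or raise the alert.
$api = New-Object -ComObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()
$bag.AddValue('State',      $state)
$bag.AddValue('EventCount', $current)
$bag.AddValue('Detail',     $detail)
$bag
```

Two points from the thread to carry into a real MP: the history file is the only state, so it must live somewhere the action account can create and update (Peter's permission question), and the script answers Ivan's rule-versus-monitor choice by emitting a `State` value that a monitor can map to health; for an alert-only rule, only the property bag's `Detail` text is needed. The first `$SampleCount` runs report `Healthy` while the baseline fills, which is the deliberate handling of the empty-history case.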
