
SCOMpercentageCPUTimeCounter cause CPU Spike

  • 13/03/2017 / 07/01/2025
  • by Martin Ehrnst

To be honest, this problem has existed for years and was written about back in 2014. Now, in 2017, SCOM 2016 UR2 has been released and the problem remains, perhaps with greater consequence due to virtualization.

If you’re unfamiliar with the problem, SCOMpercentageCPUTimeCounter.vbs (.ps1 in SCOM 2016) is a script included in the “System Center Core Monitoring” management pack. It is used as the data source for a rule and a monitor that determine agent health by gathering ‘HealthService’ CPU usage. The rule and monitor are set to run at a fixed interval of 321 seconds (I assume the person who wrote the MP just tapped 3-2-1 on their numpad 🙂) with sync time set to 00:00.

 

If you want to look at the actual code, you will find the data source on SystemCenterCore.com.

 

Running this script every 5 minutes isn’t exactly a problem when you have physical servers or a small number of virtual machines on your hypervisor. But if you run 100 or 300 VMs on one host and every VM starts this script simultaneously, it creates unnecessary load on your host. If the host is also overcommitted, CPU wait time could cause a ‘freeze’ on your tenant machines as well.

To illustrate the problem, I have attached a graph that clearly shows spikes during script execution.

vcenter host cpu spike SCOM

 

On a monitored computer you will see a cscript.exe process executing the following command line: “c:\windows\system32\cscript.exe” /nologo “SCOMPercentageCPUTimeCounter.vbs”

Cscript.exe running SCOM CPU percentage script

 

Unfortunately, out of the box there isn’t much to do. Sync time and interval are the only overridable parameters, and these will only help reduce the load on the agent machine itself. So if you experience CPU utilization peaks due to this script, I see only two options:

  • Disable the rule and monitor
    • Then you will have to rely on the CPU utilization monitor from the operating system management pack
  • Create a new rule and monitor, using the SpreadInitializationOverInterval parameter
    • Reduces load as executions occur randomly within the set interval
    • Requires authoring skills, but possible. Some information here.
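
To confirm that host CPU spikes line up with this script before changing anything, the check below groups process-creation records by start second and tests whether each burst sits on the 00:00 + n × 321 s grid. It is an added example, not part of the original post; the CSV layout, host names and the second script name are constructed for illustration.

```powershell
# Constructed sample: process-creation records from three monitored VMs.
# Column names and host names are assumptions for this example.
$csv = @'
Computer,Time,CommandLine
vm01,2017-03-13T10:04:33,cscript.exe /nologo SCOMPercentageCPUTimeCounter.vbs
vm02,2017-03-13T10:04:33,cscript.exe /nologo SCOMPercentageCPUTimeCounter.vbs
vm03,2017-03-13T10:04:33,cscript.exe /nologo SCOMPercentageCPUTimeCounter.vbs
vm02,2017-03-13T10:07:10,cscript.exe /nologo InventoryReport.vbs
vm01,2017-03-13T10:09:54,cscript.exe /nologo SCOMPercentageCPUTimeCounter.vbs
vm02,2017-03-13T10:09:54,cscript.exe /nologo SCOMPercentageCPUTimeCounter.vbs
vm03,2017-03-13T10:09:54,cscript.exe /nologo SCOMPercentageCPUTimeCounter.vbs
'@

$interval = 321   # seconds, the fixed interval of the rule and monitor

function Get-ScriptBurst {
    param([string]$Csv, [int]$IntervalSeconds)
    # Keep only starts of the SCOM CPU counter script.
    $runs = $Csv | ConvertFrom-Csv |
        Where-Object { $_.CommandLine -like '*SCOMPercentageCPUTimeCounter*' }
    # One group per start second; several hosts in a group is a synchronized burst.
    $runs | Group-Object Time | ForEach-Object {
        $start = [datetime]$_.Name
        [pscustomobject]@{
            Start     = $start.ToString('HH:mm:ss')
            Hosts     = $_.Count
            # 0 means the start sits on the sync-time grid (00:00 + n * interval).
            GridDrift = ([int]$start.TimeOfDay.TotalSeconds) % $IntervalSeconds
        }
    }
}

Get-ScriptBurst -Csv $csv -IntervalSeconds $interval | Format-Table -AutoSize
```

Bursts where many hosts share a start second and GridDrift is at or near 0 point to the synchronized schedule rather than to workload on the VMs.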

 

To not let this go into oblivion, I have left feedback on Operations Manager user voice. Hopefully, Microsoft will make some changes in the future. If you have suggestions or other experience, please let me know and I will update accordingly.
Operations Manager

Getting your colleagues engaged with SCOM

  • 08/02/2017 / 07/01/2025
  • by Martin Ehrnst

Q: How do I get my teammates engaged in SCOM?

A: Disable Email alerting

Q: What?

A: Let me explain what we did.

I had an interesting conversation the other day on how to get people more involved with SCOM. After going through what we have done over the years, I figured it’s a topic worth sharing. Even if Operations Manager will be replaced with OMS or another product in the future, it still plays a significant role and will for many more years.

In this post I will go through some of the steps I think have been a deal breaker in terms of the involvement from application and service owners that have their environment monitored with SCOM. I won’t reproduce all the steps we have done, as that would be too environment-specific, but I will explain how and why I think you should look into these topics.

Season SCOM with data from external sources.

Using data from your CMDB as additional properties on servers (and other objects) in SCOM makes a huge difference. I manage a large environment monitoring a lot of different customers with many services and applications running. Knowing which customer a server belongs to, what kind of backup it is running, which patch regime it follows, etc. is data you typically find in a CMDB, and by default SCOM is totally unaware of it.

We use an in-house developed CMDB system fully detached from any SCOM environment, but it has an API. By creating a management pack that extends the Windows computer class, we now have the following extended properties on all servers monitored by SCOM:

  • Customer name
  • Location
  • Type (Physical, virtual)
  • Host
  • Environment (Test, dev, production)
  • Services (Applications running)

All these properties can be used for almost anything: group creation, etc.

If you haven’t done this already, I strongly recommend connecting with a CMDB.

 

Replace the existing console.

The only person(s) who needs the SCOM console is the SCOM admin, and the only reasonable solution is to invest in a web-based system. Third party or in-house developed. There are a few commercial products out there, like SquaredUp and Savision, I encourage you to check them out. Below are two screenshots showing the difference between SquaredUp and the local console which should be a reason alone to invest in this.

SCOM Object state dashboard (who uses this?)

SquaredUp default installation showing a windows server object.

Agent tasks

This is a hidden gem. SCOM has an agent running on “all” servers in your environment, and this agent can run scripts for you at the click of a button. We have developed a management pack with a few tasks that were requested by my fellow colleagues.

Spend less time logging on to these servers and have the output directly.

Below is an output from the task showing disk free space. It is a simple PowerShell script packed in a task targeted at Windows computers.

A few examples of other tasks

  • Add or remove management group
  • List local administrators
  • Top x memory consuming processes
  • Restart agent
  • Start Windows service

 

Alert to ticket creation.

If you’re not using SCSM, you probably haven’t got a good connection with your ticketing system, or any at all. You can send an email directly, but chances are that it won’t work very well. Let’s say you have an alert storm and you are sending alerts through an SMTP channel to your ticketing system. You will probably have 100 tickets created without any connection at all to the actual alert. Maybe you have two tickets for each alert as well, one being resolution state NEW and the other Closed? That’s 200 tickets, or 198 because there are two business critical alerts not resolved, but you don’t see it.

With SquaredUp we created a function for ‘on demand’ alert creation directly from the console using their built-in functionality and an external script.

In a scenario with an alert storm, the operations team can quickly look at their dashboards and see which alerts are still present – not the ones that are already resolved. Creating tickets for these alerts makes sense, as they will have to be looked into further. Below is a diagram showing how we set this up.

flowchart showing ticket creation from scom/squaredup

Alongside this flow, we update each ticket with a new message when the alert is closed.

 

Support different alert platforms.

What I mean is that you should try to integrate SCOM so that alerts can be consumed on other platforms. I have blogged earlier on how to post messages to Microsoft Teams and Mattermost. This can also be done with Slack. If you don’t use any of these collaboration tools, think and consult with your colleagues; they probably have some great ideas!

 

Stop being personally involved with SCOM alerts.

As a SCOM administrator, how many times have you found yourself investigating an alert not within your field and without notifying anyone else? Probably too many. You’re not going to solve all the alerts, and there is a reason for the application being monitored in the first place: someone wanted it. Sit down with your team and figure out a solution together.

 

Big Data and Events

Splunk, OMS, Elasticsearch. It doesn’t matter. If you manage to tie your existing SCOM environment with event and big data systems you will be amazed. Again, the built-in OMS, Event log and Web API plugins in SquaredUp can be used for this.

Examples

  • Display SQL recommendations from the OMS SQL Assessment on all servers running SQL
  • Show change tracking events on the alert page.
  • Missing security updates on Windows server perspective.

 

Disable email alerts

It may be a bold statement, but if you manage to implement a few of the things I have listed and maintain your good tuning and MP implementation procedure, chances are that you can start to disable alerting by email, or at least get your colleagues more involved when they have the chance to properly use all the data and possibilities that come with having a SCOM installation in your environment.
Automation

Sending SMS with Azure functions and Twilio

  • 23/12/2016 / 07/01/2025
  • by Martin Ehrnst

Update:

As pointed out by Tao Yang, storing the Twilio credentials in the script isn’t exactly best practice.

pretty cool but the secret should at least be stored as application settings, not in clear text in the code. or even better – in Key Vault

— Tao Yang (@MrTaoYang) July 4, 2017

I have updated the script below to use Functions environment variables. You can create these from Settings>Manage Application settings 
[Fast publish]

Here the other day I “needed” to send an SMS when an alert was raised in Microsoft OMS. I already had a Twilio subscription, so I developed a little script to send myself a text message. Later I put that script in a runbook in Azure Automation and called that from the alert. SMS received and it was all good.

Later the same evening I was trying out Azure Functions, which lets you run so-called ‘server-less code’. Serverless or not, the code has to run on something, but you don’t need to maintain the infrastructure. I needed something to test Functions, so I ported my Automation runbook into a function.

The function accepts (in my environment) a webhook or a POST with a JSON string.

And here is the code that does it. You will have to add your own Twilio config, but other than that it should work.

<#
    .DESCRIPTION
        Azure function sending SMS through Twilio.
        Depending on how you set up your function, this script will accept both GET parameters through its URL or a POST with a JSON string sending phone and msg

        {
            "phone": "+4712345678",
            "msg": "www.adatum.no"
        }

        It will send the msg to the number you provide.

    .NOTES
        Requires an active twilio subscription and an azure functions container.
        Add your Twilio SID, secret and phone number as Function application settings (TwilioSID, TwilioPASS, TwilioPhone)

        Created by Martin Ehrnst
        www.adatum.no

    .CHANGELOG
        21.12.16: v1.0 initial release

#>

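# Parse the JSON body of the request; phone and msg are supplied by the caller
$requestBody = Get-Content $req -Raw | ConvertFrom-Json
$phone = $requestBody.phone
$msg = $requestBody.msg
# Twilio SID, secret and sender number are read from the Function's application settings
$sid = $env:TwilioSID
$password = ConvertTo-SecureString -String $env:TwilioPASS -AsPlainText -Force
$uri = "https://api.twilio.com/2010-04-01/Accounts/$sid/Messages.json"
$from = $env:TwilioPhone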

if ($req_query_phone) 
{
    $phone = $req_query_phone 
}

if ($req_query_msg) 
{
    $msg = $req_query_msg
}


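# Twilio uses HTTP basic authentication: account SID as user name, secret as password
$cred = New-Object System.Management.Automation.PsCredential($sid,$password)

# Form fields expected by the Twilio Messages endpoint
$SMS = @{
    From=$from
    To=$phone
    Body=$Msg
}

# Send the message and write Twilio's response to the function output
$SMSEND = Invoke-RestMethod -Method Post -Uri $uri -Credential $Cred -Body $SMS
Out-File -Encoding Ascii -FilePath $res -inputObject "$smssend"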

Here is a little example of how you configure your OMS alert to use it. The message contains a link to the alert search result.
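
The function sends to whatever `phone` the request supplies and assumes its three application settings exist. The checks below, which could run before the Twilio call, are an added example and not the author's code; the recipient allow-list, the 320-character cap and the function names are assumptions, and the sample requests are constructed.

```powershell
# Added example, not the author's code. TwilioSID, TwilioPASS and TwilioPhone are
# the app settings the function reads; the allow-list and length cap are assumptions.
function Get-MissingSetting {
    param([string[]]$Names = @('TwilioSID', 'TwilioPASS', 'TwilioPhone'))
    # Return names only, so setting values never reach output or logs.
    $Names | Where-Object {
        [string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($_))
    }
}

function Test-SmsRequest {
    param([string]$Phone, [string]$Msg, [string[]]$AllowedTo = @(), [int]$MaxLength = 320)
    $problems = @()
    # E.164 shape: '+', non-zero first digit, 8 to 15 digits in total.
    if ($Phone -notmatch '^\+[1-9][0-9]{7,14}$') {
        $problems += 'phone must be in E.164 format, e.g. +4712345678'
    }
    elseif ($AllowedTo.Count -gt 0 -and $AllowedTo -notcontains $Phone) {
        $problems += 'phone is not on the recipient allow-list'
    }
    if ([string]::IsNullOrWhiteSpace($Msg)) {
        $problems += 'msg must not be empty'
    }
    elseif ($Msg.Length -gt $MaxLength) {
        $problems += "msg is longer than $MaxLength characters"
    }
    [pscustomobject]@{ IsValid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample requests, checked offline; nothing is sent to Twilio.
$allow = @('+4712345678')
$samples = @(
    @{ phone = '+4712345678';  msg = 'Alert: CPU spike on host01' },
    @{ phone = '004712345678'; msg = 'wrong number format' },
    @{ phone = '+4799999999';  msg = 'valid format, not allow-listed' },
    @{ phone = '+4712345678';  msg = '' }
)
foreach ($s in $samples) {
    $r = Test-SmsRequest -Phone $s.phone -Msg $s.msg -AllowedTo $allow
    '{0,-13} valid={1} {2}' -f $s.phone, $r.IsValid, ($r.Problems -join '; ')
}
$missing = @(Get-MissingSetting)
if ($missing.Count -gt 0) { "Missing app settings: $($missing -join ', ')" }
```

In the function itself, write the problems to `$res` and skip `Invoke-RestMethod` whenever `IsValid` is false or a setting is missing.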
