SysCtr Archives

Microsoft killed SCOM internally

11/03/201907/01/2025
by Martin Ehrnst

Microsoft no longer uses SCOM to monitor their own workloads. They have replaced their entire SCOM based monitoring stack with Azure Monitor. Allegedly reduced alert noise and administration overhead.

Even if I have moved from SCOM as my main responsibility, I am still very much involved in the whole monitoring and management scope. Over the last years we have heard alot of talk about Azure Monitor replacing SCOM, but that cooled off after a while, maybe until now?

Technology change or cultural change

Microsoft’s story on how they killed SCOM internally was released one day before the official announcement on Operations Manager 2019. But we first heard the story at Ignite in 2018. One may ask, why the re-initiate this topic now?
For SCOM 2019, the focus is to better support hybrid cloud environments, which is good. If Microsoft doesen’t want to use it, should you?

I have written and spoken about the use of SCOM as your hub for Azure Monitor, and my opinion hasn’t changed that much. I belive that transition to you a new monitoring stack will happen with changes to the infrastructure.

When you read the article you’ll see that this was the case for Microsoft as well. There are two quotes i find partculary interesting in the announcement.

“This is not just a technology change, but a culture change,” Baxter says. “It wasn’t only that we would remove SCOM central monitoring, but we had to tell our application teams, now you’re going to manage alerts..”

It was January of 2017 when Baxter got the call. “Our goal was not just to get rid of SCOM, but to move to a Software as a Service (SaaS) solution and retire Virtual Machine (VM) based infrastructure,” she says.

The key here is change in culture. Microsoft went full on DevOps for their internal IT, and by doing that technology will change, and your monitoring will follow.
Further, the showcase mention monitoring was desentralized, which is true. But ther’s another key part of this story. The monitoring team built an integration service between their monitoring stack (Azure Monitor, app insights) and their ITSM system. This system allows for more meta data on each alert etc before ending up as a ticket.

Final notes

If you’re organization runs most of your IaaS on premises, you don’t have to make change yet. Allow the culture to drive the change. A long the way, your SCOM environment can be that integration service between Azure PaaS, FaaS, XaaS and ITSM.

Operations Manager

SCOM Virtualization host CPU spikes

14/03/201807/01/2025
by Martin Ehrnst

A lot of the core functionality SCOM 2016 has today was released with SCOM 2007. SCOM 2007 was released (as the name states) in 2007, at the very, very early stages of virtualization. 2007 Was also the start of my professional IT career and I remember only the most assertive companies with most capital was thinking about or using SAN and virtualization. I am talking about oil companies, large architectural firms etc. but still they had the environments in-house, making the virtualization environments small.

In 2018 most companies have much larger environments in-house or have moved everything to a service provider or a public cloud, and now, old SCOM 2007 implementations beginning to play a part.

Virtualization hosts

I work for a service provider in Norway, and we have around 4000 vm’s running on VMWare ESX. The environment is monitored in different ways, but visualization is using Grafana and Influx DB – providing very good insight to analyze the environment. See how you can create your own solution following Rudi Martinsens blog series on VMWare performance data.

This chart shows around 3000 VM’s CPU Ready spike every 15 minutes. Previously we had these spikes at 5 and 15. More on that later.

Collect Distributed Workflow Test Event

Collect Distributed Workflow Test Event is the rule that logs event id 6022 on all agent managed computers. It is used to “test event collection”.

Here’s a quote from the rule’s KB

This rule runs for each System Center Management Health Service and logs an event. This event is collected and used to verify that the end-to-end workflow to collect events properly is functioning as expected. If you alter the interval for this rule, it can cause the corresponding monitors to change state or generate an alert. The corresponding monitors are “No End to End Event for 45 Minutes (Critical Level)” and “No End to End Event for 30 Minutes (Warning Level)

The rule refers to two monitors using this event to check that “end-to-end” workflow is working. By default these two monitors are disabled, so what is the purpose of this rule? I already know from investigation that this rule indeed causes the CPU spikes every 15 minutes, that it has not implemented “spread initialization” which would be the prefered method. Instead it has a sync time forcing the same start interval for all agents. Even though it doesn’t create a noticeable overhead it self, multiply by X VMs on a host and you will see the impact.

I was not sure if the event logged by the rule was used to something else, so I reached out to Microsoft Premier Support. After a few phone calls and emails referring to my uservoice idea explaining the issue we got the following reply.

[…]

To summarize, if you did not enable the two monitors and if you have disabled the collection rule, logging the event is quite useless. There is no point in logging an event that no one checks afterwards. From this perspective, you could disable the rule logging the event and the collection rule as well, if this is not already disabled.

That confirmed my suspicions. This rule has no value (to our environment) and I can disable the whole thing.

Collect agent processor utilization

I have written about this rule exactly a year ago and I was not the first. It is the worst of the two and runs a script every five minutes to collect agent performance data. If you don’t use this data. Disable the rule.

Fun fact: Kevin Holman was the one suggested to run this rule every 321 seconds as he was tired of every workflow was running every 300 seconds by default.

Summary

Every SCOM environment differs from the other, but I strongly belive you are impacted by these two rules. “Collect Distributed Workflow Test Event” and “Collect agent processor utilization” both run on a fixed interval with a sync time instead of using Spread Initialization.

Depending on the size of your environment, , but if you don’t use the data generated by these rules I recommend you disable them. Here is a graph showing our two largest clusters hosting around 1000 VM’s.
Just before 11 I disabled “Collect Distributed Workflow Test Event” and you can clearly see the difference.

Let me know if you have experienced similar issues or have comments to this post.

Operations Manager

SCOM 1801 REST API Interfaces

19/02/201807/01/2025
by Martin Ehrnst

For many years SCOM have delivered state of the art infrastructure monitoring. The platform itself is very flexible, but it has lacked an easy integration interface. This has now changed.

SCOM UnOfficial REST API

A year ago we needed an easier way to integrate monitoring data with non Microsoft products customer portals, CMDB etc. Some of these systems also needed the ability to trigger maintenance mode and create maintenance schedules. As an internal project with a very steep learning curve I started on a SCOM Web API. In May 2017 everyone on the Internet could see how poorly I knew C# as I pushed the whole project to GitHub (First commit).

Latest version now supports many new features and a lot of code changes.

SCOM Official REST API

As I follow Microsoft’s monitoring space closely I was very surprised when Jasper VanDamme started talking about a official SCOM REST API released with SCOM 1801. This was something never seen (by me) in the release notes and not talked about at all. If we had got this news when 1801 first announced I believe people had seen it as one of the big news along side HTML5 dashboards, which I understand is why the API now exists.

Being very passionate about SCOM and it’s possibilities despite being an old dinosaur, I feel this official API can open doors for many non SCOM admins creating very cool solutions. I was hoping this could happen to the one I created (and to some extent it have) but now we have a officialy backed SCOM API which is consistent and professional in every corner – future looks promising.

Resources

Official REST API Reference

Custom Dashboard Example

SCOM REST API on GitHub

Remarks

When I find the time to upgrade my labs to 1801 I will write a blog post dedicated to the new API. Please let me know if you have developed anything cool using either of the API’s available. I’m happy to check it out and provide feedback.

Microsoft killed SCOM internally

Technology change or cultural change

Final notes

Share this:

SCOM Virtualization host CPU spikes

Virtualization hosts

Collect Distributed Workflow Test Event

Collect agent processor utilization

Summary

Share this:

SCOM 1801 REST API Interfaces

SCOM UnOfficial REST API

SCOM Official REST API

Resources

Remarks

Share this: