Our Linux team is afraid that the SCOM agent for Linux is not safe and uses root too much. So they wanted to see if SCOM can use SNMP to monitor our Linux systems.
I started to look at the MIB for Red Hat and used the “Network Monitoring Management Pack Generator UI Tool” from Microsoft to create a MP. But I found it too time consuming to add all the OIDs for each object and then set levels for them. And handling the number of disks on the server and disk usage was just a mess.
Is there anyone who has created a MP for monitoring Linux via SNMP? Most guides I found say: “don’t use SNMP, the Linux MP is much better”.
Anyone who has any input on the subject? Is the Linux agent safe?
We use standard SNMP to monitor appliances. As long as you can discover the device in SCOM as a network device (node) then you can apply SNMP discoveries/monitors/rules.
Let me know if anyone is interested in finding out more.
I personally don’t see what all the fuss is about the agent; in my experience it’s simple to install and is robust and reliable.
In my organisation all the *nix boxes are Active Directory integrated (they still retain local accts for maintenance and emergencies).
We have 2 service accounts in AD, one that is high priv and used during the installation process with the sudo options, and a low priv account that is used by the agent to send the monitoring data up to the SCOM MPs.
AD is not a pre-req here; you can achieve this with a pair of local accounts configured with the required permissions.
We’ve had it running for well over a year now and despite the occasional failure of the AD integration module on the odd server it’s been stable and performant and has not posed any additional security risks that could not be mitigated via other means (e.g. bit of firewall here and there).
Our *nix expert had similar concerns when he set up the auth model for us but was quite happy with it once tested and implemented.
We also use a Spacewalk server for build and config of and the settings for the 2 accounts that SCOM needs are propagated to every *nix box at build time, so overhead to manage it is minimal.
I need to apologise for not reporting back on this sooner. I’ve unfortunately been tied up at work lately and I’ve been finding it incredibly hard to sanitise what I’ve already created and extract the key elements that are needed to successfully demonstrate how to build the solution.
What is probably going to be far easier is for me to put together a blog post detailing the steps you need to go through. I’ll actually start building a sample application from the ground up using the same method that I’ve used internally to monitor our new AV Solution.
I’m new to blogging so please give me a little time and I’ll hopefully get the first post up in the very near future.
I would be interested in the ‘NIX appliance solution as well. Silect has a solution to build SNMP MPs but it is not free. If you have some MP building prowess, that might help anyone else leveraging SNMP for SCOM monitoring.
We have some internal Linux appliances which are supported by a third party and they categorically refused to allow us to install the Unix-based SCOM Agent on those appliances.
What we’ve ended up doing is rolling our own solution. This uses an initial registry-based discovery to identify a ‘proxy’ which is then responsible for creating the required objects in the SCOM environment based on a configuration file. Once the objects are created the monitoring using SNMP is then performed by the same host using a custom PowerShell script and the Sharp SNMP Library.
If this sounds like something people are interested in then I’d be happy to post a bit more information. The script I’ve created uses an XML configuration document to map OID values back to named values. We then use some rules to log these into the databases and also with a custom unit monitor type to allow us to alert should specific values breach a threshold.
Please let me know if you’d like to see more information on this approach.
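The OID-to-name mapping and threshold check described in the post above, sketched as an added PowerShell example that is not the poster's script. The XML element and attribute names, the function name and the poll values are constructed for illustration, and the SNMP GET itself (done with the Sharp SNMP Library in the post) is replaced by a hashtable of sample results.

```powershell
# Constructed configuration; the schema is hypothetical, not the poster's.
# OIDs: UCD-SNMP-MIB laLoad.1 and dskPercent.1, HOST-RESOURCES-MIB hrSystemUptime.0
[xml]$config = @'
<SnmpMonitor>
  <Oid id="1.3.6.1.4.1.2021.10.1.3.1" name="LoadAverage1Min" warning="4" critical="8" />
  <Oid id="1.3.6.1.4.1.2021.9.1.9.1" name="RootDiskPercentUsed" warning="80" critical="90" />
  <Oid id="1.3.6.1.2.1.25.1.1.0" name="SystemUptimeTicks" />
</SnmpMonitor>
'@

# Constructed poll result standing in for the SNMP GET responses (OID -> raw value).
$pollResult = @{
    '1.3.6.1.4.1.2021.10.1.3.1' = '0.42'
    '1.3.6.1.4.1.2021.9.1.9.1'  = '93'
    '1.3.6.1.4.1.2021.4.6.0'    = '512000'   # not in the config, so never reported
}

function ConvertTo-NamedSnmpValue {
    param(
        [Parameter(Mandatory)] [xml]$Config,
        [Parameter(Mandatory)] [hashtable]$PollResult
    )
    $invariant = [cultureinfo]::InvariantCulture   # parse "0.42" the same on every locale
    $float = [Globalization.NumberStyles]::Float
    # Only OIDs listed in the configuration are reported (allow-list).
    foreach ($entry in $Config.SelectNodes('/SnmpMonitor/Oid')) {
        $raw = $PollResult[$entry.GetAttribute('id')]
        $value = 0.0; $warn = 0.0; $crit = 0.0
        $state = 'Healthy'   # also used for values with no threshold or non-numeric data
        if ($null -eq $raw) {
            $state = 'NoData'   # the device returned nothing for a configured OID
        }
        elseif ([double]::TryParse([string]$raw, $float, $invariant, [ref]$value)) {
            # A missing threshold attribute is an empty string, which fails TryParse.
            if ([double]::TryParse($entry.GetAttribute('critical'), $float, $invariant, [ref]$crit) -and $value -ge $crit) {
                $state = 'Critical'
            }
            elseif ([double]::TryParse($entry.GetAttribute('warning'), $float, $invariant, [ref]$warn) -and $value -ge $warn) {
                $state = 'Warning'
            }
        }
        [pscustomobject]@{
            Name = $entry.GetAttribute('name'); Oid = $entry.GetAttribute('id')
            Value = $raw; State = $state
        }
    }
}

ConvertTo-NamedSnmpValue -Config $config -PollResult $pollResult | Format-Table -AutoSize
```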
Our *nix team were just as dubious. We’ve settled on a process where they install the agent, send me the certificate, I sign it and send it back and then discover only computers with the UNIX/Linux agent installed; this only uses the UNIX/Linux Action Account. We used the following to get this working: