I understand the difference between rule-based alerts and monitor-based alerts, but my users don’t.
I’ve tried to educate them but still some monitor alerts get closed. I use Green Machine to re-open these alerts, but can I just prevent operators from closing monitor alerts entirely?
Squared Up will show the user a warning if they try to close a monitor-based alert. Although, they can still just ignore this.
Apart from education that you already do, there aren’t many alternatives. Especially for Exchange 2010 where all alerts are from rules, controlled by the correlation engine which relies on monitors. Any way, I suggest you check out Tao Yang’s self maintenance MP. There is a rule to alert you when this occurs, it also has an option to reset the corresponding monitor.
Tao’s management pack can be downloaded from here.
Demote them to R/O operators or use Tao’s pack to report on manually closed monitor alerts and share it with their supervisor.
Another good solution may a orchestrator runbook that resets the health when the alert is closed.
[SCOrch] Automatically Reset Unhealthy Unit Monitors (when alert closed in error by a human)
You could always write a PowerShell script that executes as part of a scheduled task which resets the health of any monitor if the associated rule was closed. That way you wouldn’t have to worry about alerts being closed as they’ll just come back after the health has been reset.
$Alertname=@();
$State=@();
$Displayname=@();
Import-Module OperationsManager;
New-SCOMManagementGroupConnection SERVERNAME;
$alerts=get-scomalert -Criteria “Severity!=0 AND IsMonitorAlert=1 AND ResolutionState=255"| where {$_.LastModified -ge ((get-date).AddMinutes(-15)).ToUniversalTime()}
if ($alerts -is [object])
{
foreach ($alert in $alerts)
{
$monitoringobject = Get-SCOMClassinstance -id $alert.MonitoringObjectId
#Reset Monitor
If (($monitoringobject.HealthState -eq ‘Error’) -or ($monitoringobject.HealthState -eq ‘Warning’))
{
$monitoringobject.ResetMonitoringState()
$State+=$monitoringobject.HealthState
$Displayname+=$monitoringobject.displayname
$Alertname+=$alert.Name
}
}
}
Tao’s solution is the best alternative until OpsMgr has an option to prevent users from closing these alerts. The rule is called “OpsMgr 2012 Self Maintenance Detect Manually Closed Monitor Alerts Rule.” All of Tao’s modules in the MP are disabled by default, so you need to explicitly enable this rule.
I second Tao’s MP. Until I started using that I had a task in SCOM I created that would reset/recalc the health of all Monitors in Warning/Critical that did not have an open alert.