Our Linux team is afraid that the SCOM agent for Linux is not safe and uses root to much. So they wanted to see if SCOM can use SNMP to monitor our Linux systems.
I started to look at the MIB for Redhat and used the “Network Monitoring Management Pack Generator UI Tool” from Microsoft to create a MP. But I found to time consuming to add all the OID:s for each object and then set levels for them. And handling the number of disks on the server and diskusage was just a mess.
Is there anyone who has created a MP for monitoring Linux via SNMP? Most guides I found says: “dont use SNMP the Linux MP is much better”.
Anyone who has any input in the subject? Is the Linux agent safe?
Our *nix team were just as dubious. We’ve settled on a process where they install the agent, send me the certificate, I sign it and send it back and then discover only computers with the UNIX/Linux agent installed; this only uses the UNIX/Linux Action Account. We used the following to get this working:
We have some internal Linux appliances which are supported by a third party and they categorically refused to allow us to install the Unix-based SCOM Agent on those appliances.
What we’ve ended up doing is rolling our own solution. This uses an initial registry-based discovery to identify a ‘proxy’ which is then responsible for creating the required objects in the SCOM environment based on a configuration file. Once the objects are created the monitoring using SNMP is then performed by the same host using a custom PowerShell script and the Sharp SNMP Library.
If this sounds like something people are interested in then i’d be happy to post a bit more information. The script i’ve created uses an XML configuration document to map OID values back to named values. We then use some rules to log these into the databases and also with a custom unit monitor type to allow us to alert should specific values breach a threshold.
Please let me know if you’d like to see more information on this approach.
I would be interested the 'NIX appliance solution as well. Silect has a solution to build SNMP MP’s but it is not free. If you have some MP building prowess, that might help anyone else leveraging SNMP for SCOM monitoring.
I need to apologise for not reporting back on this sooner. I’ve unfortunately been tied up at work lately and i’ve been finding it incredibly hard to sanitise what i’ve already created and extract the key elements that are needed to successfully demonstrate how to build the solution.
What is probably going to be far easier is for me to put together a blog post detailing the steps you need to go through. I’ll actually start building a sample application from the ground up using the same method that i’ve used internally to monitor our new AV Solution.
I’m new to blogging so please give me a little time and i’ll hopefully get the first post up in the very near future.
I personally don’t see what all the fuss is about the agent, in my experience its simple to install and is robust and reliable.
In my organisation all the *nix boxes are Active Directory integrated (they still retain local accts for maintenance and emergencies)
We have 2 service accounts in AD, one that is high priv and used during the installation process with the sudo options, and a low priv account that is used by the agent to send the monitoring data up to the SCOM MP’s.
AD is not a pre-req here you can achieve this with a pair of local accounts configured with the required permissions.
We’ve had it running for well over a year now and despite the occasional failure of the AD integration module on the odd server its been stable and performant and has not posed any additional security risks that could not be mitigated via other means (e.g. bit of firewall here and there)
Our *nix expert had similar concerns when he set up the auth model for us but was quite happy with it once tested and implemented.
We also use a spacewalk server for build and config of and the settings for the 2 accounts that SCOM needs are propagated to every *nix box at build time so overhead to manage it is minimal.
We use standard snmp to monitor appliances. As long you can discover the device in Scom as a network device(node) then you can apply snmp discoveries/monitors/rules.
Let me know if anyone are interested in finding out more.
How about we figure out a way to automate that process? I’m not keen on signing and sending certificates
I think the issue for our Linuxguys was that the agent started three processes. Of which one was running as root. And the processes was running as the action account. Can you check how the processes are running in your environment?
I think they have 2 processes, one running as root, the other running as the SCOM action account.
Ok, then it is the same setup as we have.
I’m interested in finding out more since we also have a bunch of Linux Applicances we cant install any SCOM agent on.
I need a little time to sanitize my code and just make sure there’s no references to anything internal to our environment. I’ll strip out the relevent parts and try to post some examples when i’m back at the hotel this evening. Hope that’s ok.
I´m really interested in looking at your solution. Hopefully it will make our paranoid Linuxadmins happy =)
I will be posting something on this soon; alas my MP was quite tightly packed and customised for our specific requirements. I’m stripping out and refactoring it slightly so I can publish it in a more palatable form. Hopefully have something ready later today or during tomorrow.
We look forward to this Peter - Thank you for sharing with us!
We are the same. No issues with linux boxes and have around 100 monitored. Our linux admins are pretty good at keeping their patch in working order, and they have no issues with my SCOM agent, and usually are quite helpful when I’ve had issues.
If you can persuade them to accept the SCOM Linux Agent (and we have clients who are successfully monitoring > 2500 Linux servers via SCOM) then you may find this script from a Microsoft PFE helpful; http://runawaybunnies.blogspot.co.uk/2017/10/opsmgr-bulk-deployment-of-linux-agents.html
Great tip, I´ll take a look at that script.
Have you had time to create a blog post regarding your solution?