Running a PowerShell script for a response action on a rule?

In the configuration for a rule, there is an option to add responses. Even if the rule runs a scheduled PowerShell script from the Community management pack, I don’t believe you can run a PowerShell script as a response.

I think you can. Have you tried already?

What is the intended end result?
Could Diagnostic/Recovery tasks (woefully underappreciated in my opinion) be a better fit for what you are looking for?

We are trying to check for a particular event, but not every event that meets the source and event ID will be regarded as an error. It gets a bit messy.

Inside the event detail there are about 25 lines of information, and within that there are two URLs which we want to check to see if they are the same. If they are the same, then we want to generate an alert. Generating the alert would be handled by getting the response script to log a separate event and a second rule picking up on that.

I was hoping to use the rule for NT Event Log (Alert) to catch every event and add a response that runs a script to check if this is one of the events with the matching URLs. So I added to my rule a response which runs a PowerShell script, but I get the Health Service Modules 21413 response (Command executed: “C:\Windows\system32\cscript.exe” /nologo “response.ps1”). Cscript does not run PowerShell.

We can get around this by running a scheduled PowerShell script every 10 minutes to look at the previous 10 minutes’ worth of events and then loop through them, checking the details of the message for matching URLs.

Or we could try and add some additional criteria to the original Event Log rule which includes looking at the detail, but that would take a lot of head scratching for us.

It seemed odd that we can write a diagnostic / recovery for any monitor using the PowerShell community management pack but not so much with the rules.

I agree diagnostic / recovery scripts are wonderful. We have quite a few now doing automatic fixes, and if at the end of the script you write out a new event that gets picked up as an information alert, you get an idea of how often SCOM is fixing stuff! :)
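The workaround described above (a scheduled PowerShell rule that scans the last 10 minutes of events, extracts the two URLs from the event description, and re-logs a new event for a second rule to pick up) as an added example. This is not code from the thread or from the Community management pack; the log name, provider, event IDs and the source used for the re-logged event are placeholders, and the sample event text is constructed.

```powershell
# Added example, not from the thread: scheduled-rule script that looks back
# $LookbackMinutes, finds events whose first two URLs are identical, and
# writes a new event that a second rule can alert on.
# All names and IDs below are placeholders (assumptions), not values from the thread.
param(
    [string]$LogName         = 'Application',
    [string]$ProviderName    = 'Contoso.App',    # placeholder event source to scan
    [int]   $EventId         = 1234,             # placeholder event ID to scan
    [int]   $LookbackMinutes = 10,
    [string]$ResultSource    = 'ScomUrlCheck',   # placeholder source for the re-logged event
    [int]   $ResultEventId   = 9001,             # placeholder ID the second rule watches for
    [switch]$WhatIf                              # report only, do not write to the event log
)

# Pull every URL out of the multi-line description and report whether the first
# two are the same (case-insensitive, ignoring a trailing slash).
function Get-UrlsFromMessage {
    param([string]$Message)
    return @([regex]::Matches($Message, 'https?://[^\s"<>]+') |
             ForEach-Object { $_.Value.TrimEnd('/') })
}

function Test-MatchingUrls {
    param([string]$Message)
    $urls = Get-UrlsFromMessage -Message $Message
    if ($urls.Count -lt 2) { return $false }
    return ($urls[0] -ieq $urls[1])
}

# Constructed sample description, standing in for the ~25-line event detail.
$sampleMessage = @"
Request processed by worker 7
Primary endpoint: https://portal.example.invalid/api/v1/
Fallback endpoint: https://portal.example.invalid/api/v1
Status: completed
"@
Write-Verbose ("Sample message matches: {0}" -f (Test-MatchingUrls -Message $sampleMessage))

$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$filter = @{ LogName = $LogName; ProviderName = $ProviderName; Id = $EventId; StartTime = $since }

# Get-WinEvent errors when nothing matches the filter; treat that as "no events".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Write-EventLog needs a registered source; registering it once requires admin rights.
if (-not $WhatIf -and -not [System.Diagnostics.EventLog]::SourceExists($ResultSource)) {
    New-EventLog -LogName $LogName -Source $ResultSource
}

foreach ($evt in $events) {
    if (-not (Test-MatchingUrls -Message $evt.Message)) { continue }
    $body = "Matching URLs found in event $($evt.Id) (record $($evt.RecordId)) at $($evt.TimeCreated):`n$($evt.Message)"
    if ($WhatIf) {
        Write-Output $body
    } else {
        Write-EventLog -LogName $LogName -Source $ResultSource -EventId $ResultEventId `
                       -EntryType Warning -Message $body
    }
}
```

Because the rule's schedule and the lookback window are both 10 minutes, a slow run can let one event fall into two consecutive windows; including the source event's `RecordId` in the re-logged message (as above) gives the second rule, or a human, something to de-duplicate on. Run with `-WhatIf` first to see which events would be re-logged without registering a source or writing anything.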

Personally, I steer clear of rules for alerting, as it requires a human to manually close the alert; it also doesn’t help that if the human reads the alert a few hours later, (s)he will not know if the alert is current or not. I will usually go with Monitors and determine health instead.

FYI, rules don’t have diagnostic/recovery modules as they are designed to run more custom workflows which should replace those modules.

That said, I think you will need to use VSAE to do this the “right” way. You’d use the “Windows!Microsoft.Windows.EventProvider” module as base datasource in the workflow, then run the PowerShell script using module “Windows!Microsoft.Windows.PowerShellPropertyBagTriggerOnlyProbe”. Then you can use the CD module to do the logic depending on the information provided by the probe and calculate the health (if monitor).

PS: If you haven’t invested the time in the authoring courses that are now on Channel 9, you will lose a lot of opportunities in monitoring and will have a LOT more head scratching than required…
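As an added illustration of the probe step in the VSAE workflow suggested above (not code from the thread): this is the kind of script body a Windows!Microsoft.Windows.PowerShellPropertyBagTriggerOnlyProbe would run. It assumes the event description is passed in as a script parameter (mapping `$Data/EventDescription$` from the EventProvider datasource to a parameter named `EventDescription` is an assumption about how you would wire the module, not something the thread specifies) and returns a property bag that the condition detection module can filter on.

```powershell
# Added example, not from the thread: property bag probe script that checks
# whether the first two URLs in an event description are identical.
# The parameter name is an assumption; it must match the Parameters block of
# the PowerShellPropertyBagTriggerOnlyProbe module configuration.
param([string]$EventDescription)

# MOM.ScriptAPI is the SCOM COM object available to scripts run by the agent.
$api = New-Object -ComObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()

$urls  = @([regex]::Matches($EventDescription, 'https?://[^\s"<>]+') |
           ForEach-Object { $_.Value.TrimEnd('/') })
$match = ($urls.Count -ge 2) -and ($urls[0] -ieq $urls[1])

# Property bag values are strings; keep them simple for the expression filter.
$bag.AddValue('UrlsMatch', $match.ToString())
$bag.AddValue('UrlCount',  $urls.Count.ToString())
$bag.AddValue('FirstUrl',  $(if ($urls.Count -gt 0) { $urls[0] } else { '' }))
$bag.AddValue('SecondUrl', $(if ($urls.Count -gt 1) { $urls[1] } else { '' }))

# Returning the bag (not calling $api.Return) is what the TriggerOnly probe expects.
$bag
```

The condition detection step would then be a System!System.ExpressionFilter comparing `Property[@Name='UrlsMatch']` to `True`, so only events with matching URLs continue to the alert (or to the monitor's unhealthy state). Because the probe only runs when the EventProvider datasource emits an event, there is no polling window and no duplicate handling to worry about, which is the main advantage over the scheduled-script workaround.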