Monitoring Linux with SCOM 2012 R2 – Part 3: Installing the SCOM Agent On Linux

In our last post, we went through preparing SCOM for monitoring Linux, which included creating Run As Accounts, and associating them to the applicable Run As Profiles. In this part, we will be installing the SCOM Agent on the Linux system.

Create Linux Accounts

If you recall from our last post, we created 3 Run As accounts in SCOM. However, I mentioned that at the time of creating the SCOM Run As accounts, the actual accounts don’t need to exist on the Linux system yet. So, we will first go over how to create these accounts we referenced in SCOM, on the Linux system.

For reference, these are the Run As accounts that I created in SCOM, and the account name I used for it:

• UNIX/Linux Action Account = LinuxMonitoring
• UNIX/Linux Privileged Account = LinuxPrivileged
• UNIX/Linux Agent Maintenance Account = LinuxMaintenance

Start by logging into the Linux system as the Root user (aka. Local Administrator) so that we can create the accounts and set their permissions. Once you are logged in, right-click on the “Root’s Home” folder, and select “Open In Terminal“.

In the Terminal window, type the following commands (press Enter after each line).

• sudo useradd ACCOUNTNAME
• sudo passwd ACCOUNTNAME (Note: After you press Enter you need to type the password twice)

Repeat these steps for each of the Linux Run As accounts so that they are created.

SUDO Elevation

A new feature for UNIX and Linux monitoring with System Center 2012 – Operations Manager is the ability to use sudo elevation in the discovery and agent upgrade wizards, as well as Run As accounts. This means that the root user is no longer needed for privileged monitoring (log file monitoring, script/command execution) and agent maintenance (installation, upgrade, and uninstallation). In order to use sudo-enabled accounts for Operations Manager monitoring, the sudoers file must be configured (on each UNIX/Linux computer) to authorize elevation for the selected user account, using visudo.

The actual list of commands used for privileged monitoring or agent maintenance varies between platforms. See the following TechNet article for a list: http://social.technet.microsoft.com/wiki/contents/articles/7375.configuring-sudo-elevation-for-unix-and-linux-monitoring-with-system-center-2012-operations-manager.aspx.

In order to use sudo-enabled accounts for Operations Manager monitoring, the sudoers file must be configured (on each UNIX/Linux computer) to authorize elevation for the selected user account, using visudo.

Since in my lab I am using SUSE 11, I am going to be using the following code:

#———————————————————————————–
#User configuration for Operations Manager agent – for a user with the name: monuser

#General requirements
Defaults:monuser !requiretty

#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c  cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c  rpm -e scx
#SLES 9
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F –force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.9.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U –force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.9.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
#SLES 10 or 11
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F –force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.1[0-1].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U –force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.1[0-1].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC

#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
 
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron & 

#End user configuration for Operations Manager agent
#———————————————————————————–

Within the Linux system,  right-click on the “Root’s Home” folder, and select “Open In Terminal“.

In the Terminal window, type the following command (press Enter after).

sudo visudo

Navigate to the end of the file (using the arrow keys). Then press “i“, which will change the file into “Insert” mode (it should say ‘insert’ along the bottom).

Copy the appropriate code into the file. After you have copied the code into the file, press the escape key (ESC).

Note: You will see in my lab example, that I am referencing my UNIX/Linux Action Account (i.e. LinuxMonitoring). Ensure that you are referring to the correct account in your environment.

After you have pressed ESC, type the following “:wq” (without the quotation marks), then press Enter.

Note: For clarity, look at the following screenshot (at the bottom of the window).

Configure SCOM Linux Discovery

Now that we have configured the permissions within the Linux system for our monitoring account, we need to configure the SCOM Discovery.

In the SCOM console, navigate to the Administration workspace > Device Management > Agent Managed. Right-click and choose Discovery Wizard.

On the Discovery Type screen, select UNIX/Linux Computers, then click Next.

On the Discovery Criteria screen, click the Add button.

On the Discovery Criteria Wizard, add the Linux system’s name in the Discovery Scope.

After adding the Linux system to the Discovery Scope, click on the Set Credentials button.

On the Credential Settings dialog, change the Type to “User name and password” since that’s what we have configured. Type in the credentials for the UNIX/Linux Action Account (i.e. LinuxMonitoring in my lab example).

Also ensure that the ‘Does this account have privileged access?’ option is set to “This account does not have privileged access“, then click OK.

Back on the Discovery Wizard screen, now that all the fields/information is filled in, click Save.

Back on the Discovery Criteria dialog, select the Resource Pool that will be used to monitor the Linux system, then click Discover.

On the Computer Selection screen, select the Linux system, then click Manage.

On the Computer Management screen, if the deployment was successful, click Done.

In the SCOM console, navigate to the Administration workspace > Device Management > UNIX/Linux Computers. The Linux system should appear.

You can also navigate within the SCOM console to Monitoring > UNIX/Linux Computers, and check out the different views and diagrams.

Well, that covers my series and experience in using SCOM to monitor a UNIX/Linux system. I hope this was interesting and helpful for everyone.

Monitoring Linux with SCOM 2012 R2 – Part 2: Configure SCOM For Monitoring Linux

In our last post, we went through the Installation and Configuration of a Linux Virtual Machine. In this part, we will configure System Center Operations Manager (SCOM) to be prepared to monitor UNIX / Linux systems. To accomplish this, we will need to setup a Resource Pool, import the appropriate Management Packs, Configure Name Resolution, and Configure/Assign RunAs Accounts. Let’s get started.

Create A Resource Pool

Log on to the Operations console with an account that is a member of the Operations Manager Administrators role.

Click Administration.

In the navigation pane, click Resource Pools.

In the Tasks pane, click Create Resource Pool.

In the Create Resource Pool wizard, on the General Properties page, enter a name and, optionally, a description for the resource pool, and then click Next.

On the Pool Membership page, click Add.

In the Member Selection window, enter text to filter the search results if desired, and then click Search. If you click Search without entering anything in the filter field, all available management servers will be displayed.

In Available items, select the servers that you want in the resource pool, click Add, and then click OK.

Click Next.

On the Summary page, review the settings and then click Create.

When the wizard completes, click Close.

Import UNIX and Linux Management Packs

The UNIX and Linux Operating Systems Management Packs enable discovering, monitoring, and managing UNIX and Linux computers with System Center Operations Manager. They provide both proactive and reactive monitoring of the UNIX and Linux operating systems.

In the SCOM Console, navigate to the Administration workspace.

Right-click on the Management Pack item in the navigation pane, and choose ‘Import Management Packs’. This will cause the Import Management Packs wizard to launch.

In the Import Management Pack wizard, click the Add button. You will be presented with 2 options, ‘Add From Catalog’ and ‘Add From Disk’. The ‘Add From Catalog’ option will enable you to search the catalog directly, however, most Production systems don’t have an Internet connection, which this option requires.

Therefore, we will demonstrate and choose the ‘Add From Disk’ option. When you select this option, you will immediately receive the following prompt. Since, in Production, your server probably will not have Internet access, we will choose ‘No’.

Now, you will see the File Explorer dialog. From here you need to navigate to the location of the Management Pack files. You can find the UNIX and Linux Management Packs on the SCOM Source Media.

In my lab example, I have the SCOM ISO mounted to my DVD Drive as D:\, so the location of my Management Packs is: D:\ManagementPacks\

NOTE: As of this writing, there is an update available (version 7.5.1025.0) to the existing Management Packs from the source meida, which can be found here: http://www.microsoft.com/en-ca/download/details.aspx?id=29696.

The specific .MP files that you want to import will depend on what version of UNIX or Linux you want to monitor. To start, you will want to import the “Microsofot.Linux.Library.mp”. You will also want to find the appropriate Library and Version MP files for the edition of Linux you are monitoring.

In my lab example, since I am monitoring SUSE, I will also be importing the “Microsoft.Linux.SUSE.Library.mp” and “Microsoft.Linux.SUSE.11.mpb” files.

Once the Management Packs are displayed in the import list, click Install.

After the Management Packs have been imported, click Close.

NOTE: You may have to restart the following Services on the Management Server:

• System Center Data Access Service
• System Center Management Configuration

Configure Name Resolution

The SCOM Management Servers needs to be able to communicate with the Linux server. This means it needs to be able to resolve the FQDN of the Linux system, and the Linux system needs to be able to resolve the SCOM Management Server(s) FQDN.

To simplify this process in my lab, we’re going to modify the HOSTS file. On the Management Server(s), navigate to C:\Windows\System32\Drivers\ETC and edit the HOSTS file. Note that there is no file extension on this file. The easiest way to edit the file is in Notepad.

When you have the HOSTS file open in Notepad, we need to add an entry for the Linux system so that the SCOM Management Server(s) can resolve it. Once you have added the entry, save the file.

Now from the SCOM Management Server(s), ensure that you can successfully PING the name of the Linux server.

Also from the Linux server, ensure that you can successfully PING the name of the SCOM Management Server(s).

Configure Run As Accounts and Profiles for UNIX and Linux

You must create Run As accounts for agent maintenance operations, and for health and performance monitoring. These Run As accounts must then be associated with the Run As profiles defined in the UNIX and Linux management packs, so they can access the agents on UNIX and Linux computers.

We need to create 3 accounts:

• UNIX/Linux Action Account
• UNIX/Linux Privileged Account
• UNIX/Linux Agent Maintenance Account

UNIX/Linux Action Account

In the Operations console, click Administration.

In Run As Configuration, click UNIX/Linux Accounts.

In the Tasks pane, click Create Run As Account.

On the Account Type page, choose the Monitoring Account option, then click Next.

On the General Properties page, provide a name and description for the account, then click Next. The description is optional.

On the Account Credentials page, provide account credentials that can be used for the Run As account type that you selected, then click Next.

NOTE: This account does not necessarily need to exist on the Linux system yet, and you can create it later if need be.

On the Distribution Security page, select the More Secure or Less Secure option, then click Create.

Once the wizard is complete, click Close.

UNIX/Linux Privileged Account

In the Operations console, click Administration.

In Run As Configuration, click UNIX/Linux Accounts.

In the Tasks pane, click Create Run As Account.

On the Account Type page, choose the Monitoring Account option, then click Next.

On the General Properties page, provide a name and description for the account, then click Next. The description is optional.

On the Account Credentials page, provide account credentials that can be used for the Run As account type that you selected, then click Next. Ensure that the elevation option is set to “Elevate the account using sudo for privileged access“.

NOTE: This account does not necessarily need to exist on the Linux system yet, and you can create it later if need be.

On the Distribution Security page, select the More Secure or Less Secure option, then click Create.

Once the wizard is complete, click Close.

UNIX/Linux Agent Maintenance Account

In the Operations console, click Administration.

In Run As Configuration, click UNIX/Linux Accounts.

In the Tasks pane, click Create Run As Account.

On the Account Type page, choose the Agent Maintenance Account option, then click Next.

On the General Properties page, provide a name and description for the account, then click Next. The description is optional.

On the Account Credentials page, select the “User name and password” option, and provide account credentials that can be used for the Run As account, then click Next. Ensure that the privileged access option is set to “This account does not have privileged access“.

NOTE: This account does not necessarily need to exist on the Linux system yet, and you can create it later if need be.

On the Elevation page, select the Use ‘sudo’ elevation option, then click Next.

On the Distribution Security page, select the More Secure option, then click Create.

Once the wizard is complete, click Close.

Configuring Run As Profiles for UNIX and Linux

Now that you have created the Run As accounts, you must add each Run As account to the applicable profile.

In the Operations console, click Administration.

In Run As Configuration, click Profiles.

In the list of profiles, right click and then select Properties on one of the following profiles:

• UNIX/Linux Action Account
• UNIX/Linux Privileged Account
• UNIX/Linux Agent Maintenance Account

In the Run As Profile wizard, click Next until you get to the Run As Accounts page.

On the Run As Accounts page, click Add to add a the Run As account that you created. Select the “All targeted objects” option, then click OK.

Click Save.

On the Completion screen, you may see a warning message about the More Secure accounts (if you chose this option when creating the accounts).

If you click on the Linux Action Account link, the Run As Account Properties dialog will appear. Click the Add button.

On the Computer Search screen, search for the Resource Pool, and add the Linux Resource Pool that we previously created, then click OK.

Back on the Run As Account Properties screen, click OK.

Back on the Completion screen, the Warning icon will now have changed to a green checkmark. Click Close.

Repeat these steps for each of the UNIX/Linux Run As Profiles.

Wow! That was a lot of work, but SCOM is now ready to monitor Linux. In the next part of this series, we will install the SCOM Agent on the Linux server.

Monitoring Linux with SCOM 2012 R2 – Part 1: Installation and Configuration of Linux (SUSE) Virtual Machine

I wanted to write a post/series on something that I knew about, but never had the opportunity to actually do in a Production environment; monitoring Linux/UNIX servers using System Center Operations Manager (SCOM).

All of my experience has been in a Windows-based environment. Even though the environments I have worked in did have some Linux/UNIX systems, these were not within my realm of jurisdiction, and therefore I could not install the SCOM Agent on these servers.

So, what better way to gain experience with something, than doing some research, and trying it out. Here it goes. Let’s start with setting up a Linux server. In my lab I’m running Hyper-V, so I will setup a Linux VM to work with.

The first thing that you need to do is choose an appropriate Linux/UNIX distribution. System Center Operations Manager supports multiple versions/editions of Linux/UNIX, but it doesn’t support ALL versions. Here is the link for the Supported UNIX and Linux Operating System Versions, specific to System Center 2012, 2012 SP1, and 2012 R2 Operations Manager.

Review the list, and choose a version you would like to work with. If you are not familiar with UNIX or Linux at all (like myself), I have read that it SUSE Linux Enterprise Server 11 is easier to work with because it has setup wizard, which we Windows-IT folk are more used to.

Now that we have chosen a Linux distribution to use, SUSE 11 in my lab example, we have to obtain the files necessary. Go to the SUSE webpage and navigate to the SUSE Downloads page. In their Basic Search tool, select the appropriate options to find the download. At the time of this writing, the latest version of SUSE is version 11 SP3.

IMPORTANT: You will need to register for a free account before you will be allowed to download the ISOs.

After you have downloaded  the ISOs, we need to create a VM to install it onto. I’m not going to detail how to create a Virtual Machine (VM) in Hyper-V; but if you do need me to detail/document that piece, please email me and I will add it. On my VM, I have mounted the first ISO, and then powered on the VM.

Setup/Installation of SUSE Linux

NOTE: Within the SUSE VM, use the up and down arrows and the Tab key to navigate around, and the Enter key to accept or confirm a selection.

On the setup screen, highlight the Installation option, and then press Enter.

Once the OS loads, on the Welcome screen, change the Language and Keyboard Layout options as desired, then click Next.

On the Media Check screen, click the Start Check button to check the files contained on the ISO. Once the check has completed successfully, click Next.

After the System Analysis runs, you will be on the Installation Mode screen. Choose New Installation and then click Next.

On the Time Zone screen, make the appropriate selection for Region and Time Zone, then click Next.

On the Server Scenario screen, select the “Physical Machine (also for Fully Virtualized Guests” option, then click Next.

One the Installation Summary screen, review the information displayed, and then click Install.

On the Confirm Package License screen, review the information displayed, then click I Agree.

On the Confirm Installation screen, click Install.

Now we can watch the installation being performed. But we’re not done yet.

Configuration of SUSE Linux

After the installation has been completed, we have to perform some configuration steps.

The first configuration you will be prompted with is for the Password for the System Administrator “Root” account. Provide a password and then click Next.

IMPORTANT: This is the most important thing to provide (and remember). The “Root” user account is equal to the Windows Local Administrator account.

On the Hostname screen, provide a name for the computer, and also provide a domain name, then click Next.

IMPORTANT: The domain name provided must NOT be a valid Active Directory domain name. Also ensure that the “Change Hostname via DHCP” option is NOT selected.

On the Network screen, make the appropriate changes as you require, then click Next.

In my lab example, I disabled the Firewall, enabled VNC Remote Administration,

On the Test Internet Connection screen, you can choose the option to “Yes, Test Connection to the Internet” or “No, skip this test“, then click Next.

In my lab example, my VMs are not connected to the Internet, so I chose to skip the test.

On the Network Services Configuration screen, click Next.

On the User Authentication Method screen, you can choose the Authentication Method that you want to use, then click Next.

In my lab example, I used the “Local (/etc/passwd)” option, since this setup is similar to the Windows “Workgroup” type setup.

On the New Local User screen, I am going to create a new account to use with SCOM monitoring, then click Next.

On the Release Notes screen, review the information, then click Next.

On the Hardware Configuration screen, click Next.

Now the installation/configuration is finally complete! Click Finish.

Now you can login to the new Linux installation. Login with the Root account that we setup.

If everything is setup and configured correctly, your home screen should look something like this.

Now that we have a UNIX / Linux system setup, in our next post of this series we will setup SCOM to be able to monitor Linux systems.