A couple of weeks ago I used the SCSM SCOM Alert Connector. With this connector, alerts from SC Operations Manager are synced to SC Service Manager, and incidents are created based on an Incident Template. You can create rules in SCSM to specify which Incident Template is used for which alerts, but that is all you can do on the SCSM side: an incident is created for every alert that comes through the connector. We all know that SCOM can be a bit noisy, so how can we filter the SCOM Alert Connector?
When the Alert Connector is added to SCSM and initialized for the first time, a subscription is created in the product connector in SCOM. This subscription determines whether or not an alert is sent to SCSM. The subscription is your starting point for filtering alerts in the SCOM Alert Connector:
You can filter on the following:
- Approved Groups (You can specify from which groups alerts are sent to SCSM)
- Approved Targets (You can specify from which targets alerts are sent to SCSM)
- Criteria (You can specify alert criteria for the alerts which are sent to SCSM)
With the above options you can configure some filtering, but most of the time they do not completely fit the requirements. So if you want to do more in-depth filtering on the alerts that are sent to SCSM, you have to look into other solutions. In this blog post I want to present a solution which I created. This solution uses System Center Orchestrator for filtering. The solution consists of the following steps:
- SC Orchestrator Runbook which monitors new alerts;
- SC Orchestrator Runbook which evaluates the filtering rules;
- SC Orchestrator Runbook which updates the Alert with a specially configured Resolution State;
- SC Operations Manager Connector Criteria filter based on the configured Resolution State
Let us first look at the requirements for this solution. We need to have the correct version of the SC Operations Manager Integration Pack installed on the Orchestrator environment. More information can be found here. Once the OpsMgr IP is installed, we can start the Runbook Designer on the Orchestrator Server. In this example I’m going to create a filter based on alerts from specific Management Packs.
- The first step is to use the ‘Monitor Alert’ Activity. Configure this activity to monitor on New Alerts.
- The next step is to add a ‘Get Alert‘ activity to the runbook. In my case this activity was needed to get some ‘extra’ information from an alert. The Management Pack Name parameter is not filled by the Monitor Alert activity, so to get that information I had to use this extra step.
- The next step is to add the ‘Read Lines’ activity. This activity reads an external file which holds the list of ‘allowed’ management packs.
- The fourth step is to add a ‘Compare Values’ activity. This activity compares the Management Pack name from the ‘Get Alert’ activity with the list of Management Packs from the ‘Read Lines’ activity. If there is a match, the runbook continues to the fifth step.
- The last step in the runbook is an ‘Update Alert‘ activity. This activity updates the alert with a ‘special’ Resolution State. This Resolution State first needs to be created in SCOM.
The above image shows the runbook we have created. The last step is to configure the SCOM Alert Connector to only send alerts which have the specially configured Resolution State. Based on this Resolution State, alerts will be sent through the connector to SC Service Manager.
In the above example we have made a filter based on the Management Pack Name of an alert, but we can also create filters based on specific times of an alert or names of an alert, or we can correlate SCOM alerts based on criteria. So by using SC Orchestrator we have a lot of capabilities for configuring additional filters on the SCSM SCOM Alert Connector.
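The runbook logic described above, written as a PowerShell script against the OperationsManager module. This is an added example, not the author's runbook: it polls for new alerts instead of reacting to them, so it is meant to run on a schedule, and the server name, allow-list path, and Resolution State code and name are assumed placeholder values.

```powershell
# Added example: script equivalent of the five runbook steps (not from the original post).
# All four values below are assumptions; replace them with your own.
$ManagementServer       = 'scom-ms01.example.local'    # hypothetical management server
$AllowListPath          = 'C:\Filters\AllowedMPs.txt'  # hypothetical file, one MP name per line
[byte]$ForwardStateCode = 15                           # hypothetical custom Resolution State code
$ForwardStateName       = 'Forward to SCSM'            # hypothetical Resolution State name

Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $ManagementServer

# Prerequisite of the last step: the custom Resolution State must exist in SCOM.
if (-not (Get-SCOMAlertResolutionState -ResolutionStateCode $ForwardStateCode)) {
    Add-SCOMAlertResolutionState -Name $ForwardStateName -ResolutionStateCode $ForwardStateCode
}

# 'Read Lines': load the allowed Management Pack names, ignoring blank lines.
$allowed = @(Get-Content -Path $AllowListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ })

# An empty allow-list would silently stop every incident, so stop loudly instead.
if ($allowed.Count -eq 0) {
    throw "Allow-list '$AllowListPath' is empty; no alert would reach SCSM."
}

# 'Monitor Alert': Resolution State 0 is 'New'.
$newAlerts = Get-SCOMAlert -ResolutionState 0

foreach ($alert in $newAlerts) {
    # 'Get Alert': the alert does not carry the MP name, so resolve the
    # rule or monitor that raised it and ask that workflow for its MP.
    $workflow = if ($alert.IsMonitorAlert) {
        Get-SCOMMonitor -Id $alert.RuleId
    } else {
        Get-SCOMRule -Id $alert.RuleId
    }
    if (-not $workflow) {
        Write-Warning "No workflow found for alert $($alert.Id); left in state New."
        continue
    }
    $mpName = $workflow.GetManagementPack().Name

    # 'Compare Values' then 'Update Alert': -contains is case-insensitive.
    if ($allowed -contains $mpName) {
        $alert | Set-SCOMAlert -ResolutionState $ForwardStateCode `
            -Comment "Allow-listed MP '$mpName'; forwarded to SCSM."
    }
}
```

Alerts that do not match stay in the New state and are never picked up by the connector, so they still need an owner in SCOM.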
Thanks to Oskar Landman for working with me on finding a solution for the filtering capabilities!
2 thoughts on “Filtering the SCSM SCOM Alert Connector”
Nice article and thanks for sharing your solution. I had the same requirement in the past (filtering alerts to ticketing systems). In the end, I used SCOM Alert update collector; wondering if you have tried it? You can configure each individual alert generating workflow by using the alert update connector.
Never used the SCOM Alert Update Collector, I will contact you offline about this option.