SCOM – Add additional informations to alert custom fields and notifications from extended class

Summary

You have built extended classes in SCOM and fill the extended classes with data from your own built attributes? Now you want to use this data in custom fields from alerts und notifications?

Here is a method with powershell and SCORCH to add data from extended classes to custom fields in SCOM and use this data for custom notifications and other cool stuff.

Description

The script running in my scenario trough a SCORCH runbook. With small changes, the script will also run without SCORCH on a command channel notification.

First you musst declare some variables and values to understand and use the following powershell script.

  • Alert ID (script line 11) $alertID (In my scenario, the SCORCH runbook run only when a specific alert are come up in SCOM.)
  • SCOM management server (script line 14) $hostname (The hostname in FQDN from any of your SCOM management server)
  • Property name of your extended class (script line 60) $className (The display name of your extended class)
  • Value names from your extended class (script lines 61 – 63) $classAttr1, $classAttr2, $classAttr3 (How you can find the value names of your extended class with powershell, is explained in this post.)

The SCORCH runbook

 

The SCORCH runbook are pretty easy to create.

 Create a “Monitor Alert” pattern, with following settings.

Set the filter for “Monitor Alert” to the SCOM (Source) attribute “MonitorObjectDisplayName” or something else that you like to filter from the alert.

Create a “Run .Net Script” pattern and paste the powershell script.

Link the string from the variable $alertID to the published data filed “ID” from the pattern “Monitor Alert”.

Add following string data to the “Published Data” section, to pass the values in to the linked runbook pattern.

Create an “Update SCOM Alert” pattern with the following data.

Link the property “Alert ID” to the published data filed “ID” from the pattern “Monitor Alert”.

Add fields to the properties area that you want to fill with the runbook. In my scenario I fill the custom fields 1-3.

Link the selected fields to the passed variables from the “Run .Net Script” pattern.

Link the created patterns and voilà, the runbook are complete.

The powershell script

The script collect the values from your extended class and write the values in the custom fields to the original alert. (How you can find the value names of your extended class with powershell, is explained in this post.)

EventLog entry
The powershell script  create on line 26 an Event Log entry on the SCOM management server, to check whether the runbook was started. When you dont need this, comment it out.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
####################################################################################
#  Title:       Custom fileds alert update script SCORCH
#  Description: Collect additional informations from extended class and write back
#               to the defined custom fields from original alert
#  Version:     1.3/roe
#  Date/Time:   05.09.2017 / 09:42
#  Developer:   Beat
####################################################################################

#Alert ID SCORCH value
$alertID = "Alert ID or runbook pattern link"

#SCOM MGM server for connection
$hostname = "scommgmsrv.domain.com"

#Declared variables for script
$arguments = "$alertID"
$password = ConvertTo-SecureString "*********" -AsPlainText -Force
$username = "DOMAIN\username"
$credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
$session = New-PSSession -credential $credentials -ComputerName $hostname
$result = Invoke-Command -Session $session -ScriptBlock {$alertIDInv=$args[0]

#Begin script block "$alertIDInv"
#Write EventLog on SCOM management server "$hostname"
Write-EventLog -EntryType Success -LogName Application -Source SCOMScript -EventId 1000 -Message "Powershell script - SCORCH update custom fields - executed, Alert ID = $alertIDInv"

#Check if the operations manager module is loaded
$checksnap = Get-Module | Where-Object {$_.name -eq "OperationsManager"};
if ($checksnap.name -ne "OperationsManager")
 {
 Import-Module OperationsManager;
 }

#Convert the alert ID and get the alert
$newalert = Get-SCOMAlert -Criteria "Id = '$alertIDInv'";
#Get the alert source server
$server= $newalert.principalname;

#Declare object to pass variable ot of script block "$alertIDInv"
new-object pscustomobject –property @{
 server = $server
 alertIDInv = $alertIDInv
 }
 
#Argument list to pass in to the script block "$serverInv"
} -ArgumentList $arguments
#Close PS session from script block "$alertIDInv"
Remove-PSSession $session

#Declare Variables for script block "$serverInv"
$serverInv = $result.server
$alertIDInv = $result.alertIDInv
$argumentsInv = "$serverInv"
$session = New-PSSession -credential $credentials -ComputerName $hostname
$resultReg = Invoke-Command -Session $session -ScriptBlock {$serverInv=$args[0]

#Begin Script Block "$serverInv"
#***************Begin variables***************
$className = "Windows Computer Extended Attribute"
$classAttr1 = "AttributeDiscoveryGeneratedByUI843f4fa102e24b2791be3ccce9441e92"
$classAttr2 = "AttributeDiscoveryGeneratedByUIc16fe093d54846159a5f620545143277"
$classAttr3 = "ActiveDirectorySite"
#****************End variables****************

$class = Get-SCOMClass | WHERE {$_.Displayname -eq $className}
$SCOMExAttr = Get-SCOMClassInstance -Class $class | WHERE {$_.Displayname -eq "$serverInv"}

$serverFunctionSCOM = $SCOMExAttr.psobject.properties | % {if($_.Name -like "*$classAttr1*"){$_.value.value}}
$serverTypeSCOM = $SCOMExAttr.psobject.properties | % {if($_.Name -like "*$classAttr2*"){$_.value.value}}
$serverOUSiteSCOM = $SCOMExAttr.psobject.properties | % {if($_.Name -like "*$classAttr3"){$_.value.value}}

#Test content of variables
Write-Host $serverFunctionSCOM
Write-Host $serverTypeSCOM
Write-Host $serverOUSiteSCOM

#Declare object to pass variable ot of script block "$serverInv"
new-object pscustomobject –property @{
 ServerFunctionSCOM = $serverFunctionSCOM
 ServerOUSiteSCOM = $serverOUSiteSCOM
 ServerTypeSCOM = $serverTypeSCOM
 }

#Argument list to pass in to the script
} -ArgumentList $argumentsInv
#Close PS Session from script block "$serverInv"
Remove-PSSession $session

#Transform informations for SCOM custom fields variables
$serverFunctionSCOM = $resultReg.ServerFunctionSCOM
$serverOUSiteSCOM = $resultReg.ServerOUSiteSCOM
$serverTypeSCOM = $resultReg.ServerTypeSCOM
$serverDomainSCOM = $resultReg.ServerDomainSCOM

Result

When the triggered alert shows up in SCOM the created runbook will run and add the values in the custom fields.

Important to know: When you have a lot of data in your extended class, the powershell script take a little bit longer then thought. If the values in notifications are needed, configure the delay for sending the notification to 1 minute.

If the runbook has updated the alert, the “Last Modified By” data switch from System to the SCORCH service account.

Now the custom fields are filled up with the values from your extended class.