
Condensed installation instructions for integrating Splunk and MS Systems Operations Manager (SCOM)


Splunk Add-on for Microsoft System Center Operations Manager


Install Splunk Enterprise on a Linux server that will act as Search Head and Indexer (50 GB license).

Install the SCOM-TA on this Splunk instance.
- Turn on receiving on port 9997.

On a server where a SCOM Operations Monitor runs, install Splunk Enterprise.

- Set up this instance as a Heavy Forwarder:
  1. Log into Splunk Web as admin on the instance that will be forwarding data.
  2. Click Settings > Forwarding and receiving.
  3. Click Add new under Configure forwarding.
  4. Enter the hostname or IP address of the receiving Splunk instance(s), along with the receiving port specified when the receiver was configured. For example, you might enter: To implement load-balanced forwarding, you can enter multiple hosts as a comma-separated list.
  5. Click Save.
- Install the SCOM-TA on this Splunk instance.
- Launch the SCOM-TA configuration App:
  - In the SCOM TA Inputs section you will need to select "Enable" for each input you wish to collect after you have edited its configuration (see here for details).
  - Specify the SCOM Operations Monitor server (localhost) and credentials.
  - Specify an index. The index that you specify on the heavy forwarder must be configured on the Indexer before you enable the inputs.
  - Specify a start date from which to collect the data.
  - Enable the input.
- It could take a while for events to start showing up in your index.
- For errors that occur when PowerShell calls the SCOM scripts, run this search on the Search Head:
  - index=_internal source=*ta_scom.log

An error that I got while monitoring *ta_scom.log:
- New SCOMManagementGroupConnection Fail: The request was aborted: Could not create SSL/TLS secure channel.
- I followed this Answers post:
- PowerShell uses TLS 1.0 by default, and the Splunk web service was configured to use TLS 1.2. I added the following line to \Splunk\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1 at line 10 and it fixed the problem:
  - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Another issue that hit me:
- Searching index=_internal source=*ta_scom.log uncovered this message:
  - "2018-03-14 15:18:39 -04:00 [ log_level=WARN pid=7916 input=_Splunk_TA_microsoft_scom_internal_used_Events ] Execute command 'Get-SCOMTask' failed. The user IN\xxxxxxxx does not have sufficient permission to perform the operation."
- I switched the credentials (on the SCOM-TA) to a SCOM user that had Database reader access and permissions to launch the SCOM command shell. My original SCOM user did not have the necessary privileges.

Then I had SCOM events showing up in my Indexer.

Another Answers post that provides information on the installation/configuration of SCOM:
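The post above suggests watching ta_scom.log for the two failures the author hit. As an added example (not part of the original post or the add-on), here is a small triage script that parses lines in the log layout quoted above and flags those two known signatures; the permission line is the one from the post, and the TLS line and the INFO line are constructed samples in the same layout.

```python
import re
from typing import Optional

# Constructed sample of ta_scom.log. Line 1 is the WARN line quoted in the post
# (username masked); lines 2 and 3 are constructed in the same layout.
SAMPLE_LOG = """\
2018-03-14 15:18:39 -04:00 [ log_level=WARN pid=7916 input=_Splunk_TA_microsoft_scom_internal_used_Events ] Execute command 'Get-SCOMTask' failed. The user IN\\xxxxxxxx does not have sufficient permission to perform the operation.
2018-03-14 15:20:02 -04:00 [ log_level=ERROR pid=7916 input=scom_alerts ] New SCOMManagementGroupConnection Fail: The request was aborted: Could not create SSL/TLS secure channel.
2018-03-14 15:21:10 -04:00 [ log_level=INFO pid=7916 input=scom_alerts ] Execute command 'Get-SCOMAlert' succeeded.
"""

# "<date> <time> <utc offset> [ key=value ... ] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{2}:\d{2}) \[ (?P<fields>[^\]]*) \] (?P<msg>.*)$"
)

# Failure signatures from the post, each paired with the remedy the author applied.
KNOWN_ISSUES = [
    ("tls_channel", "Could not create SSL/TLS secure channel",
     "force TLS 1.2 in scom_command_loader.ps1 via ServicePointManager SecurityProtocol"),
    ("insufficient_permission", "does not have sufficient permission",
     "use a SCOM account with Database reader access and SCOM command shell rights"),
]

def parse_line(line: str) -> Optional[dict]:
    """Split one ta_scom.log line into timestamp, bracketed key=value fields and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"ts": m.group("ts"), "msg": m.group("msg"), **fields}

def classify(msg: str) -> Optional[str]:
    """Return the issue id whose signature appears in the message, or None."""
    for issue, needle, _fix in KNOWN_ISSUES:
        if needle in msg:
            return issue
    return None

def triage(log_text: str) -> list:
    """Return one finding (input, issue, fix) per WARN/ERROR line with a known signature."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("log_level") not in ("WARN", "ERROR"):
            continue
        issue = classify(rec["msg"])
        if issue:
            fix = next(f for i, _n, f in KNOWN_ISSUES if i == issue)
            findings.append({"input": rec.get("input"), "issue": issue, "fix": fix})
    return findings
```

Feed it the output of the index=_internal source=*ta_scom.log search (exported as raw text) to see which input and which known cause each failure maps to.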
