
Condensed installation instructions for integrating Splunk and MS Systems Operations Manager (SCOM)

bbrothers_splun
Splunk Employee

Splunk Add-on for Microsoft System Center Operations Manager

https://splunkbase.splunk.com/app/2729/

Documentation: http://docs.splunk.com/Documentation/AddOns/latest/MSSCOM/About

Install Splunk Enterprise on a Linux server that will act as Search Head and Indexer (50 GB license).

Install the SCOM-TA (https://splunkbase.splunk.com/app/2729/) on this Splunk instance.
- Turn on Receiving – Port 9997

On a server where a SCOM Operations Monitor runs, install Splunk Enterprise.

- Set up this instance as a Heavy Forwarder:
  1. Log into Splunk Web as admin on the instance that will be forwarding data.
  2. Click Settings > Forwarding and receiving.
  3. Click Add new at Configure forwarding.
  4. Enter the hostname or IP address for the receiving Splunk instance(s), along with the receiving port specified when the receiver was configured. For example, you might enter: receivingserver.com:9997. To implement load-balanced forwarding, you can enter multiple hosts as a comma-separated list.
  5. Click Save.
- Install the SCOM-TA on this Splunk instance.
- Launch the SCOM-TA configuration App.
  - In the SCOM TA Inputs section you will need to select "Enable" for each input you wish to collect after you have edited its configuration (see here for details: http://docs.splunk.com/Documentation/AddOns/released/MSSCOM/Configureinputs).
  - Specify the SCOM Operations Monitor server (localhost) and credentials.
  - Specify an index.
    - The index that you specify on the heavy forwarder must be configured on the Indexer before you enable the inputs.
  - Specify a start date to collect the data.
  - Enable the Input.
- It could take a while for events to start showing in your index.
- For errors that occur when PowerShell calls the SCOM scripts, monitor:
  - index=_internal source=*ta_scom.log
  - Run this on the Search Head.

An error that I got while monitoring *ta_scom.log:
- New SCOMManagementGroupConnection Fail: The request was aborted: Could not create SSL/TLS secure channel.
- I followed this Answers post:
  - https://answers.splunk.com/answers/561941/new-scommanagementgroupconnection-fail-the-request.html
- PowerShell uses TLS 1.0 by default, and the Splunk web services were configured to use TLS 1.2. I added the following line to \Splunk\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1 at line 10 and it fixed the problem:
  - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Another issue that hit me:
- The search index=_internal source=*ta_scom.log uncovered this message:
  - "2018-03-14 15:18:39 -04:00 [ log_level=WARN pid=7916 input=_Splunk_TA_microsoft_scom_internal_used_Events ] Execute command 'Get-SCOMTask' failed. The user IN\xxxxxxxx does not have sufficient permission to perform the operation."
  - I switched the credentials (on the SCOM-TA) to a SCOM user that had Database reader access and permission to launch the SCOM command shell. My original SCOM user did not have the necessary privileges.

Then I had SCOM events showing up in my Indexer.

Another Answers post that provides information on the installation/configuration of SCOM:
https://answers.splunk.com/answers/579862/trouble-configuring-the-forwarder-when-integrating.html
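The TLS mismatch described in the post above can be checked and fixed from a PowerShell session before enabling the SCOM inputs. The script below is an added example written for this page, not code from the original post or from the Splunk Add-on for SCOM: it shows the protocol set the .NET stack in the current session will negotiate, adds TLS 1.2 to that set, and probes a TLS handshake against the Splunk management port to confirm the channel can be created. The host name and port are placeholders (assumptions, not values from the post).

```powershell
# Added example (not from the original post or the SCOM add-on).
# Assumes a Splunk instance reachable at $SplunkHost on its management
# port; both values are placeholders you must replace.
$SplunkHost = 'splunk-indexer.example.local'   # placeholder
$SplunkPort = 8089                             # Splunk management port (default)

# What this session negotiates today. On older Windows PowerShell hosts the
# default set does not include Tls12, which is what produces the
# "Could not create SSL/TLS secure channel" error seen in ta_scom.log.
Write-Host "Before: $([Net.ServicePointManager]::SecurityProtocol)"

# Add TLS 1.2 to the allowed set with a bitwise OR. The one-liner in the
# post assigns Tls12 outright, which restricts the session to TLS 1.2 only
# (the stricter choice); OR-ing keeps any protocol the host already allows.
[Net.ServicePointManager]::SecurityProtocol = `
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

Write-Host "After:  $([Net.ServicePointManager]::SecurityProtocol)"

# Diagnostic handshake against the Splunk management port. Certificate policy
# errors (for example a self-signed Splunk certificate) are reported rather
# than treated as fatal so the negotiated protocol can still be displayed;
# do not reuse this callback outside a diagnostic probe.
$validator = [Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    if ($errors -ne [Net.Security.SslPolicyErrors]::None) {
        Write-Warning "Certificate policy errors: $errors"
    }
    $true
}

try {
    $client = New-Object Net.Sockets.TcpClient($SplunkHost, $SplunkPort)
    $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false, $validator)
    $ssl.AuthenticateAsClient($SplunkHost)
    Write-Host "Negotiated $($ssl.SslProtocol) with ${SplunkHost}:$SplunkPort"
}
catch {
    Write-Warning "TLS handshake failed: $($_.Exception.Message)"
}
finally {
    if ($ssl)    { $ssl.Dispose() }
    if ($client) { $client.Dispose() }
}
```

Run it in the same PowerShell host that the add-on's scripts use; the protocol setting applies per process, which is why the post places the assignment inside scom_command_loader.ps1 rather than in a separate session. If the handshake still fails after Tls12 is present, the cause is on the Splunk side (the configured cipher suites or certificate) rather than the PowerShell default.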
