On a server where a SCOM Operations Monitor runs, install Splunk Enterprise.
- Set up this instance as a Heavy Forwarder
o Log into Splunk Web as admin on the instance that will be forwarding data.
o 2. Click the Settings > Forwarding and receiving.
o 3. Click Add new at Configure forwarding.
o 4. Enter the hostname or IP address for the receiving Splunk instance(s), along with the receiving port specified when the receiver was configured. For example, you might enter: receivingserver.com:9997. To implement load-balanced forwarding, you can enter multiple hosts as a comma-separated list.
o 5. Click Save.
- Install the SCOM-TA on this Splunk instance.
- Launch the SCOM-TA configuration App.
o in the SCOM TA Inputs section on you will need to select "Enable" for each input you wish to collect after you have edited its configuration. (see here for details: http://docs.splunk.com/Documentation/AddOns/released/MSSCOM/Configureinputs)
o Specify SCOM Operations Monitor server (localhost) and credentials
o Specify an index
index that you specify on the heavy forwarder must be configured on the Indexer before you enable the inputs.
o Specify a start date to collect the data.
o Enable the Input
- It could take awhile for events to start showing in your index.
- For errors that occur when PowerShell calls the SCOM scripts, monitor:
o index=internal source=*tascom.log
o Run this on the Search Head
An Error that I got while monitoring the *tascom.log:
- New SCOMManagementGroupConnection Fail: The request was aborted: Could not create SSL/TLS secure channel.
- I followed Answers post:
- PowerShell uses TLS 1.0 as default, and the Splunk web services was configured to use TLS 1.2. I added the following line to \Splunk\etc\apps\SplunkTAmicrosoft-scom\bin\scomcommand_loader.ps1 at line 10 and it fixed the problem:
o [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Another issue that hit me:
- index=internal source=*tascom.log, uncovered this message:
o "2018-03-14 15:18:39 -04:00 [ loglevel=WARN pid=7916 input=SplunkTAmicrosoftscominternalusedEvents ] Execute command 'Get-SCOMTask' failed. The user IN\xxxxxxxx does not have sufficient permission to perform the operation.
I switch to credentials (on the SCOM-TA) to a SCOM user that had Database reader access and permissions to launch the SCOM command shell. My original SCOM user did not have the necessary privileges.