
Condensed installation instructions for integrating Splunk and Microsoft System Center Operations Manager (SCOM)

Splunk Employee

Splunk Add-on for Microsoft System Center Operations Manager

https://splunkbase.splunk.com/app/2729/

Documentation: http://docs.splunk.com/Documentation/AddOns/latest/MSSCOM/About

Install Splunk Enterprise on a Linux server that will act as the Search Head and Indexer (50 GB license).

Install the SCOM-TA (https://splunkbase.splunk.com/app/2729/) on this Splunk instance.
- Turn on receiving on port 9997.

On the server where SCOM Operations Manager runs, install Splunk Enterprise.

- Set up this instance as a heavy forwarder:
o 1. Log into Splunk Web as admin on the instance that will be forwarding data.
o 2. Click Settings > Forwarding and receiving.
o 3. Click Add new under Configure forwarding.
o 4. Enter the hostname or IP address of the receiving Splunk instance(s), along with the receiving port specified when the receiver was configured. For example, you might enter: receivingserver.com:9997. To implement load-balanced forwarding, enter multiple hosts as a comma-separated list.
o 5. Click Save.
- Install the SCOM-TA on this Splunk instance.
- Launch the SCOM-TA configuration App.
o In the SCOM TA Inputs section you will need to select "Enable" for each input you wish to collect after you have edited its configuration (see here for details: http://docs.splunk.com/Documentation/AddOns/released/MSSCOM/Configureinputs).
o Specify the SCOM Operations Manager server (localhost) and credentials.
o Specify an index. The index that you specify on the heavy forwarder must be configured on the Indexer before you enable the inputs.
o Specify a start date from which to collect the data.
o Enable the input.
- It could take a while for events to start showing up in your index.
- For errors that occur when PowerShell calls the SCOM scripts, monitor:
o index=_internal source=*ta_scom.log
o Run this search on the Search Head.

An Error that I got while monitoring the *tascom.log:
- New SCOMManagementGroupConnection Fail: The request was aborted: Could not create SSL/TLS secure channel.
- I followed Answers post:
o https://answers.splunk.com/answers/561941/new-scommanagementgroupconnection-fail-the-request.html
- PowerShell uses TLS 1.0 as default, and the Splunk web services were configured to use TLS 1.2. I added the following line to \Splunk\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1 at line 10 and it fixed the problem:
o [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Another issue that hit me:
- index=_internal source=*ta_scom.log uncovered this message:
o "2018-03-14 15:18:39 -04:00 [ loglevel=WARN pid=7916 input=SplunkTAmicrosoftscominternalusedEvents ] Execute command 'Get-SCOMTask' failed. The user IN\xxxxxxxx does not have sufficient permission to perform the operation."
o I switched the credentials (on the SCOM-TA) to a SCOM user that had database reader access and permissions to launch the SCOM command shell. My original SCOM user did not have the necessary privileges.

Then I had SCOM events showing up in my Indexer.

Another Answers post that provides information on the installation/configuration of SCOM:
https://answers.splunk.com/answers/579862/trouble-configuring-the-forwarder-when-integrating.html

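A preflight check, in PowerShell, that exercises the three failure points described above before the inputs are enabled: TLS 1.2 for the add-on's calls to Splunk's HTTPS management port, reachability of the indexer's receiving port, and whether the account configured in the SCOM TA can open a management group connection and run Get-SCOMTask. This is an added example, not code from the original post or from the add-on itself. It assumes it is run on the SCOM management server where the heavy forwarder and the OperationsManager PowerShell module are installed; the receiver hostname, receiving port and SCOM server name are placeholders taken from the steps above and should be replaced with your own values.

```powershell
# Preflight for the Splunk Add-on for Microsoft SCOM on a heavy forwarder.
# Added example, not part of the original post or of the add-on.
# Run in an elevated PowerShell session on the SCOM management server.
# Assumptions: the defaults below are placeholders, not values from the post
# beyond the receivingserver.com:9997 example and the "localhost" SCOM server.
param(
    [string]$Receiver     = 'receivingserver.com',   # indexer that has receiving turned on
    [int]   $ReceiverPort = 9997,                     # receiving port configured on the indexer
    [string]$ScomServer   = 'localhost',              # the TA is pointed at the local management server
    [pscredential]$ScomCredential = (Get-Credential -Message 'Account configured in the SCOM TA inputs')
)

# 1. TLS: the TA's PowerShell scripts call Splunk's HTTPS management port.
#    Windows PowerShell defaults to SSL3/TLS 1.0, so a Splunk instance that
#    only accepts TLS 1.2 fails with "Could not create SSL/TLS secure channel".
#    Add TLS 1.2 to the session's protocol set rather than replacing it.
$before = [Net.ServicePointManager]::SecurityProtocol
[Net.ServicePointManager]::SecurityProtocol = $before -bor [Net.SecurityProtocolType]::Tls12
$tlsOk = ([Net.ServicePointManager]::SecurityProtocol -band [Net.SecurityProtocolType]::Tls12) -ne 0
Write-Host ("TLS 1.2 enabled in this session: {0} (was: {1})" -f $tlsOk, $before)

# 2. Can this forwarder reach the indexer's receiving port at all?
$net = Test-NetConnection -ComputerName $Receiver -Port $ReceiverPort -WarningAction SilentlyContinue
Write-Host ("Receiver {0}:{1} reachable: {2}" -f $Receiver, $ReceiverPort, $net.TcpTestSucceeded)

# 3. Can the TA's account open a management group connection and run the
#    cmdlets the inputs use? Get-SCOMTask is the call that failed in the post
#    with "does not have sufficient permission to perform the operation".
Import-Module OperationsManager -ErrorAction Stop
$scomOk = $false; $taskOk = $false; $taskCount = 0
try {
    New-SCOMManagementGroupConnection -ComputerName $ScomServer -Credential $ScomCredential -ErrorAction Stop | Out-Null
    $scomOk = $true
    $tasks = Get-SCOMTask -ErrorAction Stop   # uses the connection just created
    $taskCount = @($tasks).Count
    $taskOk = $true
} catch {
    Write-Warning ("SCOM check failed: {0}" -f $_.Exception.Message)
}

# Summary object; ReadyToEnable is True only when every check passed.
[pscustomobject]@{
    Tls12Enabled      = $tlsOk
    ReceiverReachable = $net.TcpTestSucceeded
    ScomConnected     = $scomOk
    GetSCOMTaskOk     = $taskOk
    TaskCount         = $taskCount
    ReadyToEnable     = ($tlsOk -and $net.TcpTestSucceeded -and $scomOk -and $taskOk)
}
```

Unlike the one-line fix quoted in the post, which sets the session's protocol list to TLS 1.2 only, the script ORs TLS 1.2 into whatever is already enabled; both satisfy a Splunk instance that accepts only TLS 1.2, and the OR form avoids breaking any other endpoint the session still needs. A result with ScomConnected True but GetSCOMTaskOk False reproduces the second issue above (the account can reach the management group but lacks the rights the inputs need), and the index named in the TA inputs still has to exist on the indexer before the inputs are enabled.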