
I'm getting the following error after trying to use the Splunk Add-on for SCOM. I downloaded the add-on, modified inputs.conf and placed it in the local folder as per the documentation.

sshres5
Communicator

User script exception: : {"messages":[{"type":"ERROR","text":"\n In handler 'ta_ms_scom_common_serverinfo': Admin handler 'ta_ms_scom_common_serverinfo' not found."}]}

And I found this in ta_scom.log:
[ERROR] The remote server returned an error: (404) Not Found.
at getSplunkServerVersion, C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1: line 651
at run, C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1: line 584
at , C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1: line 667
at , : line 1
at , : line 46


maciep
Champion

I got that error when I first tried to install the TA on a universal forwarder. But this TA needs to run on a heavy forwarder (or search head, etc.). I believe that particular function is doing a REST call against the box to get the Splunk version.

Do you have it installed on a universal forwarder?


sshres5
Communicator

I completely skipped the add-on for SCOM. Since the evtx file of SCOM is Operations Manager.evtx, we started monitoring it like the other winevent System/Application logs.


sshres5
Communicator

Yes, the server has the universal forwarder installed on it. Is there a way to use it on a universal forwarder, as the servers with SCOM are using the universal forwarder?


maciep
Champion

Not inherently, that I could tell. For example, I think they store the credentials in the REST interface, so you wouldn't be able to do that with a UF.

I just went ahead and built a Windows heavy forwarder and installed the SCOM console on it. And so once the TA was installed, I was able to use the app's web interface to configure servers/credentials/inputs.


sshres5
Communicator

In my case, I won't be able to use a Windows heavy forwarder, as all our search heads are on UNIX systems.

Do you think there might be other ways to collect data from SCOM and feed it to Splunk?


maciep
Champion

Sure, you can probably do something similar to what the TA does: although there seems to be a lot going on with it, it really boils down to running the various SCOM cmdlets to gather data.

So you could create your own scripted inputs to run those cmdlets, e.g. Get-SCOMAlert, Get-SCOMMonitor, Get-SCOMOverride, etc. SCOM has a ton of PowerShell cmdlets available to gather all sorts of data. Or set up scheduled tasks to run those cmdlets and output the results to log files, and just ingest those log files.

Also, if you're familiar with the SCOM database schema and have access to it, you could install the DB Connect app to ingest data directly from the database (personally, I'm not familiar with the database schema).

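A worked version of the "scheduled task writes a log file, the UF monitors it" approach from the reply above, and of the plain `Operations Manager.evtx` monitor mentioned earlier in the thread. This is an added example, not code from the thread or from the Splunk Add-on for SCOM; the paths, sourcetypes, index name, task name and service account are assumptions. It runs on a SCOM management server (or any host with the Operations Manager console, which provides the `OperationsManager` module) that has a universal forwarder installed, pulls alerts modified since a checkpoint, and appends them as one JSON object per line. Run the task under a dedicated account holding only the SCOM Read-Only Operator role, not a SCOM administrator, keep no credential in the script, and restrict the ACL on the output and state directories, since alert descriptions can carry host and application details.

```powershell
<#
  Export-ScomAlerts.ps1  (illustrative example; not part of the Splunk Add-on for SCOM)

  Assumed inputs.conf on the universal forwarder (my paths and sourcetypes):

    [monitor://C:\SplunkScom\logs\scom_alerts.json]
    sourcetype = scom:alert
    index = scom
    disabled = 0

    # The "just monitor Operations Manager.evtx" approach from the thread:
    [WinEventLog://Operations Manager]
    index = scom
    disabled = 0

  Assumed scheduled task (every 5 minutes, as a read-only SCOM operator account):

    schtasks /Create /SC MINUTE /MO 5 /TN "SCOM to Splunk" ^
      /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\SplunkScom\bin\Export-ScomAlerts.ps1" ^
      /RU "CONTOSO\svc_scom_ro" /RP *
#>
[CmdletBinding()]
param(
    [string]$ManagementServer = 'localhost',                                # assumed
    [string]$OutputFile       = 'C:\SplunkScom\logs\scom_alerts.json',     # assumed
    [string]$CheckpointFile   = 'C:\SplunkScom\state\alerts.checkpoint'    # assumed
)

$ErrorActionPreference = 'Stop'
Import-Module OperationsManager   # installed with the SCOM console / management server

# Connect explicitly instead of relying on an implicit default connection.
New-SCOMManagementGroupConnection -ComputerName $ManagementServer | Out-Null

foreach ($p in @($OutputFile, $CheckpointFile)) {
    $dir = Split-Path $p -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Checkpoint = LastModified of the newest alert emitted so far, stored in
# round-trip ("o") format so the DateTime Kind survives and compares correctly.
$since = [datetime]'2000-01-01'
if (Test-Path $CheckpointFile) {
    $since = [datetime]::Parse((Get-Content $CheckpointFile -Raw).Trim(), $null, 'RoundtripKind')
}

# LastModified changes on state transitions (acknowledged, closed, ...), so an
# alert is re-emitted each time it changes and Splunk sees the full lifecycle.
# On a large management group, filter server-side with -Criteria instead.
$alerts = Get-SCOMAlert |
    Where-Object { $_.LastModified -gt $since } |
    Sort-Object LastModified

$newest = $since
$lines  = foreach ($a in $alerts) {
    # Flatten to a stable, Splunk-friendly schema; alert_id lets you dedup per alert.
    [pscustomobject]@{
        time              = $a.LastModified.ToString('o')
        time_raised       = $a.TimeRaised.ToString('o')
        alert_id          = $a.Id.ToString()
        name              = $a.Name
        severity          = $a.Severity.ToString()        # Information / Warning / Error
        priority          = $a.Priority.ToString()        # Low / Normal / High
        resolution_state  = $a.ResolutionState            # 0 = New, 255 = Closed
        is_monitor_alert  = $a.IsMonitorAlert
        monitoring_object = $a.MonitoringObjectDisplayName
        computer          = $a.NetbiosComputerName
        description       = $a.Description
    } | ConvertTo-Json -Compress
    if ($a.LastModified -gt $newest) { $newest = $a.LastModified }
}

if ($lines) {
    # Append-only, UTF-8 without BOM, one JSON event per line for the monitor input.
    $utf8 = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::AppendAllLines($OutputFile, [string[]]$lines, $utf8)
    # Advance the checkpoint only after the write succeeded, so a failed run is replayed.
    Set-Content -Path $CheckpointFile -Value $newest.ToString('o') -NoNewline
}
```

On the Splunk side, set `KV_MODE = json` (or `INDEXED_EXTRACTIONS = json`) and `TIME_PREFIX = "time":"` for the `scom:alert` sourcetype so the event timestamp is the alert's last-modified time rather than the time the file was written. The same pattern works for `Get-SCOMMonitor` or `Get-SCOMOverride` by swapping the cmdlet and the flattened fields.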

sshres5
Communicator

When I modified my inputs.conf in the PowerShell portion with 'commands' for 'groups', I no longer see this. However, I do not see any logs arriving at my Splunk indexer.
