How to install and configure SCOM - System Center Operation Manager integration?

tmarlette
Motivator

I am attempting to install the SCOM app using a universal forwarder on the SCOM box, and so far this is what I have done.

This is what I have:
1. SCOM server has a UF on it
   a. powershell add-on installed by DS
   b. SCOM add-on installed by DS
   c. Has .NET 3.5 and Powershell 2
2. Search Head doesn't see any data
   a. powershell add-on installed through UI
   b. SCOM add-on installed through UI

My Problem:
No SCOM data hits the index, though the UF is currently configured to send data directly to the indexers. We ARE receiving data for OS level metrics but not SCOM, which is what we are trying to install. Also, when I'm running the Powershell scripts manually, I get errors. I am including them.

Here are the errors I am getting when I attempt to run the commands as admin in Powershell:
Question1:
How do I get the UF on the SCOM machine to send data to the Indexing tier?

Other Comments / Questions:
On a heavy forwarder, I have installed all of the components for SCOM (powershell / SCOM add-ons) as well as configured them; however, I don't see anyplace for me to set my 'SCOM server' within settings / configurations for the app to pull the data from. Linux obviously won't run powershell by default, so I was also curious about how this actually works?

  1. Does the Heavy forwarder collect data from the SCOM?
  2. Does the Heavy Forwarder just transform the data before it hits the indexers, and scripts are still run locally on the SCOM machine?
     a. If that's true, will I need to change my outputs.conf for the SCOM machine for ALL data types, and start sending data to the HF instead of the indexing tier?

1 Solution

tmarlette
Motivator

Yes. The Powershell script itself that was written by Splunk has a variable in it that is not set properly. We had to adjust the powershell script to account for this, and then it works fine.

It's been a while, but if I remember right, it has a hard time with the way it handles the different objects / categories written within the .conf file. That variable within the powershell script is the one that causes the issue.

0 Karma

sshres5
Communicator

I deployed it to one of the SCOM servers with a UF. I configured the inputs.conf and am getting
[ERROR] The remote server returned an error: (404) Not Found.
at getSplunkServerVersion, C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1: line 651
in ta_scom.log.

Also, based on the documentation, the add-on needs to be installed on the search head too, and needs to be on Windows. Is your search head on Windows? Is it possible to use it on a UNIX search head?

I am wondering if anyone has just used powershell to get alerts and events, and used it as part of a regular TA.

0 Karma

tmarlette
Motivator

My search head is Linux, and that works just fine. The add-on needs to be on the search head to parse the data, but it has nothing to do with the powershell function of this. You can actually deploy to your search head and delete the inputs.conf on your search head in the app as it's unnecessary.

As a suggestion to resolve:
1. Try running the powershell script with the parameters in the .conf file manually via powershell on the machine.

If it works, it's not the script, it's permissions or something else. If it doesn't, then the script could be busted.

0 Karma
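
For the manual test suggested above, the script and parameters have to be read out of the add-on's inputs.conf first. The following is an added example, not part of the original post and not code from the Splunk add-on: a read-only listing that assumes the inputs are defined in `[powershell://...]` stanzas with `script` and `schedule` keys (Splunk's PowerShell input format), and takes the app path from the error message quoted in this thread.

```powershell
# Added example: read-only listing of the add-on's PowerShell inputs on this forwarder.
# $AppDir comes from the error message in this thread; adjust it to your install.
$AppDir = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-scom'

function Read-InputsConf([string]$Path) {
    # Parse a Splunk .conf file into: stanza name -> hashtable of key/value pairs.
    # Assumption: no backslash line continuations (they are not handled here).
    $stanzas = @{}
    if (-not (Test-Path $Path)) { return $stanzas }
    $current = $null
    foreach ($line in Get-Content $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $matches[1]
            if (-not $stanzas.ContainsKey($current)) { $stanzas[$current] = @{} }
        } elseif ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $stanzas[$current][$matches[1]] = $matches[2]
        }
    }
    return $stanzas
}

# Splunk layers local\ over default\ key by key, so merge in that order.
$merged = Read-InputsConf (Join-Path $AppDir 'default\inputs.conf')
$local  = Read-InputsConf (Join-Path $AppDir 'local\inputs.conf')
foreach ($name in $local.Keys) {
    if (-not $merged.ContainsKey($name)) { $merged[$name] = @{} }
    foreach ($key in $local[$name].Keys) { $merged[$name][$key] = $local[$name][$key] }
}

foreach ($name in ($merged.Keys | Sort-Object)) {
    if ($name -notlike 'powershell://*') { continue }
    $s = $merged[$name]
    $state = 'enabled'
    if ($s['disabled'] -match '^(1|true)$') { $state = 'disabled' }
    Write-Output ("[{0}] ({1})" -f $name, $state)
    Write-Output ("  schedule = {0}" -f $s['schedule'])
    Write-Output ("  script   = {0}" -f $s['script'])
}
```

The `script` value printed for each enabled stanza is the command line to run by hand in an elevated PowerShell session on the SCOM server; an empty listing means no PowerShell input is defined in that app directory.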

agupta2607
New Member

Hi, can you please provide some information regarding the changes you made to get the logs in Splunk?

We already have a UF installed on the SCOM server.

Thanks
Ajay

0 Karma

cpetterborg
SplunkTrust

Have you ever figured this out? I have almost the same problem. Our SE says that it is a known problem and he is trying to find the solution to this problem, but if you have the answer, so much the better. If I find an answer, I'll be sure we get it documented here.

0 Karma