SCOM Activity Log
Wait, what? An activity log in SCOM? Did I read that right?
You sure did! If you haven’t heard it yet, Microsoft recently published some auditing reports as part of SCOM 2019 UR2 that enable you to track management pack actions, override tracking, management pack objects, etc. The official Microsoft release notes are here:
SCOM UR2 auditing reports
Auditing has been a long-awaited feature request for SCOM and now we can finally see it happening. These reports are very useful, and sure give you the power of surveillance over different aspects of your SCOM deployment. Here are the three new reports, and what they do:
Management Pack History:
This report shows all the management packs which are either installed or deleted on SCOM management servers.
Management Pack Objects:
This report lists down the newly added/deleted management pack objects on the SCOM management server. This report also shows the edits which happened on the MP objects.
This report shows Overrides configured in or applied to selected management packs over time.
The reports in themselves work quite well, but at the end of the day, that’s what they are – they’re reports. You must install the reporting component (if you haven’t already), give the report parameters like a specific date and time range, and the report gets run. Problem with that? They’re not real time.
That had me wondering, it sure would be very convenient if I could somehow see them as a rolling log of activities happening, whenever any actions happen. In other words, an Activity Log like we have for Azure resources.
Real-time SCOM Activity Log
As always SquaredUp stepped in to help and I figured I could leverage the “SQL tile” in SquaredUp to query the database tables where the auditing records are stored and show them in a dashboard. Since SquaredUp runs the query every minute, I’ll essentially have a real-time Activity Log for all the actions happening across my SCOM deployment!
Introducing to you – The SCOM Auditing Dashboard Pack.
This dashboard pack gives you the rolling log of the three auditing reports mentioned above, so you can quickly glance over them and see what’s happening currently. For a more detailed and archival data, you can either export the dashboard from SquaredUp, or run the reports from SCOM as usual.
Let me quickly demonstrate how this works.
First, I will create a new monitor, called “My monitor” and save it in a new Management Pack, (very creatively) named “My MP”.
There it is, my monitor is ready!
Now, let’s switch over to SquaredUp and see if my new dashboards have something interesting to show me.
My management pack history dashboard has already picked it up!
Next, onto the Management Pack Objects dashboards. Let’s see if the new monitor has made an entry. And indeed, it has.
Now let’s make an override to the parameters of this monitor and see if our Overrides Tracking dashboard picks it up.
The monitor was turned off by default, and now I’ve enabled it for a specific class via an override. I’ve also changed the alert severity of the alert.
There it is! The records have been added to the dashboard, pretty much in real-time.
Awesome stuff. Hopefully this will help all the SCOM administrators out there who’re struggling to manage SCOM auditing and overlook configuration changes being performed.
TL;DR: SCOM 2019 UR2 + SquaredUp = SCOM Activity Log!
Special shoutout to Shawn for helping me with the queries!