Friday, November 22, 2013

SCOM Linux Agents

This is part four of a series of articles about SCOM.

How to deploy

Before SCOM 2012 SP1, if you did not have one of the supported Linux versions, such as Red Hat or SUSE, it was hard to deploy a Linux agent. Nowadays, with the new management packs, it is much easier.
This article summarizes the installation and basic troubleshooting on Linux systems, but it could also be useful for Unix agents.



To deploy a Linux agent, you have to install the management packs for your distribution. The management packs are on the SCOM DVD.
Once the management packs are installed, you have to do some checks on the Linux machine.
These checks are:
  • Connectivity
  • DNS
  • User accounts
  • Create a resource pool
  • Runas accounts and profiles
  • Certificates
  • Manual agent approval

Connectivity

Make sure that port 1270 and the SSH port are open between the SCOM machine and the Linux machine.
On CentOS/Red Hat, you can do something like this to open the SCOM port in the firewall, where 192.168.1.2 is the IP of the SCOM machine:
# Accept TCP connections from the SCOM server to the agent port (1270); -j ACCEPT is the rule's action
iptables -I INPUT 1 -p tcp -s 192.168.1.2 --dport 1270 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/service iptables save

DNS

You must have forward and reverse records for the Linux machine in the DNS servers that are configured on the SCOM machine.

User accounts

You can run the agent as root, but it is recommended to create a dedicated account with enough permissions instead.
For example, you can add a new account called scomservice to the sudoers file, as shown in this line:
scomservice ALL=(root) NOPASSWD: ALL
You can use a password or a certificate to authenticate with this account.
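
The sudoers entry above lets scomservice run any command as root without a password, so it helps to know which accounts on a host carry such a rule. The following is an added example, not part of the original article: a simplified sudoers check that reports rules granting ALL commands to a given account. The accounts scomlimited and scommixed and the path /usr/local/bin/example-agent-ctl are hypothetical names used for contrast.

```python
import re

# Sudoers user specification: user  hosts = (runas) [TAG:] cmd, [TAG:] cmd ...
RULE = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

def audit_sudoers(text, account):
    """Return (line_no, runas, nopasswd) for every rule that lets `account` run ALL commands.

    Simplified parser: no aliases, groups, includes, line continuations or escaped commas.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m or m.group(1) != account:
            continue
        runas = m.group(3) or "root"   # sudo runs as root when no runas list is given
        nopasswd = False               # a password is required unless a tag says otherwise
        for item in m.group(4).split(","):
            item = item.strip()
            # Tags apply to this command and carry over to the commands after it.
            while (tag := TAG.match(item)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
            if item == "ALL":
                findings.append((line_no, runas, nopasswd))
    return findings

# Constructed sample. Line 2 is the entry from the article; "scomlimited", "scommixed"
# and /usr/local/bin/example-agent-ctl are hypothetical.
SAMPLE = """\
Defaults:scomservice !requiretty
scomservice ALL=(root) NOPASSWD: ALL
scomlimited ALL=(root) NOPASSWD: /usr/local/bin/example-agent-ctl restart
scommixed   ALL=(root) NOPASSWD: /usr/local/bin/example-agent-ctl status, PASSWD: ALL
"""

if __name__ == "__main__":
    for acct in ("scomservice", "scomlimited", "scommixed"):
        for line_no, runas, nopasswd in audit_sudoers(SAMPLE, acct):
            how = "without a password" if nopasswd else "after a password prompt"
            print(f"line {line_no}: {acct} may run ANY command as {runas} {how}")
```

An empty result for an account means none of its rules grants ALL; command lists with wildcards still need a manual review.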

Create a resource pool / Group

You have to create a new resource pool or group to which you can add new Linux servers in the future and apply specific configuration.

Runas accounts and profiles

Go to Administration > Run As Configuration > UNIX/Linux Accounts and create a new Linux account named, for example, "scomservice - non privileged". Use the scomservice account, but in the field that asks whether you want to use a privileged account, select "don't use elevation with this account". Then create another account with scomservice, but this time create it as a privileged account, selecting "elevate this account using sudo".

Associate these accounts with the profile. To do this, go to Administration > Run As Configuration > Profiles, open the properties of the UNIX/Linux Action Account, add the account and apply it to the resource pool or group where the Linux machines are.

Certificates

You need to install a certificate to authenticate the agent and the server. You can follow these steps:

Manual agent approval

You have to set pending agent installation to manual in this menu:
Administration --> Settings --> Security --> Review new manual agent installation pending management

Now you can deploy the agent from the wizard, following the instructions.
If everything goes well, the agent will appear in the menu Administration --> Pending agents and you have to approve it manually. A few minutes later it will start to report activity to the SCOM server.

Troubleshooting

Sometimes there are problems with package installation and you have to troubleshoot them. The most typical are small incompatibilities between your Linux system and the standard agent package. The best ways to debug these are:
  • Install the package manually on the machine and review the output of the rpm or dpkg commands.
  • Enable logging with scxadmin -log-set all verbose and check the logs in /var/opt/microsoft/scx/log.
  • Review the installed scripts, especially the init script, for syntax or function errors; sometimes we have seen typos in these scripts.
  • Trace WinRM with StopTracing.cmd and StartTracing.cmd, which are located in C:\Program Files\System Center Operations Manager 2012\tools, and review the results in TracingGuidsNative.log
