Working with Alerts, Events, Performance Graphs, and Tasks in the Operator Console(s)

At first glance, you may think there is only one Operator Console (OC) — the "thick" one accessed via the Start menu — but that's not the case. There is an additional, web-based "thin" flavor of the OC installed on the MOM server; it can be accessed using the URL http://www.yourMomServer:1272/. While the two are somewhat similar, you will find that the "thin" flavor is really intended for basic monitoring functions whereas the "thick" one is more applicable for in-depth monitoring. The "thick" flavor has Performance Graphs, Diagrams, and My Views, while the "thin" does not contain these features. The biggest difference between the two is accessibility: The "thick" one can be accessed on machines with the MOM client components installed, whereas the "thin" can be accessed from virtually anywhere as it is web-based. We will now cover the two consoles in greater depth.

"Thick" Operator Console

This console is the one most people are aware of after installing the MOM product on a machine. We are not going to go into depth about all of the features of this console as it has already been explained in Chapter 6, but we do want to highlight the monitoring-related pieces of it. When you first start up this console, you will be looking at the default Alert Views (see Figure 13-1). On the left side of the screen is the Alert Views pane, the middle part of your screen contains the Alerts and Alert Details panes, and on the right side of your screen is the Tasks pane. While these panes are populated with alert-related information upon first launching the console, these panes have a greater scope than just alerts. All of the panes are accessible via the View menu.
You can filter alerts (or any other entity for that matter) in the "thick" console via the drop-down labeled Group in the upper-middle portion of the console. When you expand the drop-down, you will be able to choose from the defined computer groups in your MOM installation. After selecting a particular group within the drop-down, all relevant information for the group is displayed.
Creating Custom Alert Views

In the Alert Views pane you will see an entry for All:Alert Views, Alerts, Service Level Exceptions (SLE), and an entry for every management pack that has been installed on the MOM server. If you select the All:Alert Views entry, all alerts from your custom alert views (a summation of alerts if you will) are displayed. It is in this pane that you can modify pre-existing alert views, remove alert views, or create new custom alert views. Try the following quick exercise:
Once you have created your alert views, you can further modify their filtering via right-clicking on a particular view and selecting Properties. A modal dialog box with the wizard that was used for the initial creation of the view appears. Another way of filtering the alerts you see is by expanding one of the MPs in the Alert Views pane and then selecting either Alerts or SLE. Thus, for every MP you have installed, there are the same two pre-created alert views filtered by each MP. (If you dig a little deeper, you will find that this works by the view filtering on a particular management pack's installed computer group.)

Personalizing Custom Alert Views

In addition to filtering the alerts you see, you can also add/remove columns you wish to see in the Alert Details pane. A table listing the displayed and available columns is shown below. To access this capability, simply right-click on an alert view and select Personalize. Try the following exercise:
Events Tab

The Events tab in the Navigation pane behaves no differently than the Alerts tab. You can create new custom events views and personalize custom events views, and there are the default events views called Events and Task Status. The Events view simply includes all events with no filtering at all (by default)! Task Status shows events that are related to task results. The table that follows shows the available columns to be displayed in the Events view.
Performance Tab

Performance graphs are accessed in the "thick" OC via the Performance tab. Again, you can create new custom performance views and personalize custom performance views, and there are the default performance views under Performance. The table that follows shows the available columns to be displayed in the Events view (all of which are displayed by default).
Tasks Pane

Tasks are actions that can diagnose or repair a particular problem. Tasks are accessed in the "thick" OC via the Tasks pane. Some default tasks are always available to you, and there are MP-specific tasks that get installed as part of the corresponding MP. Computer Management, Event Viewer, IP Configuration, Ping, and Remote Desktop are all default Tasks. In one particular MOM instance managed by Derek, one of the authors, there are Microsoft Baseline Security Analyzer, MOM, SQL Server, Windows DFS, IIS, and Windows Base OS MP task groupings (which reflect the MPs he currently has installed). To launch a task, simply left-click on the task and it is launched in a new window. One very useful tidbit of information is that when you launch a task it is "targeting" the source computer of whatever alert/event you have highlighted! Thus, if Derek selects an alert that was generated by DereksMachine and then clicks the Ping task, a new window launches pinging DereksMachine.

"Thin" Web Operator Console

The "thin" OC has a title bar, a filter bar, the current date/time, Alerts tab, Computers tab, Events tab, and the Alerts/Alert Details panes. By default, when you browse to the URL, it will select the Alerts tab with the alerts/details displayed (see Figure 13-2). The only filtering that you can do via this interface is by clicking the "filter" link in the filter bar. Doing this opens a modal dialog box containing alert filtering by computer group, basic criteria, and advanced criteria. You navigate this console in much the same way as the "thick" OC, clicking on the various tabs for the alert's properties or selecting a different alert that then refreshes the alert properties. The alerts can be ordered by clicking the column names, and an arrow is shown indicating ascending or descending order of content. Events work just like the alerts do in the "thin" console as well. There is virtually no difference excluding the event-specific information that gets displayed.
A link in the lower-left corner of the Alert Details pane is labeled Help; click this link to open an .htm file with helpful information regarding the Web Console.

Using the Web Reporting Console

In addition to all of the monitoring capabilities that the two OCs provide you with, an additional source of monitoring information is the Reporting Console (RC) (see Figure 13-3). As you are aware, when you install MOM you gain access to several predefined reports via the RC, but there is even more! Each MP that you download and install may include additional reports for that specific MP's target software. You can select reports to be installed in the initial setup wizard of an MP. Do not be confused: the RC is nothing but an instance of Microsoft Reporting Services (MSRS)! Thus, if you are familiar with MSRS, you should be able to begin using it immediately and quite effectively.

Launching the RC
Alert-Based Monitoring

Alerts occur when preconfigured rules in the administrative console have their conditions met. Once an alert has been generated, the monitoring phase begins. As you are probably aware of by now, alerts are somewhat complex entities, containing several pieces of information. Some of the alert's information is static from its "birth" to its "death." Other alert information is dynamic throughout its life, changing over the course of time. Several tabs are displayed in the Alert Details pane in the "thick" OC; each tab represents a logical collection of related alert information.

Properties Tab

The Properties tab contains several pieces of useful, read-only information. Some of the most useful items are Severity, Resolution State, Time First Raised, Time Last Raised, Description, Age, and Repeat Count. The table that follows shows all available properties.
Custom Properties Tab

This tab is useful for a handful of purposes, all of which relate to applying custom information against a particular alert. First we have an Alert Owner property, which can be used to assign alert ownership to a particular MOM operator. Later in this chapter, we go into more detail about using this feature effectively. The Ticket ID property is useful if the alert is being tracked alongside a separate ticketing system; thus you would enter that system's ticket ID in this property to help enforce the relationship. Custom fields are useful for any other custom information you may wish to track with your alerts.

Events Tab

The Events tab is useful when you have events that are related to a particular alert. An example of when this is useful would be when you have an alert described as "The response 'script: SQL Server 2000 Service Discovery' has been running more than 600 seconds and exceeded the time allowed to run." The event behind this alert has the exact same description but they could have been different. The point is that lots of events occur but may not necessarily lead to an alert getting generated! In the section "Event-Based Monitoring" later in this chapter you can go from an event to an alert in exactly the same manner.

Product Knowledge Tab

One of the biggest selling points of MOM is its extensibility. Software vendors can develop MPs in parallel with their software products and supply both to their customers. A vendor's MP contains their own internal knowledge of their software products; it is in the Product Knowledge tab that this information is shown per MP rule!
Company Knowledge Tab

In addition to vendor-supplied knowledge there is also your own organization's accumulated knowledge about various software products (sometimes this exceeds the vendor's, too). By selecting this tab you can view any company-specific information regarding the alert's rule. You can create or update your company's information about a particular rule in one of two ways. The first is by simply clicking the Edit button on this tab via the Alert Detail's view. A second method is detailed below:
Event-Based Monitoring

Events are not as important per se as alerts, but it's not wise to disregard them either. A wealth of good information is contained in events. Let's now discuss the various attributes of an event using the "thick" OC.

Properties Tab

This tab contains much of the same information as the Alert's Details properties tab does. A few items of interest here are the Raises Alert, Provider Type, Source, and Time properties. The table that follows provides a listing of all available properties.
Alerts Tab

The Alerts tab contains information only when an alert was raised as a result of the event you are currently viewing. As noted earlier, MOM makes it very easy to switch between events and alerts as they have a logical relationship. Now review the columns for the Alerts tab in the event details pane.
Parameters Tab

This tab contains read-only information that is useful in diagnosing why a particular event was raised. Some rules have actions defined in them that receive parameters; it is these parameters that get tracked with the event that was raised as a result. The following table shows the columns defined in the Parameters tab in the event details pane.
Task-Based Monitoring

Throughout the chapter we have discussed tasks quite a bit, but let's wrap them up here. Tasks are viewed in the "thick" OC via the Tasks pane (see Figure 13-4). There are two "flavors" of tasks, default and custom. By default, we are referring to the tasks that get installed as either part of the base MOM installation or from any MP you might have installed. Custom tasks can be created in the Administrator Console and are valuable when you need an action that has not been supplied to you by default. It is useful to have tasks inside of the MOM environment for the following reasons:
Performance Monitoring

Part of MOM's greatness is its performance monitoring capabilities. Every resource that has a Windows NT Performance Counter Provider is a candidate for performance monitoring in MOM! There are literally hundreds of these counters and we cannot go into the details of each and every one as that would fill another book in itself. So, once you have identified a provider you wish to use to gather MOM performance data, the next step is either to verify that a performance rule has already been defined and use it, or to create a custom performance rule using the provider of interest to you. Performance rules define how MOM processes performance counter data. There are two types of performance rules, Measuring rules and Threshold rules.
Now that you know how to collect performance data inside of MOM, let's learn how to extract it. The steps below are used to create and view a performance graph in the "thick" console:
Advanced Monitoring Topics

Following are several "best practices" for MOM monitoring. While these topics could have been discussed in earlier sections, they are best addressed separately. The topics include suppressing duplicate alerts, meeting SLAs with MOM, and enforcing accountability with alert ownership.

Suppressing Duplicate Alerts

Suppressing duplicate alerts is an important topic. Who wants to keep getting informed that the same issue is occurring? You will find that most rules suppress duplicate alerts and this is also the default for new rules created via the Create Rule Wizard (there is a step in the wizard to configure this). You can also configure the formula used for determining a duplicate alert in the Admin Console (see Figure 13-5). Time for some more hands-on work. Here are the steps for viewing configurable items for suppressing duplicate alerts:
Again, if a rule suppresses duplicate alerts, the repeat count property of a generated alert will increment by one for each ongoing occurrence. If a particular rule does not suppress duplicates, you are going to receive a new instance of the alert for each occurrence. We highly encourage you to embrace suppressing duplicate alerts, as most of the time this is going to be the desired behavior of your rules.

Meeting Your Service Level Agreements with Service Level Exceptions and Custom Resolution States

As you may or may not be aware, you can create/modify/delete Resolution States in MOM. This can become quite useful in the context of SLAs because it is in the Resolution State entity of MOM that you can define the service level agreement time. If any alert in a given state exceeds the time allowed, it becomes a service level exception. Here are the steps to set resolution state times allowed:
In order to know if you are meeting your SLAs, you must be able to track any SLA violations (or, we hope, lack thereof). By altering the properties of an alert view in the OC, you can restrict your viewed alerts to only those that have violated a particular Resolution State's SLA. Here are the steps for viewing alerts that violate an SLA:
Enforcing Accountability with Alert Ownership

As in any ticketing system, certain individuals are going to be "owners" of specific problem domains. So, we may have a SQL DBA on our team who would take ownership of all SQL Server-related alerts, an IIS geek on our team who would take ownership of all IIS-related alerts, and so on. Each individual or group that you wish to be able to assign ownership of an alert to must be defined as either an Operator or Notification Group in the Admin Console. By using the Alert Owner property you can create alert queues and enforce accountability of resolving specific alerts. To automatically assign alerts to a predetermined owner, simply type the name of an existing operator into the owner field on the alert's tab for a particular rule in the Admin Console.
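
The duplicate-suppression and service-level-exception behaviour described in the two preceding topics can be modelled in a few lines. This is an added example, not code from MOM or from the book: the three fields used as the duplicate key, the resolution-state times, the starting repeat count of 0, and the sample alerts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: constructed resolution states and allowed times, not MOM defaults.
TIME_ALLOWED = {"New": timedelta(minutes=10), "Acknowledged": timedelta(hours=1)}

@dataclass
class Alert:
    rule: str
    computer: str
    description: str
    time_first_raised: datetime
    time_last_raised: datetime
    state_since: datetime
    resolution_state: str = "New"
    repeat_count: int = 0  # assumption: the first occurrence counts as 0

class AlertStore:
    def __init__(self):
        self.alerts = []
        self._open = {}  # duplicate key -> existing alert

    def raise_alert(self, rule, computer, description, when, suppress=True):
        # Assumption: these three fields stand in for the configurable
        # duplicate formula; they are not MOM's actual field list.
        key = (rule, computer, description)
        if suppress and key in self._open:
            alert = self._open[key]
            alert.repeat_count += 1        # same alert, one more occurrence
            alert.time_last_raised = when
            return alert
        alert = Alert(rule, computer, description, when, when, when)
        self.alerts.append(alert)          # new alert instance
        if suppress:
            self._open[key] = alert
        return alert

    def set_state(self, alert, state, when):
        alert.resolution_state, alert.state_since = state, when

    def service_level_exceptions(self, now):
        # An alert is an exception once it outstays its state's time allowed.
        return [a for a in self.alerts
                if a.resolution_state in TIME_ALLOWED
                and now - a.state_since > TIME_ALLOWED[a.resolution_state]]

def demo():
    t0, m = datetime(2005, 1, 1, 9, 0), timedelta(minutes=1)
    store = AlertStore()
    for i in range(3):   # same problem three times, suppression on
        disk = store.raise_alert("Disk space", "DereksMachine", "C: low", t0 + i * m)
    for i in (8, 9):     # same problem twice, suppression off
        store.raise_alert("Service stopped", "DereksMachine", "W3SVC", t0 + i * m, suppress=False)
    early = store.service_level_exceptions(t0 + 15 * m)
    store.set_state(disk, "Acknowledged", t0 + 15 * m)
    late = store.service_level_exceptions(t0 + 20 * m)
    return len(store.alerts), disk.repeat_count, len(early), len(late)
```

Calling `demo()` shows that the suppressed rule produces one alert whose repeat count grows, the unsuppressed rule produces one alert per occurrence, and moving an alert to a new resolution state restarts its time-allowed clock.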