SCOM: Tuning/Managing Alerts

Recently, i came at a customer site where the SCOM administrator left the firm, so Operations Manager was running on autopilot for quite a while. In fact they had over 8000 of unclosed alerts comming from rules!
For those of you who aren’t to familiar between the differences between rules and monitors. Here is an important one you should know.

  • Rules generate alerts. They do not make up the Health State of objects. So closing an alert comming from a rule is not too big of an issue. The rule will probably trigger a new alert if the bad condition still exists.
  • Monitors decide on the Health State of objects (green or red). They don’t necessarily generate alerts, but many of them do (i.e. free diskspace monitor)
    This is why you shouldn’t close alerts that are comming from a monitor. Monitors are self-healing, if i.e. free diskspace is back to normal, the alert will be automatically get closed and the objects health state will turn from red into green.

So how do find out wheter it’s a monitor or rule alert? Click on an alert in the “Active Alerts” pane.

Back to my case.

What i did first was closing all alerts comming from a rule. Of course by the use of our friend POWERSHELL.

#Resolve alerts that are created by a rule
get-scomalert -criteria ‘ResolutionState = ”0”’ | where-object {($_.IsMonitorAlert -eq $False)}| set-scomalert -ResolutionState 255

Secondly I ran the “Most common Alerts” Report for the last month or so.

The “Most commen Alerts” report is very useful in helping you with alert tuning/managing. If you address the most common alerts first, you’ll get an immediate gain resulting in less alerts. You could also schedule this report based on a Management Pack i.e. Active Directory. Persons responsible for Active Directory can then see on which alerts they have to work first.

Next thing to do is set responsibilities. As a SCOM administrator you shouldn’t have to worry too much about alerts comming out of the sql Management Pack. But we’ll address this issue some other time.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s