DX Unified Infrastructure Management

Hi all

I have been banging my head on the desk for the last few days trying to get alarms fired based on Exchange powershell command output. This morning, I finally got it to work!

So I thought I would share it with all of you. We are running windows 2008 R2, Exchange 2010 and logmon v3.13

First thing to do is allow the system account of your Exchange server to run read-only powershell commands. We will use the 'command' feature of logmon and this can only run as the system account for the server on which the probe is installed.

Launch powershell and run

Set-ADServerSettings -viewentireforest $true (shouldn't need this for a single domain/forest setup)

get-rolegroup | fl name

You should get a name something like 'View-Only Organization Management' Make a note of this for the next command

Then run

Add-RoleGroupMember "View-Only Organization Management" -member EXCHSERVER

The system can now run most, but not all Exchange powershell cmdlets. Luckily, all the useful ones regarding databases are allowed.

Now create a batch file that logmon will launch. Update the paths according to your Exchange installation and drive letters. The batch file will contain one single line as below.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nologo -noprofile -noninteractive -command ". 'E:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -server EXCHSERVER; &'e:\alerts\scripts\exch_powershell.ps1'"

And now can you can create your exch_powershell.ps1 file with all the commands that you want. My example below just pulls out the last database backup and works out how long ago it was.

get-mailboxdatabase -status | foreach-object {
    $noOfDays = (get-date) - $_.lastfullbackup
    $noOfDays = $noOfDays.Days
    "$_ last backup success > 9 days, it was $noOfDays days ago"
}

Test the batch file before you stick it into logmon.

Then for your logmon probe, under the General tab, Mode, choose command. Then under file, stick the path to your batch file in.

You can now go ahead and configure your watcher rules.

Turn up the logging to level 3 and watch it if you get stuck. It helped me a lot, as you can capture any Powershell errors there.

Good luck!

Paul

Nice post, very useful! Thanks

Hi,

I followed the same as per your comment, however when testing I got an alert with the command in the batch file and not the output of the command. Here is the batch file

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\test.ps1'"

Here is the PS1 file

Get-WmiObject -Class MicrosoftNLB_Node -computername "server-a" -namespace root\MicrosoftNLB | Select-Object __Server, statuscode

Am I doing something wrong here?

-kag

Hi kanandaguberan,

Can you paste the error message into a reply?

I have tested this on my laptop, with Win32_LocalTIme as I do not have NLB installed. Yours should work fine as long as your WMI namespace and class names are OK. You can run it like this to test, note the . for computername to run on local computer.

C:\>type test.ps1
$timeObject = Get-WmiObject -Class Win32_LocalTime -computername . -namespace ROOT\CIMV2

$timeObject.__CLASS + " " + $timeObject.Year + " " + $timeObject.Month + " " + $timeObject.Day
C:\>ps.bat

C:\>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\test.ps1'"
Win32_LocalTime 2016 10 11

By putting the object into a variable $timeObject, we can extract each property and put it on one line. This makes it much easier for logmon to consume.

Hope that helps

Paul

Hi Paul

I tried it with what you said and it did give me the output which you listed. I followed the same procedure of assigning the object to a variable and tested. However, it is still giving me the query as the output/alert and not the result of the query.

Thanks,

Ananda Guberan Kannan

+91-9790737408

Can you show me the contents of the batch file, the contents of the Powershell script and the output you see please?

Thanks

Paul

Hi Paul,

Can you help me with the watchers and variables. I am driving this through blocks as the code will give me 4 codes. May be I am doing something wrong on the configuration in logmon that gives me the alert with the batch file command and not the actual output of it.

-kag

OK can you show me your logmon configuration tabs please?

Hi Paul,

I have both the files in C Drive. In the PS1 file, I am just getting the status code as I will mention the server name in the command.

PS1 File:

$nlb = Get-WmiObject -Class MicrosoftNLB_Node -computername "ServerA" -namespace root\MicrosoftNLB

$nlb.__CLASS + " " + $nlb.StatusCode

Batch File:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\test.ps1'"

Logmon Watcher:

For testing, I have just given ‘*’ and created a text block in the variables as the output is a 4 line output. When I test the profile, below is the output that I get which is the same in the alert as well

-kag

When you are testing, you probably have the batch file selected under ‘Test file’.

Try using ‘Test string’ instead and see what the results are.

Also, put an @ symbol in front of the command in the batch file. This will stop it from displaying to the screen.

@C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "& '.\test.ps1'"

Just testing to see if this file will attach to the conversation.

LogmonExpectedVariables archive package

Above is a link to a package which you can import into your archive.

Drop it onto a robot running the logmon probe and you will see a 'LogmonExpectedVariables' profile.

Alter 'LogmonExpectedVariables.ps1' in the logmon probe directory 'C:\Program Files (x86)\Nimsoft\probes\system\logmon ' in order to extract the properties you want to monitor. Run the batch file from a command prompt to check you are happy with the output. It should simply show each property separated by a pipe |. If you want to capture one property, leave the pipes out.

You can leave the 'General' tab as it is, although you might want to change the 'Check Interval' from 5 seconds.

Ignore 'Format Rules', that stays blank.

In 'Watcher Rules' in the 'Standard' tab, the 'Match Expression' is a repeated regular expression that picks up the values between the pipes. You simply need one group for each property. For example: -

1 property /([^|]+)/

2 properties /([^|]+)\|([^|]+)/

3 properties /([^|]+)\|([^|]+)\|([^|]+)/

4 properties /([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)/

In the 'Variables' tab, create a meaningful name for each property. In the 'Variable Settings', click 'Match Expression' and put the positional number in the box next to it. Then enter the value that the property should be in the 'Threshold' box.

Return to the 'Standard' tab and write the message that you want the alarm to contain when the variables do not match the threshold. You can insert the variable values using ${variableName}

That should be all you need to do. To be honest, I never use the test button for a profile. Instead, I watch the probe log file and alarm console then change the scripts to simulate changing values. You should see an alarm when any of the properties do not match the threshold. A clear alarm will be sent when they return to normal. You should see the alarm disappear when you change the value back.

Enjoy

Paul

Nice info, Paul. Thanks for the post!

Thanks, just posted a logmon example package for people to try out.

Hi Paul,

Thanks a ton. The package worked perfectly even when I ran the batch file using cmd, however it throws me access denied error in logmon. Any suggestions?

-kag

Hi Paul,

I think I figured out the access issues. I am trying to run this query remotely into another server which might be blocking. I will just run this locally and find out what it results.

-kag