question

0 Votes
peewhy asked CyrAz commented

SCOM generates a false positive when a container volume is renamed after container redeployment or restart

Hello All,

This is an issue I posted in the older forum. Kindly advise.

https://social.technet.microsoft.com/Forums/systemcenter/en-US/be1b1d34-b010-4d93-9292-738e5059b7d9/scom-generates-a-false-positive-when-a-container-volume-volume-is-renamed-after-container?forum=operationsmanagergeneral

msc-operations-manager

0 Votes
StoyanChalakov answered peewhy commented

Hi @peewhy,

This is really strange. I can tell from the screenshots that the monitor does indeed target the "Logical Disk" class.
Can you please do a simple test? On the last screenshot with the "Override Properties", what happens if you select Enable --> False and then click the "Enforced" option to enforce the override?
Does the monitor fire for this particular disk then?

Thanks and Regards,
Stoyan


This actually worked, @StoyanChalakov. Many thanks.
Since I have enforced the parameter, I am not receiving any false positive alert. Do you have any logical reasoning behind this?

Also, I've been curious to know how the enforce function works. Any pointers will be much appreciated.

0 Votes
StoyanChalakov answered peewhy edited

Hi py,

I had the same challenge with Kubernetes containers, where there were many pods with the exact same type of disks.
First things first, there is only one community MP which monitors containers, and it is pretty specific, so there is a great chance that you cannot use it.
That being said, there is no other MP for SCOM (for now) which can help you monitor containers.

Now to the question: How to solve the issue with the disks and their dynamic names? This is what I did:

  • Create a dynamic group in SCOM with the Linux disk, where the disk name contained "overlay" (In my case it contained "kubelet")

  • Create an override on the alerted monitor and override it for the group (Enabled=False). This will stop the monitor from alerting.

  • Go ahead and do the same for the Linux logical disk discovery - override it also for the same group.

This will stop the disks from being discovered and of course will stop the alerts.

Hope I could clarify this for you!



(If the reply was helpful please don't forget to accept as answer, thank you)
Regards,
Stoyan







Hello @StoyanChalakov

Thanks for checking on this matter.


We already have a dynamic group in place to detect the filesystem types 'overlay' & 'nsfs'. I also see the discovered objects in the group and still it is alerting.
19152-1.png

The surprising fact is that the server and file system are discovered in the group, yet it is alerting.
Discovered object in the group
19074-1.png

Alert
19171-1.png

Do you suggest I create another group with disk name rather than filesystem type?

I have double checked the rule for the group and it is enabled=false.

Kindly advise


0 Votes
StoyanChalakov answered

Hi PY,
actually, if your group is populated with the disks, then the group configuration is fine.
Now we need to check why the rule is still alerting. Most probably the rule target is different than the objects in the group.
Can you please do me a favour and check the following:

  • In the SCOM console, go to the alert, right click and select Overrides

  • Afterwards select the "Override rule" and then you will get the options:

For all objects of class: <<Class Name>>
For a specific object of class: <<Class Name>>

I need to know what Class exactly is the GUI showing in the options? Is it "Logical Disk" or is it something else?

Thanks



(If the reply was helpful please don't forget to accept as answer, thank you)
Regards,
Stoyan




0 Votes
peewhy answered

Hello @StoyanChalakov

Thanks.

Here is another recent example in another environment.


Group

19842-1.png

Discovered object

19748-1.png

Alert

19843-1.png

Override

19851-1.png

Override properties

19749-1.png

Kindly advise




1 Vote
CyrAz answered CyrAz commented

(Continuing from the old thread on the TechNet forum)

The proper way to do this override is not a dynamically populated group, because what you really want here is to prevent these volumes from being discovered in the first place instead of having them discovered and disabling their monitoring, as I explained in the TechNet thread.

You answered that you did not have the ExcludeFileSystemName nor the ExcludeFileSystemType overrides for the Discover Universal Linux Logical Disks.
That is likely because you are still running an older version of the Microsoft.Linux.Universal.Monitoring MP, as these overrides only became available with version 7.6.1064.0 (which was released with SCOM 2016 UR1, if I'm not mistaken).

Could you check which version of the MP you are running, and update it if it's too old?
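
The check requested in this answer, as an added PowerShell example that is not part of the original thread. It assumes the Operations Manager Shell (OperationsManager module) connected to the management group and an English-language console for the discovery display name; the MP name, minimum version and override names are the ones quoted in the answer.

```powershell
# Added example: verify the Linux MP version and whether the discovery
# exposes the exclusion overrides mentioned in the answer above.
Import-Module OperationsManager

$mpName        = 'Microsoft.Linux.Universal.Monitoring'     # MP named in the answer
$minVersion    = [version]'7.6.1064.0'                       # first version with the overrides, per the answer
$discoveryName = 'Discover Universal Linux Logical Disks'   # display name as quoted in the answer
$wanted        = 'ExcludeFileSystemName', 'ExcludeFileSystemType'

$mp = Get-SCOMManagementPack -Name $mpName
if (-not $mp) {
    Write-Warning "$mpName is not imported in this management group."
}
elseif ($mp.Version -lt $minVersion) {
    Write-Warning "$mpName is at $($mp.Version); $minVersion or later is needed for the exclusion overrides."
}
else {
    Write-Output "$mpName is at $($mp.Version); version requirement met."
}

# List which of the expected parameters the discovery actually allows to be overridden.
# More than one discovery can share a display name, so report each match separately.
foreach ($d in @(Get-SCOMDiscovery -DisplayName $discoveryName)) {
    $available = @($d.GetOverrideableParameters() | Select-Object -ExpandProperty Name)
    foreach ($p in $wanted) {
        [pscustomobject]@{
            Discovery      = $d.DisplayName
            ManagementPack = $d.GetManagementPack().Name
            Parameter      = $p
            Available      = $available -contains $p
        }
    }
}
```

If `Available` is `False` for both parameters, the imported MP predates the exclusion overrides and the discovery cannot filter these volumes by name or filesystem type.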


Hi,

I cannot disagree with Cyril here, the proper way would be to override the discovery of those.

Cheers,
Stoyan


Thanks @CyrilAzoulay - Appreciate

I checked the Universal Linux Monitoring MP version and it was a previous version.
Current Version - 7.5.1005.0
Latest version - 7.6.1092
I imported the latest version in the lab and found the missing override for the discovery in the latest version.


On a lighter note, can I not mark more than one answer as "Accept answer"? :D



Indeed you can't... too bad for my reputation :p
I believe you can still upvote my post though!
