torsdag 27. februar 2014

OpsMgr 2012: Report Models

Reports in Operations Manager is based on SQL Server Reporting Services. When building reports with Reporting Services you need to know the underlaying database, the data relationships and what queries to use. For this purpose we can use Report Models, although this is now deprecated in SQL Server 2012 we can still use existing models with SQL Server 2012.

Operations Manager ships with such models to help you build reports using data from the Operations Manager Data Warehouse database. You have to import the models into the Reporting Services. This is how you do it:

  1. Open the Reports page in your web brower. If you do not know the URL to your reporting server, look in Operations Manager Console > Administration > Settings > Reporting. You will typically see somthing like this:


    Open this URL in your browser, then replace ReportServer with:

     It would then look like this:

  2. Click the Upload File button:

  3. Click Browse and locate the file Event.smdl in folder ReportModels\Other on the Operations Manager installation media, and click Open and then OK.

  4. Locate the Event file that you just uploaded and point the mouse to the name. You will se a select box, click the down arrow of the select box and choose Manage.

  5. Click Data Sources then Browse and select Data Warehouse Main and OK. Click Apply to save the change and then click Home in the top left corner.

  6. Do the same with the file Performance.smdl.

To use the Report Model, you need to open up Report Builder. I did this with the SQL Server 2012 version, older SQL Servers will have older versions and the features will be different:

Then you need to select New Dataset and click Browse other data sources..., select the Event file that you uploaded and click Open and Create:

For now I will not go into details about the creation process but in short: you add fields to your dataset by selecting the entitiy, e.g. Class, Event, Event Parameter, Event Rule, Management Pack, Object or Rule. Then drag and drop fields to the designer. You can also define filters and set options for the dataset. When you are done you can Run the dataset to see the result before you save it.

With the dataset in place you can create a report and use the dataset you have created to extract data from the data warehouse database.

OpsMgr 2012: NiCE Log File Management Pack

I had the chance to take a look at a new management pack from NiCE. It will be available for FREE next week and it is a most welcome addition to the existing functionality that Opertations Manager already provide for monitoring log files. Another great blogger, Stefan Roth, already blogged about it here so I will not go into a lot of details here.

To get started you download a Quick Start guide in PDF format and the MSI installer file from

The installer, like most Management Pack installers, will extract the management pack to a specified folder. Then you have to import it to your Management Group using the Operations Manager Console. You can uninstall it from Windows Programs and Features after that. However, I would recommend to keep the management pack in a file repository, by version, so you can easily revert to older versions if a new version have problems or changed functionality that you do not like.

The Quick Start guide will tell you with NiCE Step-By-Step guides, how to get started. Quite helpfull.

After playing around with it for a bit I have to say that this is awesome, you should give it a try. Highly recommended.

Highly recommended

UPDATE 28. february 2014: I have found two problems with the current version (

1) Self Monitoring Rules targets Windows Computers
The purpose of the Self Monitoring Rules are to monitor the Operations Manager Event Log for warnings and errors in the Operations Manager event log related to this Management Pack. The problem is if you have Windows Clusters. Then the rules will also target the cluster address (the virtual node). This may result in event 26004 being logged on the active node. The event would look something like this:

Log Name: Operations Manager
Source: Health Service Modules
Date: 27.02.2014 14:41:49
Event ID: 26004
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: host.lab.internal
The Windows Event Log Provider is still unable to open the Operations Manager event log on computer 'cluster.lab.internal'. The Provider has been unable to open the Operations Manager event log for 720 seconds.

Most recent error details: The RPC server is unavailable.

This will be picked up by the monitor "Failed Accessing Windows Event Log" targeting the "Health Service" and make the agent go into a warning state.

The workarround is to disable the following Rules for Class Windows Computers:
Self Monitoring: NiCE Log File Provider (Errors)
Self Monitoring: NiCE Log File Provider (Warnings)

2) Missing Console Task
This problem may be related to my environment, however it is of greater impact. In my console I noticed that the console tasks was missing. For example in the Windows Computers view, I would normally see the following sections in the Tasks pane: State Actions, Tasks, Navigation, Windows Computer Tasks and Report Tasks. After importing the NiCE Log File Management Pack, only State Actions remained. Closing the console did not help. Starting the console with /clearcache switch did not help.

Only after removing the NiCE Log File Management Pack and restarting the console did the Tasks reappear. I tried to import the management pack once more and after restarting the console, the tasks was missing again. In the event log I found two events that occured at the time I imported the Management Pack, so they are likely to be related:

Log Name:      Operations Manager
Source:        DataAccessLayer
Date:          28.02.2014 16:43:55
Event ID:      33333
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      scom.lab.internal
Data Access Layer rejected retry on SqlError:
Request: ResourceByCriteria -- (LanguageCode1=ENU), (LanguageCode2=), (Category0=ad3be2e1-d1e2-bbf7-0c05-67ae8781a16a)
Class: 16
Number: 10316
Message: The app domain with specified version id (25189) was unloaded due to memory pressure and could not be found.

The other event was:

Log Name:      Operations Manager
Source:        OpsMgr SDK Service
Date:          28.02.2014 16:43:55
Event ID:      26319
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      scom.lab.internal
An exception was thrown while processing GetResourcesByCriteria for session ID uuid:89adfa9b-ddca-4143-a1e0-cf91c49e0703;id=35.
Exception message: The creator of this fault did not specify a Reason.
Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UnknownDatabaseException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to The app domain with specified version id (25189) was unloaded due to memory pressure and could not be found.).

UPDATE 6. march 2014: A new release has arrived where the second problem (Missing Console Tasks) outlined above has been resolved. To get this great management pack you need to register at the site and then you will be able to download it for free.

tirsdag 25. februar 2014

OpsMgr 2012: Event 26001 is logged regularly on Windows Server 2012 R2 host computers

Microsoft published a KB about this issue recently. You can find it here:

After disabling the two rules I noticed that this event still happend on the Windows Server 2012 R2 host computer. So I did some research.

First I wanted to see where this event came from and executed this PowerShell command against the host:
Invoke-Command -ComputerName host1 -ScriptBlock {get-eventlog Application | where {$_.EventID -eq 26001}|select -First 1}|select Source

Source: Microsoft.SystemCenter.VirtualMachineManager.2012.Report.VPortUsageCollection

Then I wanted to find the Rule, so using Tao Yangs OpsMgr 2012 Self Maintenance Management Pack I was able to back up the sealed management packs to a folder where I got hold of the XML source file for Virtual Machine Manager Management Packs and I assumed it was related to Reports so I opened this: Microsoft.SystemCenter.VirtualMachineManager.2012.Reports.xml

I searched the XML and was able to see that the Source was defined in a DataSource called Microsoft.SystemCenter.VirtualMachineManager.2012.Report.TimedPowerShell.VPortUsagePerformanceProvider wich in turn, when I search for that, was used by the rules Microsoft.SystemCenter.VirtualMachineManager.Network.2012.Vport.BytesReceivedPerSec and Microsoft.SystemCenter.VirtualMachineManager.Network.2012.Vport.BytesSentPerSec

By using PowerShell on the management server I could find the DisplayName and Target for this rule:
Get-SCOMRule -Name Microsoft.SystemCenter.VirtualMachineManager.Network.2012.Vport.*

DisplayName: Virtual port received bytes per second
DisplayName: Virtual port sent Bytes per second
Target: Virtual Port

So, I then disabled the rules in Authoring > Rules > Scope to Virtual Port. After that the event logs stopped.

tirsdag 4. februar 2014

Windows: Read Event Log with PowerShell

Here are some examples of listing events from the last 30 days.

Total Errors per day
Get-EventLog -LogName 'Application' -EntryType Error -After ((Get-Date).Date.AddDays(-30))| ForEach-Object{$_|Add-Member -MemberType NoteProperty -Name LogDay -Value $_.TimeGenerated.ToString("yyyyMMdd") -PassThru} | Group-Object LogDay | Select-Object @{N='LogDay';E={[int]$_.Name}},Count | Sort-Object LogDay | Format-Table -Auto

Errors by Event ID
Get-EventLog -LogName 'Application' -EntryType Error -After ((Get-Date).Date.AddDays(-30))| Group-Object EventID | Sort-Object Count -Descending

Warnings by Event ID
Get-EventLog -LogName 'Application' -EntryType Warning -After ((Get-Date).Date.AddDays(-30))| Group-Object EventID | Sort-Object Count -Descending