How to get OMS alerts in SCOM

June 27, 2017 at 1:21 am in OMS, SCOM by Dieter Wijckmans


During recent events and customer contacts I got a lot of questions about integrating SCOM with OMS. It also popped up several times during my recent webinar with Savision. The question makes sense because a lot has already been invested in SCOM and it is usually the start of your ITIL process… But how do you actually get alerts from OMS into SCOM? Well, by using OMS and Azure Automation of course!


Step 1: Define what you want to forward to SCOM by defining a scenario and a search query

The scenario is key in this stage of the process. You need to define what you are looking for. Alerting in OMS is quite different from alerting in SCOM. In OMS you need to ask yourself “How many times did X happen in Y time” instead of the “If this then that” kind of monitoring in SCOM.

This is very important for finding the right search query. In this post I’m going to demonstrate the following scenario:

I want to have an alert in SCOM when there are 5 password attempts in the last hour on the administrator account

It’s possible to solve this issue with SCOM but hey we are going to use OMS + Azure automation right?

Step 2: Get all the building blocks linked together

The following high level steps need to be in place for this to work. For the purpose of preparing links are provided:


Step 3: Create the Azure Automation runbook

Open the azure portal by going to and select the subscription where your workspace is configured in.

Select the Automation Accounts logo:


Make sure you select the correct Automation Account


Now you get an overview of all the runbooks which are configured in your automation account. Select Runbooks in the middle bar:


In the next screen choose: “+ Add a runbook”


Choose “Create a new runbook”


Give the new runbook a name and choose PowerShell as Runbook type:


Copy the following PowerShell code into the right window:

## The runbook only receives the webhook payload when this parameter is declared ##
param (
    [Parameter(Mandatory = $false)]
    [object] $WebhookData
)

## Check whether the log source exists; create it if it does not ##
if (-not [System.Diagnostics.EventLog]::SourceExists("OMS")) {
    New-EventLog -LogName Application -Source "OMS"
}

## Get the content of the webhook ##
$RequestBody = ConvertFrom-Json -InputObject $WebhookData.RequestBody

## This is just to show you what's in it ##
$RequestBody | Export-Clixml -Path C:\Temp\Invoke-OMSAlertDiskCleanup_RequestBody.xml

## You can get all the values! ##
## @() keeps the indexing correct when the search returned a single result ##
$results  = @($RequestBody.SearchResults.value)
$user     = $results[0].Account
$computer = $results[0].Computer
## Number of records returned by the search ##
$counter  = $results.Count

## Let's create the event for SCOM ##
Write-EventLog -LogName Application -Source "OMS" -EntryType Error -EventId 1 -Message "User: $user has too many failed logon attempts on $computer. This happened $counter times."


Click the Save button and then the Publish button and click yes to publish the runbook to your Azure Automation account.



Your runbook is now ready to be triggered by our alert in step 4.

Step 4: Develop the search query in OMS and create the OMS alert

Ok I’m cutting some steps short here. I assume you already have your machine connected to OMS and are sending up your security logs. If not follow these guidelines to get you going:

So let’s see how we are going to solve this… First of all, most of the search queries do not have to be constructed from the ground up. They can just be found in the solutions and tweaked a bit. For example this scenario can easily be extracted from the Security and Audit solution (if you have configured it of course):

Open up the Security and Audit Solution by clicking on the Security and Audit solution:


In the left part of the screen you have “Identity and Access”. Click on it to open it.


In the middle of the screen you get the amount of failed logons and eureka! Vlab\administrator is in there… Well for demo reasons I had my 5 year old try to login…

So click on the desired account.


The search query window opens and there you have your search query all ready to go…


Type=SecurityEvent AccountType=user AND EventID=4625 Account='VLAB\Administrator'

Now click on the Alert button on the top left choices to instantly create an OMS Alert which will be our trigger for the process to get the alert in SCOM:


The Create alert window pops open and basically has 3 areas:

  • General: This is where you define your criteria for the alert to be fired
  • Schedule: This is where you define your frequency of checking + the amount it has to occur within this timeframe
  • Actions: This is where you define how you would like to be notified

First things first: The General part:


  • Fill in a name for the Alert
  • Choose the Severity
  • Search query is already filled in and copied from the search query window earlier on.
  • Time window: this can be no lower than 5 minutes. For demo purposes we set it to 15 min

Note: You already see we have 6 results for the given timeframe so our alert is going to fire.

Second the schedule part:


  • Alert frequency is how often the search query needs to run. We choose here every 5 min.
  • Generate alert based on: Here we define how many results the search query needs to return before we want to be notified. In this scenario there’s no point in alerting when someone mistyped the password just once. That is highly unlikely to be a hacking attempt.
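
How the time window, alert frequency and threshold interact, as an added example (not part of the original post and not OMS's own implementation): the function evaluates constructed 4625 events the way one scheduled run of the alert would. The threshold of 5 with "greater than" semantics, the computer names and all timestamps are assumptions.

```powershell
# Added example: constructed data, simulating scheduled evaluations of an alert rule.
function Test-FailedLogonAlert {
    param(
        [Parameter(Mandatory)] [object[]] $Events,    # rows shaped like SecurityEvent records
        [Parameter(Mandatory)] [datetime] $Now,       # moment of one scheduled evaluation
        [string] $Account           = 'VLAB\Administrator',
        [int]    $TimeWindowMinutes = 15,             # "Time window" in the General part
        [int]    $Threshold         = 5               # assumed: fire when results are greater than this
    )

    $windowStart = $Now.AddMinutes(-$TimeWindowMinutes)

    # Same filter as the search query, restricted to the time window
    $hits = @($Events | Where-Object {
        $_.EventID -eq 4625 -and
        $_.Account -eq $Account -and
        $_.TimeGenerated -gt $windowStart -and
        $_.TimeGenerated -le $Now
    })

    [pscustomobject]@{
        EvaluatedAt = $Now.ToString('HH:mm')
        Results     = $hits.Count
        Fires       = ($hits.Count -gt $Threshold)
        Computers   = (@($hits | ForEach-Object { $_.Computer } | Sort-Object -Unique) -join ', ')
    }
}

# Constructed sample: a burst of failed logons on the administrator account,
# one late straggler, and one failed logon for another account (noise).
$t0 = [datetime]'2017-06-27T09:00:00'
$sample = @(
    foreach ($minute in 1, 2, 3, 9, 10, 11, 12, 40) {
        [pscustomobject]@{
            TimeGenerated = $t0.AddMinutes($minute)
            EventID       = 4625
            Account       = 'VLAB\Administrator'
            Computer      = 'DC01.vlab.example'
        }
    }
    [pscustomobject]@{
        TimeGenerated = $t0.AddMinutes(10)
        EventID       = 4625
        Account       = 'VLAB\jdoe'
        Computer      = 'WEB01.vlab.example'
    }
)

# "Alert frequency": one evaluation every 5 minutes
foreach ($minute in 5, 10, 15, 20, 25, 30) {
    Test-FailedLogonAlert -Events $sample -Now $t0.AddMinutes($minute)
}
```

Each output row is one scheduled run: how many matching events fell inside its window and whether that run would fire. Shortening the window or raising the threshold changes which runs fire for the same burst.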

Third the Actions pane:


  • Email notification: Well self explanatory
  • Webhook: If you have another application which is taking in a webhook url you can activate it here. In fact calling a runbook is also a webhook but more on that later.
  • Runbook: Here you can select an Azure Automation runbook which is linked to your workspace. (Note: I selected a runbook I made earlier on. Select here the name you gave your runbook in step 3.)
    • Click yes
    • Select the runbook (note: you cannot change the automation account; the one displayed is linked to your workspace)
    • Run on (choose Hybrid Worker)
      • Note: a small bug is still live in the console. If you close this view after configuring the actions and check the config of the alert, this will always highlight Azure although you have selected Hybrid Worker => no panic!


So now we already have the alert which is kicking off our runbook on our Hybrid Worker on prem.

At this stage we have:

  1. An alert which is detected in OMS
  2. An alert is raised in OMS. This can be checked by clicking the red dot on the bell in the top toolbar of your OMS workspace
  3. A runbook is triggered which:
    1. Extracts the data from the OMS alert webhook
    2. Creates a log file on the Azure hybrid worker
    3. Logs the data in the event log of the hybrid worker.

Step 5: Get the alert in SCOM

So now when we check the event log of the Azure hybrid worker on prem we normally find the following alert every time the OMS automation runbook is triggered by the OMS alert:



Now it’s quite straightforward to get the alert in SCOM by using a standard Monitor (self resetting after a while)


Note: I used custom targeting to Hybrid Runbook Worker to make sure the monitor is not run on all machines.

and eureka:


The MP I used for reference:



The alerts show up in SCOM triggered by our search query, transferred through OMS alerting, treated by an OMS automation runbook towards our Azure Hybrid runbook worker where it’s picked up by our management pack…

SCOM 2016: Import management packs install button grayed out

March 20, 2017 at 5:04 pm in SCOM 2016 by Dieter Wijckmans


During one of my installations of SCOM 2016 I came across “a first” for me which I would love to share.

Apparently the default behavior has changed when importing Management packs in SCOM 2016 which are already in the management group. In SCOM 2012R2 it was possible to just import the management pack over the existing management pack which makes sense as these are sealed management packs. As long as the version is equal or higher there’s not an issue.

In SCOM 2016 however this behavior has somewhat changed, causing the Install button to stay grey when you import MPs from disk, so you are not able to continue.

In my case I was importing the SQL management packs. Apart from the error that the catalog was not up to date I came across the situation below:


After trying to delete the already installed mp’s the other mp’s were actually complaining that they are missing their dependent mp’s as shown below:


The solution I found to continue was in fact removing ONLY the “Microsoft SQL Server Visualization Library”. After that the install button magically became active and I could continue the install.


So in general if you can’t continue with the install make sure you try to remove the mp’s already in place. Start with the general ones and work your way down.

OMS: Getting the most out of OMS security features

February 24, 2017 at 12:55 pm in OMS by Dieter Wijckmans


Yesterday I hosted a workshop at Microsoft Belux about OMS security and compliancy features built-in in the OMS suite. It’s always nice to talk people through the different things which are included + give tips and tricks based on their questions.

As a lot of questions keep returning I decided to bundle them in an overview blog post on how you can effectively tune your environment. This is not a “how to” for setting up OMS but just a summary of small tips and tricks.


If you need a full “how to” setup OMS security check here:

1. Add your IIS logs to the mix

A significant portion of the insights on how you are doing regarding security comes from your IIS logs. Assuming that you have an OMS agent installed and added to your workspace, it is invaluable to send these logs to your workspace as well for indexing and feeding the different users which are taking benefit from this knowledge.

  • Install an agent on the web server and connect it to your workspace. (I’m assuming you know how to do this)
  • Open your workspace and open settings by clicking the gear icon on top of your workspace
  • Go to Data => IIS Logs => tick the box “Collect W3C IIS Log files”. From this moment on your IIS logs will be gathered, uploaded to OMS and indexed. They will automatically be used to feed the security solution amongst other solutions.

To show you how important the IIS log data is to the Security solution, and how much it relies on it, I’ve included the stats in my workspace.

Go to Security and Audit:

Scroll to the right to Threat Intelligence and click on the Detected threat types dial:

In the left corner you can see that the type of data is almost 50% based on the IIS logs. So make sure to add them.

2. Limit the amount of security events uploaded to your workspace

Another handy tip is limiting the amount of data sent to your workspace to protect your usage. It used to be only possible to send all or nothing, but just recently a filter was added for which events will be uploaded.

To select this filter go to your Security and Audit solution:

Click the gear icon in the top left corner:

Use one of the predefined filters:

For more info on the filters click the “For additional details” link.

To summarize the different filters check the different scenarios.

I’ve added to the list of events which are included in each scenario for your reference:

3. Check your usage (especially in a POC scenario)

Adding the security logs can have a significant impact on the data uploaded to your workspace and can cause overage payments, or a bad POC when your workspace is suspended for exceeding the maximum amount of data uploaded per day.

To check the usage of the security events follow this procedure:

Go into the main screen of your workspace and select usage:

Scroll to the middle of the screen and look for Data Volume by solution => click on “Security”

Check the graph to see which machines are consuming most of the usage and try to take corrective actions.

In summary

These are just some tips and tricks to get the most out of your security solution. This solution is heavily dependent on other solutions (anti malware, compliancy,…) so the more solutions you deploy and configure, the clearer the picture will be of how you are doing in the security field.

Stay tuned for more tips and tricks which will help you to get the full grasp and value out of your OMS investments.

Speaking @ ITPROCEED 14/06/2016 in Mechelen

May 25, 2016 at 10:18 am in Uncategorized by Dieter Wijckmans


It’s that time of the year again! Everyone is waiting for the summer to hit Belgium (I heard it will happen on a Wednesday this year!). Have some time and relax… BUT… Not before we go out with a bang at ITPROceed!

This is THE not to miss event in Belgium focusing on ITPRO’s. This event will be packed with sessions of both national and international speakers who use their expertise and gathered knowledge to prepare you for the next steps in your ITPRO career. ITPROceed is organized by the different Belgian user groups and backed up by Microsoft.

All the new technologies which will revolutionize your ITPRO world will be showcased giving you a real look and feel what the next steps will be to move your environment forward.

I myself will give you insights in the world of OMS. My session is scheduled on the “Transform the datacenter” track. During a demo loaded session I’ll showcase how you can use the latest and greatest in OMS to get the insights and reports you want.

If you are interested in OMS and what it can do for your organization this is a not to miss session.

Ow and by the way… Did I mention the entrance is completely FREE! Number of tickets is limited so sign up today!

More info here:

OMS Webinar: Get insights in your big data 07/03/2016

February 26, 2016 at 4:43 pm in LiveMeeting, OMS by Dieter Wijckmans



On 07/03/2016 I’ll be hosting another webinar on the excellent Microsoft Belux platform. This webinar about OMS will focus on getting the insights you need from the big data which resides in your workspace.

It’s basically a next step in your journey into a new way of creating your insights in your environment. This session will be filled with tips and tricks to select the correct solutions and create your first search queries to create something no one else can: your insights.

This session assumes you already have a basic knowledge of OMS and have already set up a workspace with data flowing into it. If not you can always check my get started fast series here:

Hurry up as seats are unlimited and selling fast!

Register here and hopefully see you on the 7th of March at 10AM!

SCU 2016: Prepare to have your mind blown!

December 24, 2015 at 4:47 pm in OMS, operations manager, SCOM, scu, scu2016 by Dieter Wijckmans


I got the news that I have the privilege (that’s how I definitely see it) to speak once again at SystemCenterUniverse in Dallas on the 19th of January 2016.


I consider this a huge privilege as I have a special relationship with this particular event. This is in fact where my wild journey through the System Center Universe as a speaker started. 2 years ago SCU held a fierce battle to determine who would be the new SCU_Jedi winning a session at this event… I was lucky enough to pull it off and suddenly I was presenting among the (what I consider) big shots in the System Center world…

Most of them are still presenting today if you look at the list of speakers it is quite impressive:

The first but not complete list:

As you can see all the usual suspects are there!

For the full agenda please check here:

This year again there’s a 2 track approach so you have the ability to cross over and see a session out of your comfort zone to learn really new cool stuff!

My session will be about the vast power of OMS and how it can create new possible insights in your environment. A truly not to miss session if you ask me.

Can’t fly in?

Too bad… You are missing out…

Not really! Because SCU is (I think) the only event who offers free streaming of the event over the web. There are even a lot of viewing parties organized near your location where you can easily follow the event from your location!

OK but why should I fly in then?

Well that’s very simple as well! If you have the ability to fly in you get a chance to mingle with peers and talk to the speakers. There are no designated areas for speakers whatsoever, so everyone is really accessible to have a chat or answer your questions…

So this is probably expensive right?

A full day of training on different subjects for only 150$ that’s a bargain if you ask me!

Last but not least

This is one of the events who are really embracing the social media (twitter, facebook,…) to reach out to attendees onsite but also across the world to engage during and after the event.

Make sure you follow: @scu2016 and #scu2016 on twitter for the latest updates and feeds!


Hopefully see you all there!

Use OMS to calculate SCCM patch window

December 23, 2015 at 4:12 pm in Azure, OMS, SCCM by Dieter Wijckmans

This blog post is part of the Coretech Global Xmas blogging marathon. To find all cool content please take a look at

Recently I have been exploring OMS a lot and came across a cool user scenario which really showcases the benefits of having all data in one place. Using this big data to connect the dots between different systems and creating even more insights in your environment and the relationships between the different systems.

One demo which really had some eyes popping was in fact the calculation of the SCCM patch window with OMS. A lot of people already know that there’s a specific System Update Assessment solution which points out which machines are missing which updates. But there’s more to this solution than meets the eye at first sight.

You can use this solution, but also the data gathered by OMS for all your updates, to calculate very precisely how long it will take to patch a particular machine to create a patch window accordingly.

Let’s get started shall we!

For this demo I presume you already have an active OMS subscription + workspace. For more info please refer to my OMS quick start guide to get you going fast:

Log on to your workspace and make sure you have machines connected + the solution installed:

First click on Solutions Gallery:


Find System Update Assessment Solution and make sure it is added to your workspace. If it’s not yet added make sure to click the icon and add in the next screen


Make sure to add the Solution to your workspace


If you add the Solution for the first time it will perform an Assessment to gather the data for your environment:


When the Initial Assessment has been completed you will get your info on the tile which represents the System Update Assessment:

TIP: No worries, my environment is not that badly patched, but if you are looking into taking this solution for a test drive you can always install Azure VMs with an earlier image (a couple of Patch Tuesdays ago) to have a machine which is in fact missing updates.

Click on the tile to open the detailed pane shown below:



Click on the Required Missing updates pane:


The next window will give you by default a graphical overview of the patches missing + how many days ago the patches were released. This gives you a nice overview of how far behind on patches your machines are. You also get a nice pie chart to give you an overview of how many patches are missing + the category of the patches.

Note on the right there’s an indication in minutes how long it will take on Average to install these missing updates:


This is not just a “Guesstimate” but OMS is actually using data out of the logs collected by all machines to give you an accurate time of install of this particular set of patches missing on this machine.

The number (in this case 81) indicates that install-time data is in fact available for all the missing patches.

At this time you can clearly state that the machine will probably be patched in approximately 14 minutes. You can build in some margin but definitely don’t need an hour to patch this machine.

Create your own insights!


This is just the pretty eye candy view of the Solution!

If you want to have the data by update you can dive into the big data gathered and create your own insights in your patch strategy. This can be achieved by using the “raw data” in the Search Query view and creating your own views. Let’s see how we can find out for example which patches will take more than 60 seconds to install so we can put them in a different patch group:

Click on “results” next to updates right underneath the search query window


At this point you get the 81 results with all their data but… no install time?


Click “Show More” on the bottom of the screen to unveil the InstallTimeAvailable / InstallTimePredictionSeconds / InstallTimeDeviationRangeSeconds properties

This is the data gathered for all the updates which are identified as missing on my systems.

InstallTimeAvailable: Will give you an indication whether enough data is gathered in the OMS system to give you an actual prediction of the install time. For new updates it can take some time to find the right data to be reliable to give you an accurate prediction of course.

InstallTimePredictionSeconds: This is the prediction based on all the data gathered through the OMS system (note this is not only based on your environment but across all environments connected to OMS, showing the huge advantages of the Big Data approach of Microsoft Operations Management Suite).

InstallTimeDeviationRangeSeconds: Will give you an indication how much fluctuation is possible on the prediction. In this case the value is 0,83 meaning this can either be minus or plus.

Now to find out how many of the updates (81 of them) have an install time of more than 60 seconds we need to use the Search Query power:

Click in the Search Query window on the top of the screen and start typing Install at the end of the line:


OMS will give you suggestions on which parameter you want to search. In this case we are going to search on “InstallTimePredictionSeconds =”

So just click on it to get it into the Search query as shown below. At this point we can put “Greater than” 60 and run the search query by clicking the search Icon on the right or hitting Enter:


There we go… We have 6 patches which will take longer than 60 seconds to install, so we can take appropriate action regarding these patches in SCCM:
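
Turning the three InstallTime* properties into a patch window per machine, as an added example (not from the original post): it works on records shaped like the search results described above. The Computer and Title field names, the 20% margin and all sample values are assumptions.

```powershell
# Added example: all records are constructed sample data.
function Get-PatchWindowEstimate {
    param(
        [Parameter(Mandatory)] [object[]] $Updates,
        [int]    $LongInstallSeconds = 60,   # same cut-off as the search in the post
        [double] $MarginPercent      = 20    # assumed safety margin, not an OMS value
    )

    foreach ($group in ($Updates | Group-Object -Property Computer)) {
        # Only updates for which OMS has enough data carry a usable prediction
        $known   = @($group.Group | Where-Object { $_.InstallTimeAvailable })
        $unknown = @($group.Group | Where-Object { -not $_.InstallTimeAvailable })

        $predicted = 0.0
        $deviation = 0.0
        foreach ($update in $known) {
            $predicted += [double]$update.InstallTimePredictionSeconds
            $deviation += [double]$update.InstallTimeDeviationRangeSeconds
        }

        # Conservative bound: every update lands on the "plus" side of its deviation
        $upperSeconds = ($predicted + $deviation) * (1 + $MarginPercent / 100)

        [pscustomobject]@{
            Computer           = $group.Name
            PredictedMinutes   = [math]::Round($predicted / 60, 1)
            WindowMinutes      = [math]::Ceiling($upperSeconds / 60)
            # No prediction yet: these need a manual estimate before planning
            NoPredictionYet    = @($unknown | ForEach-Object { $_.Title })
            # Candidates for a separate patch group in SCCM
            SeparatePatchGroup = @($known |
                Where-Object { $_.InstallTimePredictionSeconds -gt $LongInstallSeconds } |
                ForEach-Object { $_.Title })
        }
    }
}

# Constructed sample records (titles are placeholders, not real updates)
$sampleUpdates = @(
    [pscustomobject]@{ Computer = 'SRV01'; Title = 'Sample cumulative update'
        InstallTimeAvailable = $true; InstallTimePredictionSeconds = 412.0
        InstallTimeDeviationRangeSeconds = 35.5 }
    [pscustomobject]@{ Computer = 'SRV01'; Title = 'Sample security update A'
        InstallTimeAvailable = $true; InstallTimePredictionSeconds = 18.2
        InstallTimeDeviationRangeSeconds = 0.83 }
    [pscustomobject]@{ Computer = 'SRV01'; Title = 'Sample update released this week'
        InstallTimeAvailable = $false; InstallTimePredictionSeconds = 0
        InstallTimeDeviationRangeSeconds = 0 }
    [pscustomobject]@{ Computer = 'SRV02'; Title = 'Sample security update A'
        InstallTimeAvailable = $true; InstallTimePredictionSeconds = 18.2
        InstallTimeDeviationRangeSeconds = 0.83 }
    [pscustomobject]@{ Computer = 'SRV02'; Title = 'Sample framework update'
        InstallTimeAvailable = $true; InstallTimePredictionSeconds = 95.0
        InstallTimeDeviationRangeSeconds = 12.0 }
)

Get-PatchWindowEstimate -Updates $sampleUpdates | Format-List
```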



This is just a small example of the huge amount of insights you can create with OMS to help you further tune the management of your environment.

OMS: Manage your Linux servers with OMS (step1)

November 3, 2015 at 8:28 pm in OMS by Dieter Wijckmans


Today the OMS agent installation bits for Linux came online in public preview giving OMS the possibility to pull in performance and event data into the OMS workspace from Linux machines.

This is basically the next step to get OMS to monitor your entire environment. It is a clear example of the possibilities of OMS to monitor your entire datacenter not bound by OS or system.

Where do I get it?

Log on to your workspace and go to your overview => settings => connected sources and download the Agent for linux:


How do I install it?

Obviously you will need the access to your Linux machines.

The install docs can be found on github on this url:

In general you just need to run these commands:

$> wget
$> md5sum
$> sudo sh ./omsagent-1.0.0-47 --install -w <YOUR OMS WORKSPACE ID> -s <YOUR OMS WORKSPACE PRIMARY KEY>

What distro’s are supported?

The following distro’s are supported:

  • Amazon Linux 2012.09 –> 2015.09 (x86/x64)
  • CentOS Linux 5,6, and 7 (x86/x64)
  • Oracle Enterprise Linux 5,6, and 7 (x86/x64)
  • Red Hat Enterprise Linux Server 5,6 and 7 (x86/x64)
  • Debian GNU/Linux 6, 7, and 8 (x86/x64)
  • Ubuntu 12.04 LTS, 14.04 LTS, 15.04 (x86/x64)
  • SUSE Linux Enterprise Server 11 and 12 (x86/x64)

More will come pretty soon but the mainstream distro’s are already on there

Can I give feedback?

YES and you are very entitled to do so!

These are the channels to get your feedback / suggestions to Microsoft:

  • UserVoice: Post ideas for new OMS features to work on here
  • Email: scdata@microsoft. Tell us whatever is on your mind
  • Monthly survey: if you are an OMS customer, you know we send out a survey every month asking our customers about the features we’re working on next.
  • Elite Linux customer panel: If you are a die-hard OMS Linux user and want to join our weekly calls and talk directly to the product team apply through this survey.


What can I see in the OMS workspace?


All data will flow in and your events and performance will be uploaded to your OMS instantly.

Expect a more detailed post in a short while. In the meanwhile just try it!

OMS phone app now available on all platforms: First look

October 22, 2015 at 3:03 pm in OMS, operations manager by Dieter Wijckmans


This is one thing I really like about the new strategy of Microsoft: All platforms (I know it’s not the official statement but still)

The OMS app was already available on WindowsPhone platform (in preview) and quite frankly it makes sense to actually develop for your own native platform first.

But today Microsoft has announced the availability of the OMS app across all the different platforms (iOS, Android and Windows Phone).

The install is crystal clear as you are used to through the store.

More info here:

Direct link:

NOTE: Fellow MVP Cameron Fuller has a blog post about the experience on an ipad here:

A first look:

A couple of screenshots of the possibilities and look and feel on iPhone:

First start of the app (really like the look and feel):


Login screen looks very familiar:


Auto switch between corporate or personal


Signed in and your workspaces are detected; it’s indeed possible to switch between the different workspaces:


You have 3 options:

  • Dashboard: Is your personal dashboard which you can change by using the familiar pen icon
  • Overview: The general overview of your environment with all the solutions installed
  • Searches: Launch different searches in your workspace

Starts into your dashboard:




Also possible in landscape :)




Settings tab can be reached by tapping the 3 red dots on the top of the screen.

My wishlist:

  • Push notifications on home screen for predefined scenarios
  • Add new searches in the app to answer specific questions of people calling outside office hours
  • Ability to choose where to start (dashboard or overview)
  • Change order of the solutions in the overview pane


The app is intended as an extension / dashboard for your OMS workspace. It’s not possible to add servers or delete servers from your workspace nor add solutions. This is not a drawback in my opinion as you only want to see things happening in your workspace on the go. This is a first version of course but I had no issues installing and connecting it. I will keep an eye on the data usage on my cell phone plan though just to see how it will affect my usage of mobile data and of course my battery life.

Technet Belux Webinar: 16/10/2015: OMS, What’s it all about…

October 15, 2015 at 12:15 am in LiveMeeting, technet, Webinar by Dieter Wijckmans

It has been a while since I actually did a webinar for Technet Belux but it’s an honor and a privilege to be back on this platform answering one of the biggest questions I get almost every day at clients and at conferences:

“OMS, What’s it all about?”

During this session I’m going over the basics of the new OMS platform so you can be armed to position it in your environment or just have a starting point to start exploring the vast possibilities of OMS.


Expect the answers to the following questions during this session:

  • What can it do for me?
  • Do I need to take a look at it?
  • What can it do to make my life as an ITPRO easier?
  • Is this yet another tool that Microsoft is pushing us to use?
  • Will it replace my good old on prem SCOM solution?
  • ….

All these questions are actual questions I got from the community and clients.

“But hey… my question isn’t on there!”

No worries use the Q&A and get a chance to get yours answered!

So what are you waiting for? Make sure to register today to reserve your virtual seat for Friday 16/10/2015 as they are unlimited!


Register here:

Hopefully see you there!


RECORDING is live and can be found here: