Friday, March 24, 2017

SCOM UNIX/LINUX - Separate action accounts for resource pools

Hello all,

I have been working on implementing a new SCOM 2016 environment with Unix/Linux systems. One of the topics that is clearly lacking in documentation is how to utilize separate action accounts and passwords when deploying and managing systems behind firewalls and gateways.

The post below was first written by Silvana Deac and describes a relevant way to alleviate this trouble.

Hello all,
I observed that this topic is lacking some explanation on how to configure different Run As accounts for each DMZ zone when using Linux/UNIX monitoring. If the targeting is wrong, you will get an error like:

Log Name:      Operations Manager
Source:        Cross Platform Modules
Event ID:      4113
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ComputerName
Description:
The account for the UNIX/Linux Action Run As profile associated with the workflow "Microsoft.Linux.Universal.Computer.Discovery", running for instance "computer.FQDN" with ID {random GUID} is not defined. The workflow has been unloaded. Please associate an account with the profile.
This condition may have occurred because no UNIX/Linux Accounts have been configured for the Run As profile. The UNIX/Linux Run As profile used by this workflow must be configured to associate a Run As account with the target.

The situation: You have multiple UNIX/Linux Run As accounts that should be used with a separate gateway, a separate resource pool or a separate MS. So, for example, you want to monitor DMZ Zone1 using GW1 and account User1. You will define User1 as a UNIX/Linux Run As account with a "more secure" distribution, targeting the resource pool that holds GW1 or GW1 as an object directly.
After this, you will configure the UNIX/Linux profiles (all three) and add User1 targeting the same resource pool.
This will, however, give you error 4113 on GW1.
When looking at the discoveries from the UNIX/Linux core libraries, we have one that targets Microsoft.Unix.ComputerGroup. So targeting objects of type UNIX/Linux will not be enough, since this discovery will fail.

How to solve:
You will configure custom UNIX/Linux groups, which can be dynamic or not, and add the DMZ servers to each of them: group 1, x, x+1 etc…
For the Run As accounts you will still have the distribution for User1 set to the resource pool of GW1, but under Run As profiles you will select, as the target for User1 in each of the 3 UNIX/Linux profiles, the corresponding custom group (Group1).
This way you'll get rid of the 4113 events and monitoring will work.

[SCOM] UNIX/Linux Run As Account settings for multiple DMZ, different resource pools
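The same fix scripted with the OperationsManager PowerShell module, as an added example that is not part of either post; the account name "User1", the pool "DMZ1 Pool", the group "DMZ Group1", the management server name and the three profile display names are assumptions you would replace with your own:

```powershell
# Added example (not from the original post): apply the targeting described above
# with the OperationsManager module, run on a management server.
# Assumed names: Run As account "User1", resource pool "DMZ1 Pool" (holds GW1),
# custom group "DMZ Group1" (holds the DMZ Zone1 servers), MS "ms01.corp.example".
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'ms01.corp.example'

$account = Get-SCOMRunAsAccount -Name 'User1'             # existing UNIX/Linux Run As account
$pool    = Get-SCOMResourcePool  -DisplayName 'DMZ1 Pool' # pool that holds GW1
$group   = Get-SCOMGroup         -DisplayName 'DMZ Group1'

if (-not $account -or -not $pool -or -not $group) {
    throw 'Run As account, resource pool or group not found; check the assumed names.'
}

# 1) Distribution: keep "More secure" and limit it to the pool that holds GW1,
#    so the credential is never pushed to gateways or servers of other zones.
Set-SCOMRunAsDistribution -RunAsAccount $account -MoreSecure -SecureDistribution $pool

# 2) Profile association: target the custom group, not the pool and not the
#    generic UNIX/Linux computer class, so the discovery that targets
#    Microsoft.Unix.ComputerGroup also resolves an account and 4113 stops.
$profileNames = @(
    'UNIX/Linux Action Account',      # assumed display names of the three
    'UNIX/Linux Privileged Account',  # UNIX/Linux Run As profiles
    'UNIX/Linux Maintenance Account'
)
foreach ($name in $profileNames) {
    $runAsProfile = Get-SCOMRunAsProfile -DisplayName $name
    if (-not $runAsProfile) { Write-Warning "Profile '$name' not found"; continue }
    Set-SCOMRunAsProfile -Action Add -Profile $runAsProfile -Account $account -Group $group
}

# 3) Check the result: distribution should list only the DMZ1 pool, and
#    the Operations Manager log on GW1 should stop receiving event 4113.
Get-SCOMRunAsDistribution -RunAsAccount $account |
    Select-Object -ExpandProperty SecureDistribution |
    Select-Object DisplayName
```

Repeat the same account/pool/group trio once per DMZ zone (User2, the pool of GW2, Group2), keeping each credential's distribution restricted to its own pool.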
