This time I wanted to try LINUX monitoring using SCOM 2012. It has been a long time since I used to setup a LINUX system and it took me a short time to remember all the basic commands. Although you don’t need that much shell hacking but it always helps if you know at least a few commands.
This post will have 4 parts:
Part 1 – Setup SUSE LINUX
Part 2 – Configure SCOM 2012
Part 3 – Agent Deployment
Part 4 – Monitoring Application Server
The first and thing is to choose the appropriate distribution. There are several distributions around e.g. Fedora, CentOS, SUSE, RedHat and so on. The problem is, not all are supported by SCOM 2012 and not all are easy to setup.
Here you will find the supported configurations http://technet.microsoft.com/en-us/library/hh212713.aspx .
After a few try and errors installing different LINUX distributions I decided to setup SUSE LINUX 11.1. It is supported by Microsoft and it has a well designed setup wizard. How can you get the distribution? Got to the SUSE homepage and after registration you can download the OS from http://www.suse.com . I downloaded these two files
- SLES-11-SP1-DVD-i586-GM-DVD1.iso
- SLES-11-SP1-DVD-i586-GM-DVD2.iso
I used a Windows 2008 R2 SP1 Hyper-V virtual machine 50GB disk and 2GB RAM. After you downloaded the ISO files mount the first ISO file into your VM “Power on” the machine.
If you want to navigate through the menu dialogs or move your selection around you can use “TAB-Key” and to accept/confirm a selection press “ENTER”.
Part 1 – Setup SUSE LINUX
Choose “Installation”
Change the keyboard layout and agree to the license terms
Select “Start Check” to check your ISO files
Select “New Installation”
Setup your region and time zone
Select “Physical Machine (Also for Fully Virtualized Guests)”
Check all your settings. If you want to change e.g. “Keyboard Layout” use TAB-Key to jump from menu to menu.
Confirm the installation…
And W00H00…the installation starts 
The next step is very important, enter the root password. Root user is the equal to the Windows local administrator. Root has all permissions!
Next enter the hostname for the computer and enter a domain name. This domain name must not be a valid Active Directory domain name. Make sure you deselect “Change Hostname via DHCP” .
The next dialog is also very important. Here I turned off the firewall because it is a LAB environment and I didn’t want to have to many possibilities to fail. Turn on “VNC Remote Administration”! This will give you the possibility to connect remotely to your machine using the VNC client. Verify also the “Network Interfaces” there you should have a virtual Ethernet card and this card should be configured with DHCP.
The next step will verify the internet connection…make sure it is successful.
No I don’t want technical support, updates and so on Select “Configure Later”
Verify your data and hit “Next”
Choose which authentication method you want. I selected “Local /etc/passwd”, this uses the local passwd file to authenticate the user. The setup is equal to a Windows system in a WORKGROUP…I know the LINUX guys will hate me
Next setup a local user, in my case named SCOM
Hit “Next”
Verify the Resolution you want/need and hit “Next”
Now your installation is finished. Congratulation!
Now login using your root account and password
If everything is ok your LINUX desktop will load and you should see something like this
The problem is now you cannot use you mouse or keyboard 
. Microsoft has integration components for that or we just use VNC Viewer to connect to the machine.
You can download the free VNC Viewer here and install it (just the viewer not the server!) on one of your Windows clients.
After the installation start the viewer and enter the IP address of your LINUX machine followed by a :1. Yes right, enter e.g. 192.168.0.115:1 and press o.k.
Now you must login again and voilà you are able to use mouse and keyboard!
Right click “root’s Home” folder and select “Open in Terminal”
Now opens your command shell and you will be able to fool around. To check your network settings type ifconfig (its like ipconfig for Windows) and press enter. If you have a valid IP vor the eth0 adapter the you are ready for the next part.
Next time we will setup SCOM 2012…
Have fun!
Hello Stefan,
Thank you for your great step-by-step guide. I have one question please, the steps here also apply to other Linux distributions too, for example I want to monitor RHEL 5.9 using SCOM 2012 SP1 ?
Greetings.
Hi Bogdan
Yes, this procedure applies to other distributions as well. BUT you must import the correct management packs. This is easy for RedHat distributions, because the names of the MPs correspond to the distribution name. For your convenience here the link where you can find the latest MP’s (it is not easy to find and causes sometimes confusions).
Cheers,
Stefan
Hi Stefan,
Thank you for your feedback, but I cannot see the link for the latest MP’s.
Meanwhile, I successfully follow your steps using MS SCOM 2012 SP1 to monitor SUSE Linux Enterprise Server 11 SP3 but I was a little surprised on the part 3 of the guide during step “3. Discovery wizard”, when I started the discovery process I immediately received a “SUCCESS” status and not a “FAILED” one like yours. 🙂
So in my case it wasn’t necessary to follow step “4. Redeploy certificate”. Works like a charm.
Cheers.
Bogdan.
Hi Bogdan
Sorry, was a bit late yesterday :), here the link http://www.microsoft.com/en-us/download/details.aspx?id=29696 .
There are plenty of cases where the deployment could fail and you get a FAILED status. I am happy to year that yours just worked.
Cheers,
Stefan
Thank you Stefan 🙂
But what if I have my SCOM 2012 SP1 management server in one domain and I want to monitor the Linux RHEL 5.9 which is in another untrusted domain.
I guess that the first step would be to create a separate Resource Pool with the SCOM Gateway server.
Also, do I need to manually import SCOM certificate like you did in step #4. Redeploy certificate ?
Cheers,
Bogdan.
Hi
You need to exchange each others certificate for each server which is in the Linux Resource Pool.
For DMZ servers create a separate Resource Pool and add the Gateway Server.
Cheers,
Stefan
Hi Stefan,
For this particular scenario I follow these steps:
1. I create a separate Resource Pool this time, containing only the SCOM Gateway server;
2. Importing the RedHat MP ( Microsoft.Linux.RedHat.Library.mp and Microsoft.Linux.RHEL.5.mpb);
3. On both the SCOM RMS and SCOM GW servers, I edit the hosts file, adding the name of the RedHat 5.9 linux server. Test ping, works okay.
4. For the accounts created earlier (LowPrivAccount, HighPrivAccount and AgentMainAccount) I also add the SCOM GW on the More secure tab.
5. For the profiles (UNIX/Linux Action Account, UNIX/Linux Agent Maintenance Account and UNIX/Linux Privileged Account) I also add the SCOM GW on the More-secure Run As accounts tab;
6. Create the user “monuser” on the RHEL server;
7. Edit the visudo file using Linux – RHEL elevation script;
Now.. on the Discovery Wizard, RHEL server is discovered correctly but after I hit Manage I receive the following error:
“Agent verification failed. Error detail: The server certificate on the destination computer (RHELinux:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.
The SSL certificate contains a common name (CN) that does not match the hostname.”
Of course I follow your advise copying the certificate from RHEL to the SCOM RMS server, sign it with scxcertconfig.exe tool and re-copied back again on RHEL, restart the SCX CIM server with the command scxadmin -restart, but it FAILS again.
My question is, for the SCOM GW servers, do I need to re-sign the certificate using the scxcertconfig.exe tool from the SCOM Gateway instead of RMS ?
Hi
Well, you have few Problems:
1) As I understand your GW is in a separate RP and which you use for monitoring the DMZ XPlat systems. Because this GW is the ONLY Server in the pool you don’t need to exchange any certificates. It is only necessary if the Linux agent is reporting to two or more management / GW Servers in the SAME pool, because each one could sign the certificate when deploying the agent and therefore if one fails the other must have the proper key.
2) Your “Agent verification failed” error is because your hostname of the server does not match the DNS name. You have two choices, either modify the Linux host name or use this procedure http://stefanroth.net/2014/02/03/scom-linux-agent-deployment-signed-certificate-verification-operation-was-not-successful/
Cheers,
Stefan
Hi Stefan,
Thank you for your advise, what a learning experience 🙂
From the Linux server I run the command “/opt/microsoft/scx/bin/tools/scxsslconfig –h server01 –d domain.com -f –v” and “/opt/microsoft/scx/bin/tools/scxadmin –restart”.
From the SCOM server I re-run the Discovery wizard and it works, the status was successful indeed 🙂
But..the Linux agent is grey out and I immediately receive an “Access Denied Error – The Run As account does not exist on the UNIX/Linux Server”. Error Message “WSManFault – Access is denied”.
Regards.
I am trying to install the SCOM agent on a sles 12 system, and am running into an issue. I followed all of the instructions in http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx, down through setting up the profiles, but when I get to the step to discover the sles system, specifying the resource pool set up in the instructions, I get message: “Data at the root level is invalid. Line 2, Position 1”. I was going to try installing the scom client software on the sles12 system, but can’t find a way to get the rpms needed to do this. Do you have any advice for this situation?
Thanks very much…Vicki