ServiceNow – SCOM Connector – Setup

Part 1: ServiceNow – SCOM Connector Overview
Part 2: SCOM Connector Setup

This is the second part of my series about the ServiceNow SCOM Connector.

The ServiceNow SCOM Connector supports different versions of SCOM. Since the ServiceNow Jakarta version also SCOM 2016 is supported. SCOM 1801 is not supported yet.

Steps to perform:

  1. Activate Plug-In
  2. Create SCOM Service Account User
  3. Install/Configure MID Server
  4. Create ServiceNow Credential
  5. Configure SCOM Connector

Step1: Activate Plug-In

ServiceNow has an Event Management Application, which is part of IT Operations Management (incl. Discovery, Service Mapping and Orchestration) and needs to be licensed separately. Because of this the plug-in needs to be activated by Hi-Support.

Step2: Create SCOM Service Account User

Before you can start to configure the SCOM connector in ServiceNow, you need to create a service account in Active Directory, which has Operator permissions in SCOM, if you want to use the bi-directional connection. With that ServiceNow is able to close alerts, if the incident/alert is closed in ServiceNow and also write the incident number into the Ticket ID field. Alerts will be transferred depending on the assigned SCOM scope – that is the only option to filter. The Active Directory service account also needs Admin permissions on the used MID Server. To be able to use the service account with the SCOM connector in ServiceNow, you need to add the user as a credential in ServiceNow.

 

Step3: Install/Configure MID Server

To connect your on-prem SCOM instance you need to install a ServiceNow MID Server. This server is really a service running on a Linux or Windows machine in your network. You can even install multiple MID Server instances on one machine. Here are some requirements for the MID Server, which are important. Attention: the MID Server computer needs to be able to connect to your ServiceNow instance through port 443 before you run the setup!

Download the MID Server install files from your ServiceNow instance MID Server > Downloads.
Extract the file to a folder on you Windows MID Server (like C:\ServiceNow\Dev1).
Run the C:\ServiceNow\Dev1\agent\installer.bat and follow the instructions.
After installation, you need to validate the MID Server in your ServiceNow instance MID Server > Servers.

If you already have a running MID Server, then you can use that. You cannot use an existing MID Server, if it already connects to SCCM through the SCCM Connector or another connector, which needs to run the MID Server service with its own service account.

The MID Server, which connects to your SCOM instance needs some additional files, which provide SCOM commands.

Upload those to your ServiceNow instance through MID Servers > Jar Files.

See step 1-4 in this config document.

Step4: Create ServiceNow Credential

To add the credential in ServiceNow, login to your ServiceNow instance with admin permissions. Go to Discovery > Credentials. Click New.
Give the account a name and enter the user id (with domain name i.e. domain\username) and the password. If you already have a running MID Server then you even can specify this MID Server here. Click Save.
Only deploy the credential to those MID Servers, who need it (security constraint).

After creating this ServiceNow credential you need to change the MID Server service to run with the SCOM service account.

Step5: Configure SCOM Connector

Go back to your ServiceNow instance (logged in with Admin permissions).
Browse to Event Management > Event Connectors (Pull) > Connector Instances.

Click New.

SCOMInstance

Give it a Name.
Select the Connector definition: SCOM.
Enter the Host IP: IP address of the Management Server or Management Server NLB to connect to.
Select Bi-directional, if required.
Select the MID Server, which has the SCOM service account configured to run the ServiceNow MID Server service.

Click Save.

Now the Connector Instance Values appear and can be adjusted.

SCOMInstanceValues

For all SCOM versions higher than 2012 you need to select scom version = 2012.
Additionally you need to check the date format, if it differs to these defaults.

Then click Test Connector.

If the test was successful, then you should see the first events flowing in within 5 min.

The next part of the series will be Event Rules.

 

 

 

 

 

 

Advertisements

ServiceNow – SCOM Connector – Overview

This is the first part of a series about ServiceNow Event Management with the SCOM Connector.

Part 2: SCOM Connector Setup

System Center Operations Manager is a great monitoring tool, but when you start to think about ITIL Event Management, then you realize that the second level event correlation is missing and the automatic integration into other ITIL processes like Incident, Request Fulfillment etc.

You probably think, but there is Service Manager, the ITSM tool from Microsoft, which can be integrated also with SCOM. Yes, but it only only has the direct event to ticket link and no additional event correlation.  Also you need a workflow engine like Orchestrator, SMA or Azure Automation to create the references, etc. A lot more separated components, which also need to be maintained.

ServiceNow is a cloud hosted service and one of the leaders in the ITSM area. It has an integrated workflow engine and the intention here is that you only need one console (ServiceNow).

Background

The Event Management application is part of the IT Operations Management area, which also covers CMDB Discovery, Service Mapping and Orchestration. With the Event Management application you connect one or more monitoring sources, which could also be emails sent to your ServiceNow instance, and create ServiceNow events out of it.

The SCOM Connector is only one option to connect external sources to the ServiceNow Event Management application. The SCOM connector takes the SCOM alerts and creates ServiceNow events out of them. The identifier is the SCOM Alert ID. With that it also can later identify which alert to close (bi-directional integration).

EventManagement Overview

You can see in the picture that ServiceNow takes the events and creates alerts out of them. The beauty of the alert is that it has a relation already to the Configuration Item, which is affected by this alert (Requirement: a filled and maintained CMDB).

ServiceNow has event rules to handle the incoming events:

  • Event rules can:
    • determine which events can be ignored
    • transform data from the events into fields from the alert
    • define how to map the correct Configuration Item for each alert

On top of the alerts there are multiple things that can happen:

1. Alert deduplication

Alerts with the same message key, will be correlated to one alert. This is really deduplication.

SCOM alerts have the SCOM Alert ID in the Message Key field of the ServiceNow alert. ServiceNow can automatically deduplicate (multiple events : one alert) on the same Message Key or the same Metric Name. The Message Key does not work or SCOM alerts, but the Metric Name works. If the events do not deduplicate correct to one alert, then check, if the Metric Name is filled. If not, then you can manipulate the Metric Name through an event rule (I would recommend to override it with the MonitoringObjectFullName).

2. Correlation through alert correlation rules

ServiceNow already tries to find alerts, which belong together based on machine learning, but you can create your own correlation rules. The correlation rule always defines, which one is the first alert, and which the second. Then you define what the relationship type is and in which timeframe the alerts should be correlated.

3. Alert flapping detection

Alert flapping detection is a general setting for all alerts, there are no rules, which can be defined. You configure the interval, frequency, quite interval and the minimum time in seconds to wait before an alert gets updated.

4. Alert action rules

With alert actions you can define if i.e. incidents should be created automatically for defined alerts. You can also link knowledge articles automatically or define recovery actions (this requires Orchestration).

I mentioned Configuration Items already, which shows that Event Management has a strong relation to Configuration Management and the CMDB. In order to leverage the full capabilities of Event Management, you will need to have a vital CMDB (minimum have all objects in your CMDB which you monitor in SCOM plus adding them to services => you will see why in the next section)

What do I get, when I connect SCOM to ServiceNow?

  1. One central alert console for all monitoring sources
    EventManagement AlertConsole
  2. ITIL automation
    – Central Knowledge repository
    – Automatic Incident creation and alert closure, when incident is closed (only with bi-directional integration checked)
  3. Service Dashboards
    EventManagement Dashboard
    You can define the services you have in your company. Through the relation between the alert and the CI you can see the affected services, where the CI belongs to.
    This dashboard only shows alerts, which are affecting the displayed services!
    EventManagement ServiceMap
    By double clicking one service, you get into the service map view
  4. Central Metric Dashboards, which visualizes the performance data, collected in SCOM (only available with Metric Collection, which needs to be licensed separately)

What is missing?

Alerts which are set into maintenance mode in SCOM are still transferred to ServiceNow, but they do not bring over the field “MonitoringObjectInMaintenanceMode”, therefore you cannot identify them.
I raised this problem with the Event Management product group and hope that they will fix that soon.

Important Notice
Do not try to use ServiceNow to improve your bad monitoring config! Try to avoid alerts in your SCOM environment and give the correct severity there.