Before you ever considered a career in network administration, there was someone who helped keep you organised—your mother. Good old mom helped you keep your room clean, your teeth brushed, your belly full, and your homework away from the dog. Now that you’re all grown up, you’re in charge of the cooking and cleaning, as well as enterprise management projects that make you long for the days of Intro to Calculus. If only there were someone as helpful and efficient as mom to help you with your network chores.
Fortunately, there is—MOM. MOM is Microsoft Operations Manager, a set of Microsoft tools that provide enterprise-wide monitoring and management of users, servers, applications, and workstations. In this Daily Drill Down, I’ll take you home to meet MOM.
Hi, MOM!
As the number of systems and users grows in an organisation, management overhead seems to grow exponentially along with it. You have to keep track of users, manage servers, monitor performance, and stay on top of all the other tasks that keep your IT infrastructure running smoothly (or sometimes, just running). It can be overwhelming or impossible to do everything well without a good set of management tools. Operations management tools enable you to collect events and other information to keep tabs on performance and availability of systems and applications across the enterprise.
For example, if one of your SQL servers is having a problem, a good operations management package can alert you to that fact and direct the warning to the appropriate person or group to handle it. But a full-featured operations management tool does a lot more than just warn you when events occur.
Event collection and notification are key components of operations management, but it’s also important for an operations management system to monitor system performance and security, and to provide reporting and analysis of all the data that will rapidly begin to pile up in your management database.
Many organisations have turned to solutions such as CA Unicenter, HP OpenView, and the many applications from NetIQ that provide monitoring, reporting, and other administrative functions for enterprise-wide management. If you have used NetIQ’s Operations Manager, MOM should be very familiar. When developing MOM, Microsoft licensed Operations Manager from NetIQ and tailored it to Microsoft’s operating systems and server applications. Microsoft chose NetIQ based on experience—Microsoft has been using NetIQ Operations Manager to manage its internal network for several years.
MOM provides several features to help you monitor and manage systems across the enterprise. First and perhaps foremost, it monitors a system’s operational state by monitoring the events generated on the system and recording those events to a centralised database. It collects events from the monitored system’s Application, System, Security, DNS Server, File Replication, and Directory Service event logs. MOM can also collect events from server applications and services.
MOM also can collect data from specific application log events, such as Internet Information Services, Internet Locator Service, SQL Server, and generic text-based logs. It can collect data from UNIX syslog files, turn that data into events for monitoring and processing, and place those events into the database along with the events generated by Windows-based systems and applications.
MOM provides other mechanisms for generating events. You can configure rules to create missing events, which are events that you expect to take place at a specific, scheduled time but do not. You can also have MOM create timed events, which are events that it creates itself at specified times. For example, you might want MOM to generate an event at 1:00 A.M. every day to trigger a particular script or other action related to backup, monitoring, and so on.
In addition to collecting and monitoring events generated by Windows-based servers and the other methods I’ve described, MOM receives SNMP traps from any SNMP-capable device. You might use SNMP to obtain data from servers or workstations, but you can also accept data from routers, managed switches, or other devices that support SNMP. This opens the door for MOM to collect data from essentially any computer regardless of its operating system, as long as the computer supports SNMP and is configured to send traps to MOM.
In addition to collecting data from events and SNMP traps, MOM can collect performance data to help you monitor and manage availability and other performance-related issues. MOM collects data from Windows 2000 (or later) performance counters and through Windows Management Instrumentation (WMI). For example, you might monitor disk space on a SQL server or file server, configuring MOM to generate an alert when the capacity drops below a specified point.
Event and data processing
Gathering all this information from the enterprise would be pointless if you couldn’t do something useful with it. MOM lets you do just that. I’ll go into more depth on MOM’s architecture and components in an upcoming article. For now, I’ll offer an overview of how the components process data and pass it up the food chain for processing.
Agents collect the data at the node level and pass that information to consolidators, which further process the information. At both levels, rules determine the action taken for a given event. The consolidators also act as agents for the computers on which they are installed. At both levels, the event might result in a script or batch file being executed or an SNMP trap being generated. A consolidator might also generate a notification by e-mail or pager and/or forward an alert up the chain for further processing.
At the next level are Data Access Servers (DAS), which serve as intermediaries between consolidators and the central server, where the database resides. DAS control the data coming to and from the database, controlling access, performing queries, caching data, and managing pooled database connections. DAS also service communications going to the consolidators, such as updated processing rules that need to be distributed to agents.
The central server hosts the SQL database and consoles that you use to manage MOM. The product includes an MMC console and a Web console that runs under IIS and provides Web-based access to the database. The administrator console provides full configuration and monitoring, while the Web console provides only monitoring—it doesn’t give you the ability to configure MOM or define rules.
Without a means to filter and preprocess the data coming from your managed systems, you and the database would quickly be overwhelmed with information. MOM uses event-processing rules to process incoming data at multiple levels. For example, the agents process events using rules, as do consolidators. Event-processing rules that MOM uses include:
- Alert-processing rules: Alert-processing rules let you determine how alerts are handled. You might need to take a specific action when an alert occurs for a specific event. Alert-processing rules let you control who receives alerts. You can direct an alert or notification to a particular individual or group for specific events.
- Collection rules: Collection rules determine what data is collected from a given source. They don’t generate their own alerts or provide any kind of response action.
- Missing event rules: Missing event rules determine how and when MOM generates alerts or performs actions when a scheduled/expected event is missed.
- Consolidation rules: Consolidation rules enable an agent to consolidate multiple similar events into a single summary event.
- Event rules: Event rules are tied to a specific event and determine the action (alert or task response) MOM should take when the event occurs.
- Filtering rules: Filtering rules enable you to specify which events are stored and which are ignored—some events are trivial and have no impact on performance or management and should therefore be excluded from the database or further actions.
- Performance-processing rules: To support performance monitoring, MOM provides performance-processing rules.
- Measuring rules: Measuring rules determine how MOM retrieves performance data through WMI. The results are stored in the database for viewing, and you can specify that a measuring rule generate a response action.
- Threshold rules: Threshold rules let MOM generate an alert when a WMI-collected counter value passes a threshold that you’ve set for the value in the rule. The threshold rule can generate a response action, but the threshold data—unlike the counter data—is not stored in the database.
There are lots of ways to control collection, event generation, and other aspects of the collection and response features in MOM, which I’ll cover in another article. At this point, understand that you have considerable control over the types of events that are generated, how those events are processed, and the action taken when a given event occurs, including who gets notified and how alerts are generated and forwarded.
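The rule types listed above, sketched as one processing pass over a batch of events and counter samples. This is an added example, not code from MOM or from the original article; the rule tables, event IDs, host names and routing targets are assumptions, and the missing event rule is simplified to "expected but not seen in this batch" rather than a schedule.

```python
from collections import Counter

# Rule tables. Event IDs, hosts and routing targets are illustrative assumptions.
FILTER = {("System", 7036)}                               # filtering rule: ignore
CONSOLIDATE = {("Security", 529)}                         # consolidation rule: summarise
EVENT_RULES = {("Security", 529): (3, "security-team")}   # alert at >= 3 occurrences
EXPECTED = [("Application", 9001, "backup-team")]         # missing event rule
THRESHOLDS = {"free_disk_pct": (10.0, "storage-team")}    # alert when value < limit

def process(events, samples):
    """Return (stored_events, stored_samples, alerts) for one batch."""
    kept = [e for e in events if (e["log"], e["id"]) not in FILTER]
    stored, summary = [], Counter()
    for e in kept:
        key = (e["host"], e["log"], e["id"])
        if key[1:] in CONSOLIDATE:
            summary[key] += 1              # count instead of storing each event
        else:
            stored.append({**e, "count": 1})
    for (host, log, eid), n in summary.items():
        stored.append({"host": host, "log": log, "id": eid, "count": n})
    alerts = []
    for ev in stored:                      # event rules, routed to an owner
        rule = EVENT_RULES.get((ev["log"], ev["id"]))
        if rule and ev["count"] >= rule[0]:
            alerts.append((rule[1], f"{ev['id']} x{ev['count']} on {ev['host']}"))
    seen = {(e["log"], e["id"]) for e in kept}
    for log, eid, owner in EXPECTED:       # missing event: expected, not seen
        if (log, eid) not in seen:
            alerts.append((owner, f"expected event {eid} missing"))
    for s in samples:                      # threshold rule: alert only
        limit, owner = THRESHOLDS.get(s["counter"], (None, None))
        if limit is not None and s["value"] < limit:
            alerts.append((owner, f"{s['counter']}={s['value']} on {s['host']}"))
    # Counter samples are stored; threshold crossings themselves are not.
    return stored, list(samples), alerts

# Constructed sample input (not real MOM data).
EVENTS = [{"host": "sql01", "log": "Security", "id": 529}] * 4 + [
    {"host": "sql01", "log": "System", "id": 7036},
    {"host": "web01", "log": "System", "id": 6005},
]
SAMPLES = [{"host": "sql01", "counter": "free_disk_pct", "value": 7.5},
           {"host": "web01", "counter": "free_disk_pct", "value": 42.0}]

if __name__ == "__main__":
    for owner, text in process(EVENTS, SAMPLES)[2]:
        print(f"{owner}: {text}")
```

Six raw events become two stored records and three routed alerts, which is the reduction the filtering and consolidation rules exist to provide.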









