SCOM 2012–Create Agent Maintenance Account to support SSH Key

December 31, 2012 Leave a comment

So I guess my last post for 2012, I am working on setting up monitoring of some Linux servers using SCOM 2012 SP1. One of the requirements is to setup a account for Agent Maintenance. I am going to explain how I setup the Ubuntu server to accept a user account and support a SSH as authentication. And hopefully at the end we will have a account that will work with SCOM 2012.

I am using Ubuntu version 12.04 LTE, I have deployed a standard server that is ready for me to logon with my default account I created on install.

Operations Manager contains three predefined profiles to use in monitoring UNIX and Linux computers and performing agent maintenance:

image_thumb43

The Linux Action Account is used for basic health and performance monitoring, the Linux Privileged account is used for monitoring protected resources and actions that require higher privileges and the Linux agent account is used for agent maintenance operations.

I am using Ubuntu version 12.04.1 LTS, I have deployed a standard server that is ready for me to logon with my default account I created on install.

Logon to the Server using your favourite method, I am using Virtual Machine manager 2012 console.

SNAGHTML95778c_thumb1

Create a user:

sudo adduser <username">

Follow the instructions to create a standard user account.

SNAGHTML88b07e

Next we need to configure sudo elevation for the user account we just created.

Use the vusudo program to edit the sudo configuration.

sudo visudo

Find the section root ALL=(ALL:ALL) ALL

Insert under it the same but replace root with the username you just created and add “NO PASSWRD: ALL

eg

<Username> ALL=ALL:ALL) NOPASSWD: ALL

SNAGHTMLca4c73

This is allow the user account to sudo without supplying a password which is a requirement of SCOM monitoring.

Next we need to create some authentication keys.

1.Download yourself a copy of Putty Generator and open it.

2.Select Generate and move the mouse around the blank area at the top until it has generated you a set of keys.

The text displayed at the top is the public key.

3.Copy and past that into notepad (we will need this later) but exclude the last part (rsa-key-20121229)

4.Type in a passphrase in the two available boxes

5.Select “Save Private Key” and save it to a safe place.

 

image

 

You have now generated a set of keys made up of a public and private key, the private key is protected with a Passphrase, the next step is to configure the server with this.

1.Logon to the server with the user account we created above using Putty.

2. Create a folder and file

mkdir /home/scom-agentacct/.ssh

nano /home/scom-agentacct/.ssh/authorized_keys

3. Paste in the public key you created using Putty Generator and save the file.

Next we need to set the permissions on the new folder and the file.

1. Specify exclusive owner access to the directory

cd /home/<username>

chmod 700 .ssh

2. navigate to .ssh directory

3 Give the user read and write permissions to the authorized keys file:

chmod 600 authorized_keys

 

Ones this has been completed, go back to the SCOM Console and update the Run AS accounts and the Profile and test… Smile

Categories: SCOM, System Center, Ubuntu Tags: ,

SCOM 2012–Create Linux Privileged User Account.

December 31, 2012 Leave a comment

So I guess one of my last posts for 2012, I am working on setting up monitoring of some Linux servers using SCOM 2012 SP1. One of the requirements is to setup a account monitoring that will be allowed to elevate it’s permissions. I am going to explain how I setup the Ubuntu server for this monitoring account

Operations Manager contains three predefined profiles to use in monitoring UNIX and Linux computers and performing agent maintenance:

image_thumb43

The Linux Action Account is used for basic health and performance monitoring, the Linux Privileged account is used for monitoring protected resources and actions that require higher privileges and the Linux agent account is used for agent maintenance operations.

 

I am using Ubuntu version 12.04.1 LTS, I have deployed a standard server that is ready for me to logon with my default account I created on install.

Logon to the Server using your favourite method, I am using Virtual Machine manager 2012 console.

SNAGHTML95778c_thumb1

Create a user:

sudo adduser <username">

Follow the instructions to create a standard user account.

SNAGHTML88b07e

 

Next we need to configure sudo elevation for the user account we just created.

Use the vusudo program to edit the sudo configuration.

sudo visudo

Find the section root ALL=(ALL:ALL) ALL

Insert under it the same but replace root with the username you just created and add “NO PASSWRD: ALL

eg

<Username> ALL=ALL:ALL) NOPASSWD: ALL

 

SNAGHTMLca4c73

This is allow the user account to sudo without supplying a password which is a requirement of SCOM monitoring.

 

Once that is complete, pop back into the SCOM Console, create a Run As account for this monitoring account as per the previous article, and update the profile, ensure on the Run As wizard you select “Elevate this account using sudo for privileged access” and you correctly set the distribution.

 

SNAGHTMLcdba61

 

image

 

Useful Articles:

http://technet.microsoft.com/en-us/library/hh230690.aspx

http://technet.microsoft.com/en-us/library/hh212926.aspx

http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx

In the next article, I will be creating an account to be used for agent maintenance and enabling public, private key logon.

Categories: SCOM, System Center, Ubuntu Tags: ,

SCOM 2012–Create Linux Unprivileged User Account.

December 31, 2012 Leave a comment

So I guess one of my last posts for 2012, I am working on setting up monitoring of some Linux servers using SCOM 2012 SP1. One of the requirements is to setup a account monitoring. I am going to explain how I setup the Ubuntu server for this monitoring account

Operations Manager contains three predefined profiles to use in monitoring UNIX and Linux computers and performing agent maintenance:

image

The Linux Action Account is used for basic health and performance monitoring, the Linux Privileged account is used for monitoring protected resources and actions that require higher privileges and the Linux agent account is used for agent maintenance operations.

 

I am using Ubuntu version 12.04.1 LTS, I have deployed a standard server that is ready for me to logon with my default account I created on install.

Logon to the Server using your favourite method, I am using Virtual Machine manager 2012 console.

SNAGHTML95778c

Create a user:

sudo adduser <username">

Follow the instructions to create a standard user account.

SNAGHTML88b07e

 

Once the user account has been created on the Ubuntu server you can the goto the SCOM Console and start the “Create Run As Account” wizard found under the Administration tab under Run As Configuration\Unix/Linux Accounts.

Follow the wizard ensuring you select Do not use elevation with this account, you have distributed these RunAs accounts to all the management servers that will be monitoring your servers and then save it.

 

SNAGHTML8c627a

 

SNAGHTML8ce48a

Once the Run As profile has been setup you then need to update the Unix/Linux Action Account profile, found on the Administration tab under Run As Configuration\Profiles with the newly created account.

 

image

 

image

And that’s it for this bit, once you have an agent deployed this is all you will need for basic monitoring.

The next blog post will cover setting up the privileged monitoring account and a third blog post will cover the setting up of the agent maintenance account so we can actually discover these machines Smile

 

Links of use during my journey of discovery:

http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx

http://technet.microsoft.com/en-us/library/hh476947.aspx

Categories: SCOM, System Center, Ubuntu Tags: ,

HP P4000 Version 10 Software available

November 29, 2012 Leave a comment

HP P4000 Version 10 Software available now on HP’s website, I think I may have a few busy days ahead, it comes with Windows Server 2012 support and improved performance (apparently) I have not seen an mention of Microsoft System Centre integration though which I was expecting.

 

Go get it here: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=StoreVirtualSW

Categories: Uncategorized

Ubuntu – Unable to locate package vlan

October 17, 2012 Leave a comment

Whilst building some Ubuntu servers today I ran into a minor issue which I thought I might share.

I was deploying to Ubuntu 12.04 servers onto some blade servers, the networking infrastructure requires I setup vlans on the servers in order for them to work. The first thing I need to do was install the vlan package but running the command sudo apt-get install vlan but when I ran this I got an error

 

Unable to locate package

 

SNAGHTML1ab1ee92

 

Got me thinking for a while, I tested I could ping and resolve externally and finally remembered that during install the server did not have internet connectivity and may not have updated it’s repository. A quick search on the internet suggested I run the below command:

sudo apt-get update

Which I did and re-ran the command to install the vlan package again and hey presto it installs.

SNAGHTML1ab094a0

Categories: Ubuntu Tags:

MMS Dates Announced

October 9, 2012 Leave a comment

MMS Dates announced will you be going?

 

April 8-12 2013

http://www.mms-2012.com/headlines/details/34ddda43-7b11-e211-84a1-001ec953730b

Categories: Uncategorized

Access Denied Setting System Center ACS Filter

September 26, 2012 Leave a comment

So today I was fine tuning my Microsoft System Center 2012 Audit Collection Services by setting a filter that would reduce the amount of noise the system generates. I need to keep this data for a few years so it can build up quite considerable.

So the Query I am testing at the moment is:

AdtAdmin.exe /setquery /query:"SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841) OR EventId=538 OR EventId=672 OR EventId=680 OR EventId=571 OR (EventId=624 And TargetUser LIKE ‘%$%’) OR (EventId=627 AND HeaderUser=’System’ AND ClientUser like ‘%$%’ And TargetUser = ‘TsInternetUser’) OR ((EventId = 538 or EventId = 540) AND (String01 = ’3′) AND HeaderUser like ‘%$%’) OR ((EventId > 671 and EventId < 678) and ClientUser LIKE ‘%$%’) OR ((HEADERUSER LIKE ‘%ADM_%’ OR HEADERUSER LIKE ‘%SYS_%’) AND (EventID = 528 OR EventID = 540 OR EventID = 680)))"

I navigated to c:\Windows\System32\Security\Adtserver in a elevated command prompt and ran the query and it errored with Access Denied…..

image

I was lucky as I have a working ACS Collector already on the network and I am migrating to a new one. After a bit of digging around I noticed that the permissions on the below registry Key are not set correctly. The Network Service as you can see from the below images needs Allow permissions to “Set Value”.

HKLM\SYSTEM\CurrentControlSet\services\AdtServer\Parameters\

Entry:

DbQueueQuery

Permissions on non-working server

 

image

Permissions on working Server

image

 

So to fix, just add the permission for the Network Service to Allow “Set Value” close the GUI and registry editor and try again.

Categories: SCOM, System Center
Follow

Get every new post delivered to your Inbox.