The VMware Management Pack forwards active alarms from vCenter to SCOM. The VMware Management Pack allows you to control what vCenter alarms are forwarded to SCOM.
There are two places where the the forwarding of vCeneter alarms can be controlled. The first place is the the "Monitor VCenter for new Alerts" rule VMware Management Pack, and the second is through setting a filter on the VMware Management Pack collector.
The SCOM rule "Monitor VCenter for new Alerts" in the VMware Management Pack is used to collect alarms from vCenter. When a vCenter alarm is detected in vCenter the "Monitor VCenter for new Alerts" rule will generate a identical alert in SCOM with a prefix of the format "VC Alert: xxxxx".
By default the "Monitor VCenter for new Alerts" rule checks for new alarms in vCenter every 5 minutes (300 seconds) and uses a bookmark for every vCenter alarm it forwards to SCOM. There are a number of other parameters which you can also override for the "Monitor VCenter for new Alerts" rule, but in this article we will only concentrate on the "UseBookMark" parameter.
Changing the behavior of the "UseBookMark" Parameter
- Setting the "UseBookMark" to False
By setting the "UseBookMark" parameter to False, all alarms in vCenter in a active state (see image below) will be forwarded to SCOM in ever polling cycle.
The result of not using a bookmark (UseBookMark is set to false) is that all active alerts will be forwarded to SCOM, causing an increase of the repeat count on the SCOM alert. If the SCOM alert is closed, and the vCenter alarm is still in an active state, a new alert will be created in SCOM. Moreover, when not using a bookmark (UseBookMark is set to false) a SCOM alert will be generated for each corresponding vCenter alarm as long as the vCenter operator hasn’t performed an acknowledged or 'Reset to Green' on the vCeneter alarm.
- Setting the "UseBookMark" to True
By setting the "UseBookMark" parameter to True, a vCenter alarm will only be forwarded to SCOM when it is new and has not yet been forwarded to SCOM. The behavior associated with this setting results in that when you close an alert in scom, the corresponding alarm in vCenter it will not be forwarded to SCOM again regardless of what state the vCenter alarm is in.
It could be that you would like to prevent particular vCenter alarms from being forwarded to SCOM. As a rule of thumb we advise to tune the alarm generation in vCenter so that you only receive the alarms that are relevant to you. If you cannot tune the alarms in vCenter, the VMware Management Pack allows you to filter out vCenter alarmsso that they are not forward to SCOM.The VMware Management Pack filters alarms by means of an alarm "black list", to filter using the blacklist:
- Create a csv file named AlarmFilter.csv (the file must have this specific name and extension).
- Open the AlarmFilter.csv and add four columns; AlarmName, EntityType, EntityDisplayName and OverallStatus. Add a new row and add a regex expression to filter out the alarm as shown in the table below.
AlarmName The alarm display name used in vCenter vCenter EntityType The entity type, for example: ComputeResource, Datacenter, Datastore, DistributedVirtualSwitch, Folder, HostSystem, Network, ResourcePool, VirtualMachine EntityDisplayName The display name of the Entity for example HostABC, WindowsServerPROD10 OverallStatus The status of the alarm, for example yellow or red. Multiple can be configured by regex, so for example to exclude yellow and red use the expression: (yellow|red)
- You do not need to enter an expression in every column of the row, if the column is left empty it will be ignored.
- Save the AlarmFilter.csv file to "C:\Program Files\Opslogix\OpsLogix VMware Collector\AlarmFilter\AlarmFilter.csv" on ALL SCOM Management Servers running the VMware Management Pack work load.
- Restart the OpsLogix VMware Collector NT Service
Examples of creating filters are shown below:
Example 1 - Filter all alerts from a hostsystem with severity yellow: Line 1 in the csv shown above.
Example 2 - Filter only alerts with name ‘Host Memory usage’ from a hostsystem with any severity: Line 2 in the csv shown above.
Example 3 - Filter only alerts starting with ‘Virtual Machine’ from an any entity type with only severity yellow or red: Line 3 in the csv shown above
Remember you can use regex for all columns.