Incoming E-Mails Addon

This Management Pack enriches SCOM with an E-Mail interface. Alerts can be created either by a generic rule or via a monitor that reacts on your custom filter pattern.
Read More...

Initial setup

The following steps on any with SCOM agent monitored Windows Server 2012 or higher are required.:

Install and configure SMTP service
Set registry keys
Import the Management Pack
Create an override Management Pack
Optional:
- Add mail-match-pattern in XML configuration file for monitors
- Configure mail routing to receive alert E-Mails via e-mail address

Install and configure SMTP service

To receive e-Mails the SMTP service needs to be installed and configured.

Open the Server Manager, choose … and adding IIS and IIS6 Management Tools

Next, adding SMTP Server and IIS ODBC Logging features

After installation, a restart may be required.

After installing, the SMTP service the listing IP address and the relay restrictions to the own IP addresses, localhost and your internal mail-servers (e.g. Exchange hub transport).

Specify listing IP address in IIS6 MMC

Restricting SMTP Service Relay restrictions to all which need to connect via SMTP

Set registry keys

Registry keys store basic information about the SMTP service. For convenience, paste the text in the yellow box into notepad and safe it as smtpmp.reg.:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ABCIT\SCOMAddonsMailIn]

"XMLConfigFilePath"="C:\\Temp\\scom.Addons.MailIn.MonitorItemList.xml"
"EmlDirectory"="C:\\inetpub\\mailroot\\Drop"
"EmlArchive"="C:\\Temp\\MailArchive"
"NoOfLinesFromTop"="100"

XMLConfigFilePath:

Location of the XML file which holds information about the custom-mailmonitor-patterns.

EmlDirectory:

Path in which the SMTP service stores the emails. The value is the yellow box is the default location.

EmlArchive:

Storage folder for emails that have been already process by SCOM. – A rule will take care for automatic deletion of old files.

NoOfLinesFromTop:

Specifies how many lines of the email body are read by SCOM.

Double click the smtpmp.reg file and confirm the import of the settings:

After importing the settings in the registry will look as follows:

Import the Management Pack

In the SCOM Console, choose the Administration section, choose Management Packs and click on Import Management Packs.

Add the SCOM.Addons.MailIn.mpb file from your downloads folder and import it.

Proceed the wizard by confirming defaults.

Create an override Management Pack

Still in Administration, Management Packs, click on Create and name it SCOM.Addons.MailIn.Overrides to store customizations.

Follow the wizard by confirming defaults.

Configure mail-match-patterns in XML file for explicit monitors

Create a file named SCOM.Addons.MailIn.MonitorItemList.xml and store in C:\Temp for example and configure desired mail matching patterns.

A part of the text is enough for the match pattern. – E.g.:

Original subject: NYHKFW01 
_IP:_10.25.10.21_changed_state_to_Down_on_Saturday,_May_9,_2020 
Match pattern in XML: changed_state_to_Down 
Original MailFrom: "[email protected]"_<[email protected]>  
Match pattern in XML: [email protected]

The patterns are used to created objects and monitors will then be triggered if an email, that matches the description arrives.

At least 2 items must match to let SCOM create the object (MailMonitor Item).

The logic will try to match any specified information.

More values are specified in the XML will reflect in more concrete objects and matching Less values will make the matching not so accurate so to react more flexible on alerts, e.g. need to have for any message that was send by the air-condition system.

In regards of the minimum of 2 items match that means for example:

Mail-From & Mail-Subject matches
Mail-SourceServer & Mail-Subject matches
Mail-From & Mail-Subject & Mail-SourceServer matches

The XML file could look like this:

<MailInMonitorList>    
    <MailMonitorItem>
        <UniqueTitle>P360 APM Issue</UniqueTitle>
        <Description>Application errors in TEST system</Description>
        <MailFrom>[email protected]</MailFrom>
        <MailSubject></MailSubject>
        <MailBody></MailBody>        
        <MailSourceServer>Linux05</MailSourceServer>
        <SCOMAlertResetType>Manual</SCOMAlertResetType>
        <SCOMAlertResetTimeInSeconds></SCOMAlertResetTimeInSeconds>
    </MailMonitorItem>
    <MailMonitorItem>
        <UniqueTitle>SAP Auto Job Error</UniqueTitle>
        <Description></Description>
        <MailFrom>NightJobber</MailFrom>
        <MailSubject>ZLAS_STATUS</MailSubject>
        <MailBody></MailBody>        
        <MailSourceServer>SAPAppSrv05</MailSourceServer>
        <SCOMAlertResetType>Timer</SCOMAlertResetType>
        <SCOMAlertResetTimeInSeconds>7200</SCOMAlertResetTimeInSeconds>
    </MailMonitorItem>    
</MailInMonitorList>

The first line and last line are needed to indicate start and end of the object list.

UniqueTitle* is the key property and must be unique. It should be short and descriptive.
Description is only for usability to store information for those who check in SCOM
MailFrom* either text of From field text or the sender email address
MailSubject* text that is found in the mail subject
MailBody text that may be found in the body
MailSourceServer server or device that sends the email to SCOM
SCOMAlertResetType set it to Timer or Manual to influence how this object should be monitored;
- Timer : Monitor will be forced to reset after threshold (SCOMAlertResetTimeInSeconds) reached. -> Object is healthy again
- Manual: Monitor keeps in Error / Warning state until a SCOM Admin does the reset
SCOMAlertResetTimeInSeconds applies when Timer is specified as SCOMAlertResetType – value must be bigger than 900 (15 minutes) to avoid resource exhaust in SCOM.

( * ) – must contain values, of not item will be ignored

Mail routing to receive alert E-Mails via e-mail address

After completing the steps above, SCOM can receive mails and creates alerts only if the SCOM server is specified as SMTP server for the sending device (server, application, etc.).

To be more flexible, mail routing can be customized so that only an email address for the SCOM servers is required.

Example:

Create a DNS Alias (CName): scomalert.yourdomain.com which points to scomserver.yourdomain.com
In Exchange, use SendConnector: to specify that scomalert.yourdomain.com will be send to the SmartHost scomserver.yourdomain.com
In the SMTP Service: add additional alias domains to receive e-mails for scomalert.yourdomain.com

Adding Alias Domains in SMTP Server configuration

Now you can use [email protected] on your sender and the mail routing will take care that the messages are delivered to SCOM.

Management Pack Components

Discoveries

Everything in SCOM that has a health state is an object. Instead of checking all Windows computers whether those files exist, we define a dedicated computer class.

MailMonitorItem ManualReset:

Items specified in SCOM.Addons.MailIn.MonitorItemList.xml which have set the SCOMAlertResetType as Manual.

MailMonitorItem TimerReset:

Items specified in SCOM.Addons.MailIn.MonitorItemList.xml which have set the SCOMAlertResetType as Timer.

Monitoring Server:

The registry keys mentioned in (Initial setup / Set registry keys) are used to set the SCOM Root Management Server as e-Mail server and target for discoveries, rules and monitors.

Monitors

Monitors are for finding out which Health State an object has. – An object can be either Healthy (green), in Warning (yellow) or Critical (red).

MailMonitor Item

No direct monitor. Appears here because it is the base class of Manual- and TimerReset MailMonitor Items.

MailMonitorItem Manual Reset

Reacts if an incoming email matches the configured pattern in the XML file.

The SCOM administrator needs to reset this monitor manually.

By default, this monitor runs every 5 minutes

MailMonitoritem Timer Reset

Raises if an incoming email matches the configured pattern in the XML file.

After the specified threshold in the XML file reaches, the monitor is reset when it's checked the next time. In other words; the threshold is only checked when the monitor runs which is by default every 5 minutes.

Monitoring Server

Monitors the Windows SMTP Service

Note: XML file = SCOM.Addons.MailIn.MonitorItemList.xml

Rules

In this Management Packs rules perform alerting and cleanup jobs to avoid manual maintenance. Main parameters of the rules can be changed via override.

MainIn Generic CleanEmlArchive Rule

After an email was processed the EML message will be moved to an archive folder which by default is C:\Temp\EmlArchive.

All EML files older than 720 hours (30 days) will be deleted.

MailIn Generic Alert Rule

If an incoming email does not match the pattern configured in the XML file a warning alert will be created

If preferred warning can be changed to critical and the check interval can be checked as well.

MailIn Close Alerts Rule

To reduce the manual effort of closing alerts of the rule above, this rule will perform closure after a customizable value

Note: XML file = SCOM.Addons.MailIn.MonitorItemList.xml

Views

To make all discovered objects and their health state visible a state views are used.

The Closed Alerts subfolder helps to check information about last closures.

Management Packs

Management Pack	Version
SCOM.Addons.MailIn	1.0.0.190

Elements

TypeDefinitions

EntityTypes

ClassType (3)

ModuleTypes

UnitMonitorType (1)

Categories

Category (2)

Monitoring

Discovery (2)
Monitors

UnitMonitor (3)

Rule (3)

Presentation

Resources

Image (2)