Many enterprises today run a mix of Windows servers and desktops alongside UNIX and Linux systems, with different strategies for managing them. In most cases, the Windows systems are placed into forests and are centrally managed, but the UNIX and Linux systems might or might not be centrally managed. Rarely are Windows systems managed alongside UNIX and Linux systems. For enterprises that do want to manage Windows systems alongside UNIX and Linux systems, there have always been third-party solutions available, but these are often complicated to install and unwieldy to use. These third-party solutions can also be costly and require significant investment in training and staffing to use successfully.

Microsoft has recognized the need to manage UNIX and Linux systems alongside Windows systems, and has over the years provided a means to integrate the systems to provide centralized authentication, authorization, and auditing. With the release of System Center Operations Manager (SCOM) 2007 R2, Microsoft provides support for managing select UNIX and Linux systems through SCOM, as well as extending Audit Collection Services (ACS) to integrate UNIX and Linux event collection, processing, and storage with that for Windows systems. In this article, I describe how to configure and use these exciting new features to manage your UNIX and Linux systems alongside your Windows systems.

 

Prerequisites

The ability to manage Windows, UNIX, and Linux systems together requires that you have SCOM 2007 R2 deployed in your organization. To integrate event log collection from your Windows systems with your UNIX and Linux systems, you'll also need to install ACS. In addition, only a subset of common UNIX and Linux systems are supported. The supported UNIX and Linux systems are AIX 5.3 and 6.1 (Power PC), HP-UX 11iv2 and 11iv3 (PA-RISC and IA64), Red Hat Enterprise Server 4 and 5 (x86 and x64), Solaris 8 and 9 (SPARC) and 10 (SPARC and x86 later than 120012-14), and SUSE Linux Enterprise Server 9 (x86), 10 SP1 and 11 (both x86 and x64). You'll also find that derivatives of enterprise versions of Linux—such as OpenSUSE—will work, but these are unsupported.

You'll need to install support for Web Services Management (WS-Man) 1.1 on the Windows servers that host your SCOM servers (which will manage the UNIX and Linux clients). On Windows Server 2008 R2, this is a feature called WinRM IIS Extension that you can add. You'll need to install IIS, too.

I recommend that you install the latest cumulative update for SCOM 2007 R2. You can find the latest update available at the Microsoft Download Center by searching for the keywords “SCOM cumulative update.” The cumulative updates address issues with the use of Server 2008 R2 and SQL Server 2008, and contain fixes that address many other problems. You'll need to apply the latest update to your SCOM 2007 R2 Root Management Server(s), any SCOM Gateway servers you might have, as well as every other SCOM server and all ACS Collectors. You'll also need to follow instructions for how to update the SQL Server databases that SCOM and ACS use.

You'll need to install the latest cumulative update for cross-platform support in SCOM 2007 R2. You can also find this update at the Microsoft Download Center by searching for the keywords “cross platform.” Unlike the cumulative update for SCOM 2007 R2 itself, there are separate downloads for a SCOM server and a SCOM Gateway server. You'll need to download the appropriate cross-platform cumulative updates and install them, beginning with your SCOM 2007 R2 Root Management Server(s), then your Gateway Servers, and then every other SCOM server. Read the release notes carefully before applying the cross-platform cumulative update.

Finally, make sure you download the latest cross-platform management pack(s). Currently, there's an installer MSI file and five supporting documents for AIX, HP, RedHat, SUSE, and Solaris flavors of UNIX and Linux available at the Microsoft Download Center. (Use the search keywords “cross platform.”) Review the documents appropriate for the flavors of UNIX and Linux you intend to manage. The actual management packs are contained in the installer file. Double-click the installer file so that the management packs are extracted and written, by default, to a folder called SCOMCrossPlatformCU2MP, under C:\Program Files\System Center Management Packs. On 64-bit installations of Windows Server, the Program Files (x86) folder is used instead.

Specifying UNIX Accounts

SCOM 2007 R2 uses accounts to monitor and manage UNIX and Linux systems in much the same way as it does Windows systems. SCOM 2007 R2 uses two accounts with UNIX and Linux systems. The first is called a UNIX Action Account and is supposed to be a low-privileged account. The second is called the UNIX Privileged Account and—as the name suggests—is supposed to be a superuser (or root) account. The majority of UNIX and Linux flavors recognize only two types of users: superusers and ordinary users. Superusers are identified with a user identifier (UID) of 0, such as the user root, whereas ordinary users are identified with UID of any value other than 0. When you're initially configuring SCOM 2007 R2 Action and Privileged accounts, I recommend that you use only superuser accounts for the UNIX Action and Privileged accounts. Once you have SCOM 2007 R2 successfully managing UNIX and Linux systems, you can adjust the credentials associated with the UNIX Action Account.

  1. To specify credentials for the UNIX Action and Privileged Accounts, open the SCOM 2007 R2 Operations Console, select the Administration view, and click Accounts under Run As Configuration.
  2. Right-click in the Accounts pane, and select Create Run As Account from the context menu to launch the Create Run As Account Wizard.
  3. On the Introduction page (if displayed), select Next.
  4. On the General Properties page, select Basic Authentication from the Run As Account drop-down box, type into the Display name field text similar to "UNIX/Linux Privileged Account," and click Next.
  5. On the Credentials page, you'll need to specify the username and password of the account, then click Next. The account must already exist on your UNIX/Linux systems, or in a centralized directory that they employ (such as Kerberos or NIS+).
  6. On the next page, Distribution Security, ensure that the More secure option is selected, and click Create. The credentials you just specified will be displayed in the Accounts pane under the category Type: Basic Authentication. Right-click it, and select Properties.
  7. In the Properties dialog box, select the Distribution tab and use the Add button to specify the name of every SCOM server that will manage UNIX and Linux systems.

The next step is to associate the credentials you just created with the UNIX Action and Privileged accounts.

  1. Click the Profiles node under Run As Configuration in the Administration view, and double-click the UNIX Action Account entry in the Profiles pane.
  2. Click Next on the Introduction page (if it appears).
  3. On the General Properties page, click Next.
  4. On the Run As Accounts page, use the Add button to display the Add a Run As Account dialog box. In the dialog box, select the account you just created from the Run As account drop-down list box, and make sure the option All targeted objects is selected. Close the dialog box, and select Save to associate the Run As accounts with the UNIX Action Account.
  5. When the association is made, you'll be prompted with a warning stating that objects might not be monitored if credentials aren't distributed. As long as you selected the SCOM servers to which the account should be distributed when you created the account, you can ignore this warning.
  6. Repeat these steps for the UNIX Privileged Account.

Remember that with this configuration, you're using a superuser account for both the UNIX Action and Privileged Accounts. Once you've verified that you can discover and manage your UNIX and Linux systems, you should change the configuration and use a non-privileged account for the UNIX Action Account, if possible.
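
Before you move the UNIX Action Account to a low-privileged user, it helps to confirm on each managed host which accounts really carry UID 0. The script below is an added example, not part of the original article or of SCOM; the account names scomact and scompriv and the passwd data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): verify on a managed host that the
# SCOM Run As accounts have the privilege level the article calls for.
# Account names (scomact, scompriv) are hypothetical.

# Constructed sample in passwd format: name:pw:UID:GID:gecos:home:shell
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second superuser:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
scomact:x:1501:1501:SCOM action account:/home/scomact:/bin/sh
scompriv:x:0:0:SCOM privileged account:/root:/bin/sh
EOF
}

# list_superusers < passwd-data: print every account whose UID is 0.
list_superusers() {
    awk -F: '!/^#/ && $3 ~ /^0+$/ { print $1 }'
}

# account_privilege NAME < passwd-data: print superuser, ordinary or missing.
account_privilege() {
    awk -F: -v user="$1" '
        !/^#/ && $1 == user {
            found = 1
            if ($3 ~ /^0+$/) print "superuser"; else print "ordinary"
            exit
        }
        END { if (!found) print "missing" }
    '
}

# check_run_as ACTION PRIVILEGED < passwd-data: succeed only when the action
# account is an ordinary user and the privileged account is a superuser.
check_run_as() {
    db=$(cat)
    action=$(printf '%s\n' "$db" | account_privilege "$1")
    priv=$(printf '%s\n' "$db" | account_privilege "$2")
    echo "action account $1: $action"
    echo "privileged account $2: $priv"
    [ "$action" = "ordinary" ] && [ "$priv" = "superuser" ]
}

# Demo on the constructed data.
echo "UID 0 accounts: $(sample_passwd | list_superusers | tr '\n' ' ')"
sample_passwd | check_run_as scomact scompriv && echo "OK: target configuration"
sample_passwd | check_run_as root root || echo "WARN: action account is a superuser"
```

On a real host, pipe in `getent passwd` where it is available instead of the sample, so that accounts held in a central directory are included along with those in /etc/passwd.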

 

Deploying Agents with the Wizard

For SCOM 2007 R2 to manage UNIX and Linux systems, they must first be discovered and management agents must be deployed. SCOM 2007 R2 includes a Computer and Device Management Wizard, which you can use to try to discover UNIX and Linux systems.

 

Figure 1: Selecting Unix/Linux computers in the Computer and Device Management Wizard

 

  1. To find the wizard, open the Administration View in the SCOM 2007 R2 Operations Console, right-click any node, and select Computer and Device Management Wizard. Then, select UNIX/Linux computers, as you see in Figure 1.
  2. Clicking Next will take you to the Discovery Method step, where you can specify how to discover UNIX and Linux systems on your network.
  3. Click Add to launch the Define discovery criteria dialog box, which Figure 2 shows. You are given three options for discovering UNIX and Linux systems: by IP address, by DNS name, or by IPv4 address range. You also need to specify credentials to scan the network for systems. This is, by default, a superuser account (e.g., the root account), but you can specify an ordinary user account for discovery purposes. If you do, you must clear the This is a superuser account option and specify the root password. Clicking OK will save the discovery criteria.
  4. You can click Add again to add more discovery criteria. Note that, by default, SSH discovery is disabled. If you leave SSH discovery disabled, the Discovery Agent will only report on UNIX and Linux systems that it finds but won't attempt to install SCOM 2007 R2 cross-platform agents to manage the systems. If you enable SSH discovery, however, SCOM 2007 R2 will attempt to log on to each system it can connect with, using the credentials that you specified. If someone were able to set up a rogue system on your network, within the discovery criteria you specified, that person might be able to capture the credentials used in discovery.
  5. When you're done adding criteria and credentials, simply click Discover to find UNIX and Linux systems. If the wizard finds systems, and if SSH discovery is enabled, the wizard will attempt to deploy agents to the UNIX and Linux systems. The discovery results will provide details about what systems were found and whether the agents could be deployed, as you see in Figure 3.
  6. For systems that the agent could be deployed to, select the check box next to the system name and click Next. For systems that were found but weren't fully discoverable, you can click Details to get more information about why the discovery process couldn't be completed. You might find that for systems that weren't discovered initially, rerunning the Computer and Device Management Wizard can yield success on subsequent attempts.

 

Figure 2: The Define discovery criteria dialog box

 

 

Figure 3: Selecting computers to manage

 

For the systems you selected, the Computer and Device Management Wizard will deploy and install the cross-platform agent for the architecture and install an X.509v3 certificate that the cross-platform agent will use to identify the managed UNIX or Linux system and to secure communications with the SCOM 2007 R2 infrastructure. Occasionally, a problem can occur with the certificate creation and installation, typically because of a mismatch in the system’s hostname and its DNS name. If a problem with the certificate is reported, you can follow the guidance in the Microsoft article "The Certificate Name Does Not Match the Hostname" (go.microsoft.com/fwlink/?LinkId=148011) to fix the problem, and rerun the Computer and Device Management Wizard using the process described above for the affected systems.

Manually Deploying Agents

If you can't use the Computer and Device Management Wizard to install agents to your UNIX and Linux systems, you can manually install them. You'll find the agents for each supported platform in the folder C:\Program Files\System Center Operations Manager 2007\AgentManagement\UnixAgents. Copy these agents to an FTP server or website so that you can download them to your UNIX and Linux systems. You can also add these to baseline images if you use them in your organization. If you applied the latest cumulative update for cross-platform support, you'll find that there are different versions of the agents in this folder. You should always use the latest agents. For information about how to install the agents for each supported platform, see the Microsoft article "Manually Installing Cross Platform Agents" (technet.microsoft.com/en-us/library/dd789016.aspx).

Once you've manually installed the agents onto your UNIX and Linux systems, you'll need to rerun the Computer and Device Management Wizard using the process I described. The wizard will find the systems with agents manually installed and ask whether you want to issue new X.509v3 certificates to them. Select the systems you want to install certificates to, and click Sign. Once the certificate(s) have been issued, the Computer and Device Management Wizard continues, and you need to select the system(s) you want to add to the pool of managed UNIX and Linux servers in SCOM 2007 R2—in a process similar to the automatic discovery of UNIX and Linux servers.

 

Monitoring UNIX and Linux Systems

With agents installed, you can begin to monitor your UNIX and Linux systems from the SCOM 2007 R2 Operations Console. Simply select the Monitoring view, then click the UNIX/Linux Servers State View node, as you see in Figure 4. When you select a system in the UNIX/Linux Servers pane with a cross-platform agent installed, you'll see a summary of the information SCOM 2007 R2 has about the system listed in the Detail View. You can also use the Health Explorer to analyze the system and core processes, such as cron, SSH, and Syslog. The information available in the Health Explorer varies depending on the target system. You can also put a system with the cross-platform agent installed into Maintenance Mode, much like a regular Windows Server. And in the State View, with the cross-platform agent installed, you can also run Tasks. There are three Tasks available: Memory Information, Run VMStat, and Top 10 CPU Processes.

 

Figure 4: Monitoring UNIX/Linux servers

 

Also in the Monitoring view, you can diagram and view other information about your UNIX and Linux servers, and you can configure performance monitoring. Expand the UNIX/Linux Servers folder, expand the OS folder beneath, and select the appropriate nodes. The nodes available and the data returned will vary by OS type and depend on support in the cross-platform agent and on the management packs installed, as you can see in Figure 5.

 

Figure 5: Drilling down into Unix Linux Servers configuration and state information

 

As more cumulative updates are released for cross-platform support, or as third-party management packs are released, the ability of SCOM 2007 R2 to manage UNIX and Linux systems will increase. However, if you download new agents or management packs, you'll need to rerun the Computer and Device Management Wizard to deploy these updates, or to sign certificates for agents you manually deploy.

 

Configuring ACS for Cross-Platform Support

To configure ACS for cross-platform support, you'll need to perform several steps on both your SCOM infrastructure and your UNIX and Linux servers. You can turn on cross-platform support for ACS only if you already have ACS installed and configured—including ACS Reports.

You need to download the latest ACS cross-platform support software by visiting the Microsoft Download Center and searching for “ACS cross platform.” You'll need to download both the Cross Platform Audit Collection Services software, which consists of 32-bit and 64-bit installers and supporting documentation, and the Cross Platform Audit Collection Services Management Packs.

You need a server that will act as a collector of audit events from your UNIX and Linux systems, and forward them to ACS. This server must be configured as an ACS Collector. You might want to consider creating dedicated SCOM Management Servers for your UNIX and Linux hosts, and make them ACS Collectors, too. On this server, you'll need to install the Cross Platform Audit Collection Services MSI file that you downloaded. Double-click the MSI in Windows Explorer to begin installation, and accept the license agreement.

  1. In the Audit Data Time Zone step, select either the current local time or the Coordinated Universal Time (UTC). You should pick the same option you used on your ACS Collectors, which is probably UTC.
  2. The last page of the installation wizard will caution you that cross-platform support for ACS can generate a lot of events, which might stress your ACS database. The actual volume of events generated will depend on many factors, including the number of UNIX and Linux servers you have and how you configure each. You can tune performance if necessary by using the standard ACS management tools. If you have many UNIX and Linux servers, you might need to install additional cross-platform collectors, depending on performance and fault tolerance. Finally, make sure that the Group Policy setting Audit object access is set to Success and Failure, if you're using it.
  3. Next, you need to import the ACS cross-platform management packs you also downloaded. Run the installer to extract the management packs to the folder System Center Management Packs\Operations Manager 2007 R2 Cross Platform ACS MP—under C:\Program Files or C:\Program Files (x86)—and import them into SCOM using the Import Management Packs wizard. If your SCOM 2007 R2 system is connected to the Internet, you can also download the management packs as you would any other management pack.
  4. Now, it's time to install the cross-platform audit reports to your ACS Reporting Server. On the dedicated ACS cross-platform collection server, log on as a user who has administrative privileges to the SQL Reporting Server used by ACS, open a command prompt, navigate to the folder C:\Program Files\System Center Operations Manager Cross Platform ACS, and run the following command:
  5. .\UploadCrossPlatformAuditReports.cmd “\” “http:///ReportServer\\[$\\]” “C:\Program Files\System Center Operations Manager Cross Platform ACS”
  6. Replace with the name of your ACS database, with the instance name of SQL Server (the default is MSSQLSERVER), with the name of your SQL Reporting Server, and append $ where is the name of the SQL Report Services instance if you're using anything other than the default instance. After installation, the reports added are written to the folder Cross Platform Audit Reports, as Figure 6 shows.
  7. At this point, you need to enable cross-platform support for ACS. To do so, you need to modify management packs. Best practice will have you modify copies of management packs that you create for modification. To modify Management Packs for ACS, select the Authoring view in the Operations Console and expand the Authoring node, then the Management Pack Objects node, and select Object Discoveries.
  8. In the Object Discoveries pane, search for ACS. A list of ACS endpoints for the various supported UNIX and Linux systems appears, but you care only about the entry Discovered Type: ACS Endpoint. Right-click Discover UNIX/Linux ACS Endpoint underneath the entry, and select Overrides, then Override the Object Discovery, then For all objects of class: UNIX Computer.
  9. In the Override Properties dialog box, select the Override check box, click Apply, then click OK.

 

Figure 6: Cross Platform Audit Reports

 

For most enterprise deployments of Linux, there's no need to configure the servers or Syslog, and security events of interest will start to flow into ACS; you can view them in SQL Reporting Services on your ACS Report Server. If you have non-standard Syslog configurations and are using rsyslogd or Solaris or AIX, you'll need to configure Syslog to write security-related events to /var/log/messages (for Linux-based systems). For Solaris and AIX systems, you'll need to follow the guidance available in the Microsoft article "Configure Syslog and Rules for Audit Events" (technet.microsoft.com/en-us/library/ee909515.aspx).
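
One way to check whether a Linux host's syslog rules actually deliver security events to /var/log/messages, as an added example that is not from the original article or from Microsoft's tooling. It assumes that "security-related events" means the auth and authpriv facilities, handles only classic `selector action` rule lines, and runs on constructed sample configurations that use a made-up custom log path.

```shell
#!/bin/sh
# Added example (not from the article): report whether classic
# "selector action" syslog rules deliver a facility to a given log file.
# Assumption: "security-related events" = the auth and authpriv facilities.

# Constructed non-standard configuration: auth messages are diverted.
sample_nonstandard() {
    cat <<'EOF'
# constructed sample, not a vendor default
*.info;mail.none;auth,authpriv.none   /var/log/messages
auth,authpriv.*                       /var/log/custom/auth.log
mail.*                                -/var/log/maillog
EOF
}

# Constructed corrected configuration: the exclusion is removed.
sample_corrected() {
    cat <<'EOF'
*.info;mail.none                      /var/log/messages
auth,authpriv.*                       /var/log/custom/auth.log
EOF
}

# facility_route FACILITY TARGET < config
# Prints the priority spec under which FACILITY reaches TARGET, or "none".
facility_route() {
    awk -v fac="$1" -v target="$2" '
        /^[ \t]*#/ || NF < 2 { next }          # comments and blank lines
        {
            action = $2
            sub(/^-/, "", action)              # "-" prefix only disables sync
            if (action != target) next
            eff = "none"
            n = split($1, sel, ";")            # later selectors override earlier
            for (i = 1; i <= n; i++) {
                dot = index(sel[i], ".")
                if (dot == 0) continue
                prio = substr(sel[i], dot + 1)
                m = split(substr(sel[i], 1, dot - 1), names, ",")
                for (j = 1; j <= m; j++)
                    if (names[j] == "*" || names[j] == fac) eff = prio
            }
            if (eff != "none") best = eff
        }
        END { print (best == "" ? "none" : best) }
    '
}

# security_events_reach TARGET < config
# Succeeds only if both auth and authpriv are written to TARGET.
security_events_reach() {
    conf=$(cat)
    rc=0
    for facility in auth authpriv; do
        route=$(printf '%s\n' "$conf" | facility_route "$facility" "$1")
        echo "$facility -> $1: $route"
        [ "$route" != "none" ] || rc=1
    done
    return $rc
}

sample_nonstandard | security_events_reach /var/log/messages || echo "FIX NEEDED"
sample_corrected | security_events_reach /var/log/messages && echo "OK"
```

A result such as `info` means only messages at that priority and above reach the file, so lower-priority authentication messages would still be missing from what ACS collects.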

 

Centralized Monitoring

The steps I've described to get cross-platform support up and running for SCOM 2007 R2 aren't easy, and you might find that it takes some experimentation to get everything working correctly. That's especially true for ACS. However, the return on the time invested in getting integration working will pay off as you find that you can monitor your Windows, UNIX, and Linux systems from one place.