adam.beedell · SRE/Machine Learning Student · ✭✭✭✭✭

I think you're talking about the legacypowershellimpersonation setting, it's on the advanced settings page now, there's a few threads on it using that as a search query. Wrong password is nor usually the message though. Could be.

SELECT aa.AlertActiveID, CASE WHEN ao.AlertConfigurations.Severity = 2 then 'Critical' WHEN ao.AlertConfigurations.Severity = 3 then 'Serious' WHEN ao.AlertConfigurations.Severity = 1 then 'Warning' WHEN ao.AlertConfigurations.Severity = 0 then 'Informational' WHEN ao.AlertConfigurations.Severity = 4 then 'Notice' ELSE…

Did you define a threshold in the "socket" (noting Kevin's comment that the Exit code status doesnt look right) Actually you know what, if the cert is either already expired or greater than 30 days I dont think it outputs anything right? @"isaacs" 

Does it output something readable? If so that's it say?

Got an agent on the remote server? If no you've got some potential PS remoting stuff to worry about. If Get-ADFSCertificate fails this probably outputs weird Did you test in the "edit script" button? @"KMSigma.SWI" what's the correct word to describe when you run the script the first time for it to generate the output...…

There's a little checkbox down from this screenshot around local vs remote execution - not a safe assumption that it's running where you think it is That said neither mode explains the two different tests exactly, it's more about me trying to understand how it's producing the output it's producing. I'm pretty suspicious…

Imagine it as you press that button, and a robot made of your primary server's CPU starts evaluating alerts in your environment as potentially-related. If you've got 2 alerts, it hasnt got a lot of thinking to do. If you get 1000/sec then it's got a lot of thinking to do. This scales based on the depth of the environment…

The latest versions are less lightweight as they're installing more software as default now, but performance is good and bugs are few. 2024.1 is fairly tidy so far but it's early days. For such a small estate it doesnt matter much to be honest

You can evaluate the macros seperately by sticking them in an email action and using the simulate button ${N=SwisEntity;M=CustomProperties.Site} - Looks fine at a glance but looks aimed at a node alert, so if not that then maybe an issue. ${SQL: Select Substring('BEN something',1,3)} - Looks ok at a glance but there's some…

2023.4.2's pretty good

add ?debug to the end of the URL when you've got that netpath open @"cnorborg" if you dont know that trick it's sweet

I'd probably try a stringsplit on the linebreak in a CTE, then transpose that, then stringsplit for columns or something. I guess those are triple spaces for you? https://stackoverflow.com/questions/5493510/turning-a-comma-separated-string-into-individual-rows This is better but probably something you've got open already…

Probably about the same query but without the WHERE statement then

Got anything visible in your audit/event log? Anything intensely spammy?

That is an ancient version, do you need to be on 2020.4.2?

I dont have UDT so cant solve it direct for you or anything, but If you use F12 or Hubble (search solarwinds enable hubble) you can see the query "current connection information" is definately not the term for what you're after, this info will live on a table, and each column will be a column on that table, so you're…

Surprised that didnt just work tbh

Create a SAM Monitor, add the powershell component. Something like: # Define partial names of services to include $partialNamesToInclude = @("*PCC Server*") # Define partial names of services to exclude $partialNamesToExclude = @("PutSomethingHereIfNeededIGuess") # Pass the server IP of machine being checked $remoteserver…

Pretty sure you need the ODBC drivers but not a local SQL instance, I think you get those from particular feature installs Something like SWQL -> SQL -> DB on whatever setting you set in the config wizard

ALTHOUGH if for an application you would have the possibility of multiple comonent user notes so you'd need to do a custom SWQL with a top 1 and a filter probably.

This if a component alert, else pretty similar for application but one level up

I'm using it at the moment, guide below, before you read that though. If using the certs, you must protect these certs as if they were the highest value asset in your estate. It's possible to have alerting/reporting looking after a service account in a way that's much harder to do with a certificate, it has an affect of…

(This gets really hard to maintain as you scale)

Nah it's out of the box, classic dashboards only though. If you cant see it then check for typos if you still cant see it maybe config wizard. I've typoed on my end "All Alerts*..." oops. You could potentially put the "how to fix" in stuff like the application or component description, but there's a limit for how generic…

Once you've got the datasource, the alert follows from that (you may need to join up the node status and wherever the data lives)

You need to make sure you've git a datasource for who rebooted it. There's a windows event for this if it's windows. You can get that event with log forwarding or SAM via an event log monitor or a powershell monitor. Probably the forwarding option would be needed for the scenario of someone powers it off when they shouldnt…

I have an example but it's very custom and so doesnt serve well as an example, I can tell you some routes through having been through this 1) Do as you described, use either REPLACE()s to deal with line breaks, and/or 2) Use FOR XML PATH and use that to build a table. (this is a faff but if it's a set and forget thing it's…

Probably not the best channel to post this question in Could install the linux agent depending on distro or configure snmpd.conf, then add as a node, then do whatever else that box needs. Could also add AWS to cloud monitoring and see it through there.

This query kinda exists in the "all alers this object could trigger" widget It's not very easy to parse, but it's basically pulling all the alerts against the (in this case) Application table (maybe +components etc), then looping through the SCOPE section for each of those, and if matched then covered else not covered.…

Never saw this reply at the time, but FYI stuff like the -usebasicparsing thing is like profile-based issues, there's a bunch of those, and there's a class of fix which is basically 1) Confirm the account you'll be using for the script, dont change it without redoing later steps 2) On the account you're using above, do the…