Microsoft OMS provides the ability to gather data from a huge variety of sources and helps to visualize this data. You determine what types of data you want to collect based upon the solutions which you activate in your workspace. These are added in the solutions gallery shown below: (check out the new “Containers” solution which is coming soon, good stuff still coming!)
OMS makes it easy to onboard the systems that you want to add to OMS in the Operations Manager console as shown below.
In OMS you can see the amount of data which is gathered on a daily basis and the breakdown per solution. When all solutions are added, the security solution currently uses the vast majority of the data, which is apparent from the graph below.
One of the current challenges with OMS is that you cannot choose which solutions apply to which of the systems you have added to the Managed Computers list shown above. This means that, for example, if you enable the Security and Auditing solution, it is enabled on all computers which are on your Managed Computers list.
This works because every computer you add to the Managed Computers list is added to the “Microsoft System Center Advisor Monitoring Server Group”. An example of the membership of this group is shown below (logically enough, this matches the systems that we added in Managed Computers above).
I expect that Microsoft is aware of this limitation and working to alleviate it, but this blog post will provide a temporary workaround to allow you to choose which systems you do not want to have a solution apply to.
The sample management pack I have created is called “Scoping OMS Solutions”.
The management pack includes a set of 10 groups which you can add Windows Computers to in order to exclude them from collecting data for that specific solution.
The information gathering rules are disabled by default and enabled for a specific group of systems which Microsoft has defined called “Microsoft System Center Advisor Monitoring Server Group”. Each of the groups in this management pack disables the rules which gather data for that specific solution.
To test the first level of this functionality, I added one system to my Exclude_OMS_Security and Audit group and verified that I was no longer receiving security information on this system after the change was made.
I was able to verify that security logs were continuing to be written to other systems:
If you want to see which computers you have added to your exclusions, you can check that directly in the Authoring pane under Groups, or you can use the views which are included in this sample management pack, shown below:
As it stands, this management pack provides exclusions for the following OMS solutions:
- AD Assessment
- Change Tracking
- Malware Assessment
- SQL Assessment
- Security and Audit
- System Update Assessment
- Wire Data
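Because an exclusion from Security and Audit leaves that computer without security event collection in OMS, it is worth reviewing the exclusion groups regularly. The following is an added example, not part of the sample management pack, that uses the Operations Manager PowerShell module to list every onboarded computer together with the exclusion groups it belongs to. The management server name, the `Exclude_OMS_*` wildcard (based on the one group name given in this post) and matching members by display name are assumptions.

```powershell
# Added example: report which OMS-onboarded computers sit in an exclusion group.
# Run on a machine with the Operations Manager console (and its module) installed.
Import-Module OperationsManager

# Assumption: placeholder management server name; replace with your own.
$ManagementServer = 'scom-ms01.example.local'
New-SCOMManagementGroupConnection -ComputerName $ManagementServer

# Group named in the post: every system on the Managed Computers list lands here.
$onboardedGroup = Get-SCOMGroup -DisplayName 'Microsoft System Center Advisor Monitoring Server Group'
if (-not $onboardedGroup) {
    throw 'Advisor monitoring group not found; is this management group connected to OMS?'
}
$onboarded = Get-SCOMClassInstance -Group $onboardedGroup

# Assumption: all exclusion groups share the "Exclude_OMS_" prefix seen in the post.
$exclusionGroups = Get-SCOMGroup -DisplayName 'Exclude_OMS_*'

# Build a map: computer display name -> exclusion groups that contain it.
$excludedFrom = @{}
foreach ($group in $exclusionGroups) {
    foreach ($member in (Get-SCOMClassInstance -Group $group)) {
        $name = $member.DisplayName
        if (-not $excludedFrom.ContainsKey($name)) { $excludedFrom[$name] = @() }
        $excludedFrom[$name] += $group.DisplayName
    }
}

# Assumption: members of both groups can be matched on DisplayName.
$report = foreach ($computer in $onboarded) {
    $name   = $computer.DisplayName
    $groups = if ($excludedFrom.ContainsKey($name)) { $excludedFrom[$name] } else { @() }
    [pscustomobject]@{
        Computer         = $name
        # True when the computer is in an exclusion group whose name mentions Security.
        SecurityExcluded = [bool]($groups -match 'Security')
        ExclusionGroups  = ($groups -join '; ')
    }
}

# Computers with no security collection sort to the bottom for easy review.
$report | Sort-Object SecurityExcluded, Computer | Format-Table -AutoSize
```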
So what’s not done in this pack and why?
- Alert Management – Not targeted at Windows Computer, if not needed remove the solution from OMS
- Capacity Planning – Not targeted at Windows Computer, targeted at Microsoft System Center Advisor Windows Server.
- Containers – No management pack available yet to assess the rules.
- Configuration Assessment – Unable to find the management pack which contains the rules or the underlying rules
This approach will not work for either directly attached agents or Linux agents.
Summary: If you are looking for a way to disable a solution for a set of systems in OMS, check out the sample management pack available at https://gallery.technet.microsoft.com/scriptcenter/Scoping-OMS-solutions-in-166a8565.
Update: 11/7/2017 – It appears that the rule which collects security data has changed. It’s now part of the following:
- Management pack: Collect security events by user configuration
- Rule: Collect Security Events