SCOM – Monitoring a Service – Part 2 basic service monitor #scom #application


This is part 2 of the multiple part series on monitoring a service (yeah how much can we say about this. ).

To start the links to other parts of the series:

And now on to monitor a windows service the very very basic way. We will create a new management pack to hold the service monitor and we will add a basic windows service unit monitor that creates an alert when the monitored service is not running. This is very basic and will do no more or less than stated I will screenshot a bit often here in parts 2 and 3 of this blog post and will assume some things in other parts.

Go into the SCOM Console and move into the Authoring pane.
Expand Management Pack Objects and select Monitors.
In the menu bar or in the Actions pane select Create a Monitor -> Unit Monitor.

The Create a unit monitor wizard opens up. Before we do anything else we need to have a management pack to save stuff in. We could have done this before, but in this case I will use the first monitor we create as an opportunity to create a new management pack. So near the bottom of this screen click the New button.

When the Create a Management Pack wizard opens we add a Name for the management pack. In this case I use “Services Part2”, but normally this would say something about the application you would want to monitor or the purpose of it. We can add a description here.

We finish this part of the wizard by clicking Next and Create. This will bring us back to the Create a unit monitor wizard and the newly created management pack will be listed as the destination management pack near the bottom of the screen. Next we define what kind of monitor we want near the top of the screen. In our case this is Windows Services -> Basic Service Monitor. Click Next to continue.

In the general properties we will define a name for the monitor. In this case I will just use “FCS AM Service” as Name and Description to keep it simple.
Now we need to specify a Monitor target. So click the Select button in the middle of the screen.

We see a big list of targets (and we see even more when we select the View all targets option). We need to think of where we could possibly target this. Well, one of the things we know is that it runs on windows computers. That could give us Windows Computer and Windows Operating System for instance (if we say that we dont want to specify a specific operating system). I will go with Windows Computer for now.

We need to specify the Parent monitor now. As we are monitoring the running state of a service we will use the availability parent monitor. And click Next.

So now it asks us for the Service name. It is easier to browse there, so we use the small button with the three dots.

Pick a machine where you know this service is installed. Find the service you want to monitor in the list and select it. In my case I pick the Microsoft Forefront Client Security Antimalware Service.

When we click OK it will bring us back to the wizard and it gives us the name of the service (as windows would understand it).

Click Next and we can configure what the health should be if the service is not running. In the box where it says Health State for the row where it says Service is not running we can select what state we want by clicking and using the dropdown that appears to either select Critical or Warning. For this example I just think this is a security service so I will leave it as Critical.

Next step is to define if we want to generate alerts for this monitor. Lets go ahead and do that and check the checkbox. Next we need to define when to generate an alert. In my case I said that the state of service down should be Critical, so my choice is to generate an alert when the monitor is in a critical health state. If you had Warning in the previous screen you will need to use the warning state here as well in order to get alerts.
The checkbox to Automatically resolve the alert when the monitor returns to a healthy state is very usefull in most cases. So if the service returns to running state (either automatically or because you start it manually for instance) it will also close the alert for you in the SCOM console.
In the alert properties we can define an Alert name. BY default it displays the name of the monitor here. In my case I add some words to make it say “FCS AM Service is not running”. I copy that to the Alert description box below it and add some words to it suggesting to start the service. I will not add more fancy stuff here although the small button with three dots will give you possibilities to add the server name in the description for instance. Next we can also set Priority and Severity of the alert. I will leave it default for now. That will give us the following screen.

Now we can push the Create button to create the monitor.
We will have a monitor now for one service in a new management pack with alerting when this service is not running.

New I can pick a machine and stop this service and see if I get an alert in the monitoring pane in Active Alerts.

After starting the service the alert disappeared within the minute.

So that is the most basic quick and dirty way to monitor one service.

Now lets see in Part 3 of this series how we can do this using the Windows Service monitoring template and at the same time make a choice if we want to monitor the processor and memory usage of this service (process) and at what threshold it should start complaining.


If i need to create an availablity report where in i can add the Specific Monitor. e.g I want to monitor server1 on computer 1 for availablity and then put it in the report as an individual object. If i create a basic Unit Monitor with name Service1 for Computer1 and target it to Windows Computers like you explained in part 2. when i create the Report i cannot serach for the name if i click add object or add group. I just want to Report this particular item

If we have the same service running on multiple machines and if I stop the service on one of the machines, why do i get multiple alerts from all the machines where the service is installed?

Thanks in advance.

HI Arun, Check your targetting. If it is targetted at All Windows Computers for instance it is different from targetting at Windows Computer. One is a group and one is an entity. If you target at a group for monitoring stuff will go wrong in this case. By the way, Windows Computer is also not always the greatest target to use. It was just a simple one for the current examples. There are documents available which explain targetting for SCOM. But my guess is your target is wrong in the monitor.

what if I want to monitor all auto start services on all the windows servers. as well as new auto start services installed at a later time?

can this be done?

HI Mushi-D,
I guess if you really had to you could create a discovery through a script which runs through the registry hive where services are listed and check for the setting saying it is automatically starting. and discover all those services and store them. perhaps on a daily interval, so it will discover new stuff you install.
Next would be to try to create a monitor targetted at that to monitor if the service is running.
Perhaps somebody has already created this, so would suggest to check around for something like this.

Hi Bob,
When I stop the service, it takes a while for the alert to be generated in the SCOM console. Is there a way to make it generate faster?

Also Bob, is there a difference between this method of adding the service monitor and using the wizard?

Thanks for these guides they are great.

I have a question similar to one above. I have created a simple service monitor and I only want it to monitor the service on 2 servers. However, my simple monitor is checking our whole environment. I can t seem to find a setting to monitor single entities? Could you do a blog post or provide a link? I ve been searching the internet but can t find guides for this problem.

HI John, well most commonly the way is to target the same class but keep the monitors disabled. And re-enable them for those two machines you want monitored.

About Author:

Leave A Comment

Your email address will not be published. Required fields are marked *