HackaSCOM runner-up: MP to discover and monitor files, folders, and changes

Anders Öberg

In our latest HackaSCOM we saw two great management packs (MPs) created for the community – the winning MP that predicts thresholds using ML and the MP we’ll explore today that discovers and monitors files, folders, and changes that occur.

Anders Öberg created this MP in just 24 hours and that’s despite a power outage that disrupted his proceedings and lost some of his code. So, it’s super impressive what he was able to accomplish. We think this will be a much-valued MP in the SCOM community.

Let’s get into the details of what Anders built.

How the management pack was built

At the core of the MP is a probe, which also acts as a data source, written in PowerShell. There’s an input file, placed on the agent, that holds the directories that you want to monitor. (Anders had to show this using a text file due to his SCOM instance going down.)

Discovery works two ways. The first is from the local agent: as a Server Admin, you can put the folders in the file and get the basic inventory. Alternatively, you can do this as a SCOM Admin. The great thing is that you aren’t limited to the SCOM console to add monitoring.

The MP lets you add the ‘recurse’ flag, if you want to, depending on what you want to monitor – the whole sub-directory tree or just the flat directory.

You can set the monitor to run at a frequency of your choice.

Then, when sub-directories are added to directories, the monitor will report that in SCOM (mimicked in the right-hand, blue pane).

You are then able to see the input parameters from the file, when it was executed, and on which host. Below that, the detail text shows the file count change and the folders that were created in each directory. You can also get these details when folders and files (catalogs and directories) are removed.

You can also see the file or folder size changes.

In the above image, you can see that the FileCounter has changed to show another file has been added (from [4] to [5]) and the FileSize has changed from [18] to [48] after the text was added to that file.

You will also be able to see when a file is deleted with the same types of information.

A more complex example would be a deep file path with a text file at the end of that.

You will still be able to see the full details of what was added and when in the SCOM report.

You can also see that, when that text file is changed, other directory details are changed – as is normal in a directory as deep as this one.

This would all be reported as alerts or properties within SCOM.
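To make the mechanics concrete, here is a sketch of a probe of this kind. It is an added example, not Anders's code from the MP. The input-file format (one directory per line, with an optional `,recurse` suffix), the two file paths, and the `Get-DirSnapshot` helper are all assumptions made for illustration.

```powershell
# Added example, not the management pack's code. The input-file format
# (one directory per line, optional ",recurse") and both paths are assumptions.
param(
    [string]$InputFile = 'C:\Monitor\folders.txt',   # hypothetical input file on the agent
    [string]$StateFile = 'C:\Monitor\snapshot.json'  # hypothetical store for the previous run
)

function Get-DirSnapshot {   # hypothetical helper: file count, total size, folder list
    param([string]$Path, [bool]$Recurse)
    $items = @(Get-ChildItem -LiteralPath $Path -Recurse:$Recurse -Force -ErrorAction SilentlyContinue)
    $files = @($items | Where-Object { -not $_.PSIsContainer })
    [pscustomobject]@{
        Path        = $Path
        FileCounter = $files.Count
        FileSize    = [long]($files | Measure-Object -Property Length -Sum).Sum  # 0 when empty
        Folders     = @($items | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })
    }
}

# Snapshot every directory listed in the input file.
$current = @{}
foreach ($line in Get-Content -LiteralPath $InputFile) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    $parts   = $line.Split(',')
    $dir     = $parts[0].Trim()
    $recurse = ($parts.Count -gt 1) -and ($parts[1].Trim() -eq 'recurse')
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $current[$dir] = Get-DirSnapshot -Path $dir -Recurse $recurse
    } else { Write-Warning "Directory not found: $dir" }
}

# Load the previous snapshot, if any, keyed by directory path.
$previous = @{}
if (Test-Path -LiteralPath $StateFile) {
    $saved = Get-Content -LiteralPath $StateFile -Raw | ConvertFrom-Json
    foreach ($p in $saved) { $previous[$p.Path] = $p }
}

# Report changes in the same terms as the detail text: counter, size, folders.
foreach ($dir in $current.Keys) {
    $now = $current[$dir]; $old = $previous[$dir]
    if (-not $old) { "[$dir] baseline: $($now.FileCounter) files, $($now.FileSize) bytes"; continue }
    if ($now.FileCounter -ne $old.FileCounter) { "[$dir] FileCounter changed from [$($old.FileCounter)] to [$($now.FileCounter)]" }
    if ($now.FileSize -ne $old.FileSize) { "[$dir] FileSize changed from [$($old.FileSize)] to [$($now.FileSize)]" }
    $now.Folders | Where-Object { $_ -notin $old.Folders } | ForEach-Object { "[$dir] folder created: $_" }
    $old.Folders | Where-Object { $_ -notin $now.Folders } | ForEach-Object { "[$dir] folder removed: $_" }
}
# Persist this run so the next one has something to compare against.
ConvertTo-Json -InputObject @($current.Values) -Depth 4 | Set-Content -LiteralPath $StateFile
```

The first run only records a baseline; changes are reported from the second run onward. Because the comparison depends entirely on the saved snapshot, the state file should be writable only by the account the probe runs under.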

In the future

Future developments for the MP could be to add alerting for when file sizes are getting too big. All the components already exist in the new MP to hook it into the existing SCOM file size alerting. 

Get the MP

The code is now available on GitHub so you can download it and try it out yourself in your SCOM environment.