Here are some SCOM tuning tips that I published back in 2012 that are just as relevant today as they were back then. This was taken from a SCOM support guide that I created for a large insurance company.
Reasons why we create new MP rules and monitors:
- To generate new monitoring that was not provided in the vendor packs
- To replace a vendor developed conditions that lacked sufficient overrides
- To setup a scheduled script, gather reporting data, or an administrative auto action
- To gather data for possible future alerting solution
Reasons why we recreate MP rules and monitors:
- To expose settings not available in the sealed overrides
- To replace poorly worded alert messages names or descriptions
- To add a repeat count, recovery, or other method to reduce alerts or to reduce frequency
- To consolidate multiple alerts for the same issue
- To consolidate alerts with the same troubleshooting steps
- To reduce alerts during maintenance, software updates, backups, network outages, and other factors
- To convert a rule to a monitor or vice versa to access available functionality
Reasons why we “disable” conditions ( or make alerts informational):
- We disable all warning or critical level alerts that are informational or successful in nature (reserving alerts for things that are broken)
- We disable application monitoring that duplicates base server monitoring (hardware, OS, custom)
- We disable all monitoring that doesn’t relate to actionable troubleshooting steps (if we can’t fix it we don’t want to see it)
- We disable a lot of external dependency monitoring. For example, Exchange alerts on AD availability that duplicates monitoring from the AD MP)
- We disable any problematic alerting conditions that do not work properly (identified by experience or community feedback)
- We disable any alerts that are determined not to be a real issue in our environment; or any environment. (For example, important sounding alerts that cannot be linked to a problem requiring intervention)
Reason why we implement overrides:
- To modify the priority or severity to meet our alerting needs
- To disable or enable rules, monitors, or discoveries (for effect or replacement)
- To modify thresholds and other setting on rules, monitors, or discoveries
- To limit alering activity to a specific group of objects (or exclude)
Overrides that don’t appear to be possible or are rarely available:
- Modify the alert name and description
- Modify the custom fields and alert suppression criteria
- Ability to add recoveries and diagnostics to sealed rules and monitors
- The ability to add views to sealed management packs as an override
- Common overrides are often not available like priority and severity