SCOM Console Linux Agent Upgrade Issue

When Microsoft releases a new UNIX\Linux agent version and you upgrade the agents, it is possible that the SCOM Console shows upgrade as done but the versions may revert back to the previous version. We will look into why this happens and how to solve it.

In low privileged environments, defined UNIX\Linux accounts in your SCOM require rights for monitoring actions and maintenance tasks. To achieve this, Microsoft has built a good way of running the agent by making use of sudoers file and RegEx expressions.

Parts of Sudoers File

Basically, there are four parts that needs to be configured in the sudoers file

  • Agent Maintenance
  • Install / Upgrade
  • Uninstall
  • Log File Monitoring

The Agent Maintenance, Uninstall and Log File Monitoring parts includes commands for certificate signing, agent configuration, uninstall and Log File Monitoring permissions (as names suggest).

When set correctly, you will most probably not face any issues in these parts other than Install/Upgrade. Because those parts do not include any command or executable names with version numbers. But for those commands which have RegEx expressions with numbers, it should be set correctly to reflect the current, previous and future versions.

Install or Upgrade

The Install or Upgrade part is the tricky one. With every version and distro, permitted executable names change and RegEx expressions should match the new ones. If not, the Linux agent upgrade process seems to complete very quickly compared to a normal one and shows the agent is updated to the latest version. When the agent restarts and discoveries start to run you will see the agent versions are listed as the previous one. This is because the upgrade processes were actually not run because the file name expressions did not match the latest version listed in the sudoers file as allowed.

I would suggest RegEx101.com for testing your sudoers expressions against newly released file names. If there is no match, visit the following link for the latest templates that need to be used and edit it accordingly.

When you create the new sudoers file, you should be able to upgrade the agents to the latest version without any problem.

Sudoers templates for elevation in UNIX/Linux monitoring

Good luck with your Unix/Linux monitoring in SCOM!