Automatically restart service in event management - auto remediation

Henrik Jutterst · ‎09-12-2024

Is there anyone here who has set up a Flow to automatically restart a service in Event Management?

What is the best practice for this?
What if there is a Windows Server or a Linux Server - there are two separate SubFlows for this as I see?
Where do I kick of these SubFlows and how does the SubFlow know the name of the Service to restart?
Are there any permissions needed for this for the system users that try to remediate this?

Kind regards

Sayali_Suryawan · ‎12-02-2024

Hello Henrik Jutterst,

Question 1.

Is there any OOB SubFlow or Alert Management Rule for Event Management to detect if it's a Windows or Linux host and then perform the restart actions like Figure 01, or how is this handled? Or do we need to build that our self?

Answer:
Open the OOB Alert management rule (Windows server actions) and select "Alert filter." You found that if the CI is related to the Windows server, only the restart, start, or stop action will be performed.

You specify the condition, such as whether it is Windows or Linux, and it will only perform the action if those conditions are met.

Yes, there are OOB subflows available in the "Event Management Connectors" application. If you want to add some extra functionality, you can do that.

If you want to access this functionality, open "Service Operational Workspace" and open any alert record with the ci "window server." Then on the related list, - > playbook -> you can get it

Alternatively, you can open the alert record by clicking "Preview," as shown in the first image.

Question 2.

Is it possible or even recommended to have an automation of starting a service if it's down? Is setting the Execution to "Automatic" all that's needed here?

Yes, you are correct; you can set them to "Automatic" and they will start automatically whenever the condition is met, then they start. In OOB, if the configuration item is window server, only the alert record action will be performed automatically.

Please mark my answer if it was helpful.

Thank you.

View solution in original post

Patrick DeCarl1 · ‎09-23-2024

From that alert you can parse the service name if its truly the service name, or display name and pass that to the subflow to have the ssh or powershell action to restart the service.

Henrik Jutterst · ‎09-24-2024

Ok, but the main question is if I need to create my own SubFlow to see if the host is running on a Windows or Linux, but based on your feedback there is no such SubFlow and we need to create it ourself?

Henrik Jutterst · ‎09-25-2024

Ok, so there's obviously lack of information on how restarting a service from an alert is done and what the input data should look like in the Alert for this to work.

Question 3.

Do you know if there's a guide from ServiceNow how this should work and what the input data should look like?
How does ServiceNow know then name of the Service that needs to be restarted. It's not clear to me.

ping: @Patrick DeCarl1

Patrick DeCarl1 · ‎09-25-2024

"Ok, but the main question is if I need to create my own SubFlow to see if the host is running on a Windows or Linux, but based on your feedback there is no such SubFlow and we need to create it ourself?" <-- No, If you have a CMDB and the event / Alert is binding to the correct CI you will know what OS it is. Also if the event tool is passing in the service name you will just need to parse the service name from the message and make sure its pass into the flow.

Henrik Jutterst · ‎09-25-2024

Alright, I think I understand from your point of view then. The idea you suggest is to look if the service is down and only run for Windows Server CIs. And have another Alert Management Rule if the CI is a Linux server. Windows example below:

This is the Alert Management Rule that I was working with and the trigger conditions. We get the same starting string for all stopped services, regardless Windows or Linux:

And that was the reason why I was asking if there where any Flows to take care of what OS the CI was on.