Forefront Identity Manager (FIM) Eventlogs, Events and Monitoring
Greetings from Redmond. Today I want to discuss something universal to all people involved with FIM and Windows servers in general, Event Logs. The Event Logs are one of the places you will find information, warning and error messages from the FIM product and its components. It is not the only place (see also FIM 2010 or FIM 2010 R2 troubleshooting) but it is one of the places.
Let's look at each FIM 2010 component and see what it adds to the system upon installation:
| FIM Component | EventLog | Source | Event ID Ranges* |
| Add-ins and Extensions | Application | Microsoft.ResourceManagement.OutlookClientHealthSource | 1-65535 |
| Add-ins and Extensions | Application | Microsoft.ResourceManagement.PasswordManagementHealthSource | 1-65535 |
| Add-ins and Extensions | Application | Microsoft.ResourceManagement.PasswordProxyHealthSource | 1-65535 |
| Certificate Management | Application | Enterprise Library Caching | 1-65535 |
| Certificate Management | Application | Enterprise Library Configuration | 1-65535 |
| Certificate Management | Application | Enterprise Library Manageability Extensions | 1-65535 |
| Certificate Management | FIM Certificate Management | FIM Certificate Management | 1-65535 |
| Certificate Management | FIM Certificate Management | FIM CM CA Modules | 1-65535 |
| Certificate Management Client | Application | FIM CM Update Client | 0-520, 4097-4873, 5120-5632, 24576-28416, 51200-57345, 61440-61444 |
| FIM Service | Forefront Identity Manager | Microsoft.ResourceManagement | 1-65535 |
| Password Change Notification Service | Application | PCNS Filter | 1-5,2000-2002,4000-4001,6000-6023,7000 |
| Password Change Notification Service | Application | PCNSSVC | 1-5,2000-2005,2100-2305,4000-4301,6000-6039,7000 |
| Synchronization Service | Application | FIMSynchronizationService | 1-8, 100, 2000-2004, 4000, 6000-6600, 6800-6999 |
* This is a semi-general range of events of FIM 2010 RTM. See the attachment for the list of events in the RTM version of FIM 2010. Any event IDs could be added to future releases of the product which is why the product team lists ranges (see below).
If you happen to have SCOM installed in your environment then you can download the free FIM Management Pack (MP) to start monitoring your system. You will notice the FIM MP looks for specific FIM events and some FIM availability but does not include monitoring to systems it could interface with such as Active Directory or SQL. Those are other Management Packs you can download.
The word transparency is tossed around Microsoft like the flu. Allow me to sneeze...
So that's what transparency the flu looks like!
...and say this -- I've only seen one customer use the FIM MP to watch over FIM. Sometimes it is due to the customer using another monitoring solution (it's ok, we forgive you) and those that do use SCOM either don't know about the FIM MP or they install it and never use it. Whatever your situation, I am providing you an attachment with a list of event IDs you can use to at least start monitoring the FIM Event Logs. This will not give you a full view of your FIM environment but it is a start.
One final note. You will notice the Management Pack includes a Word document which lists ranges of event IDs and that list doesn't fully match the table above. Better said, my table includes some ranges that the Management Pack Word document does not include. Enjoy!
Best,
Jeff Ingalls