Authoring rules for Windows 2008 events, and how to cheat


So… with the introduction of Server 2008 into OpsMgr as a monitored agent, you might need to re-evaluate some of your old rules.

 

Almost all (if not all) of the basic event IDs and parameters in the Security event log have changed.

 

For instance, I had a rule to alert me on every RDP logon to every server in my lab.  I did this on Server 2003, using the following data source configuration:

 

[image: data source configuration of the Server 2003 rule]

 

The logon event was 528; I used the Security event source (not really required in this case), and since I only wanted to alert on RDP/Console logon types, that is where Parameter 4 came in.  I had to use LogParser to figure out which parameter is which, and talked about how to do that in these posts:

 

Using Event Description as criteria for a rule

How to find all possible event ID’s for a given event source

Using OpsMgr to see which servers have not been logged on to via RDP

 

Now – I realized, since I rebuilt my main Terminal Server with Server 2008, this rule isn't alerting anymore.

It is apparent that the new security event is now this:

 

[image: the Server 2008 security event, ID 4624]

 

 

So – off I go to update my rule.

 

I will use Event ID 4624; that part is easy… but now – which parameter holds the logon type of “10”?

I can certainly use LogParser… and it will tell me, but in Server 2008 there appears to be a shortcut: choose the Details tab of the event you want, and all the parameters are listed in order… you simply have to count down:

 

[image: Details tab of event 4624, listing the parameters in order]

 

Counting down from the top – that is Parameter 9.  So my new data source expression for the rule looks like this:

 

[image: data source expression for the updated rule (Event ID 4624, Parameter 9 = 10)]

 

So – I will ONLY get alerts on those specific events.  But wait – I need to customize my Alert description!  I can use the same “cheat”.  In my alert description I want to state something like “Username logged on to ServerName from IPAddress”.  I can get all of that, and the parameter numbers, right from this event:

 

[image: Details tab of event 4624, used to count the user name, server name and IP address parameters]

 

Counting down – I can see this is parameter 6, 12, and 19.  So I make my alert description look like so:

 

[image: alert description using parameters 6, 12 and 19]

 

And my alert?

 

[image: the resulting alert]

 

Perfect!

Use this method to quickly figure out which parameters you want for your rule criteria, and your alert descriptions.

 

 

UPDATE – 2-25-2009 

I have to update this post, based on the comment from Raphael Burri (http://rburri.wordpress.com/).

 

In addition to the easy way to find out parameters in Server 2008, he commented on an even better way to bring rich alert descriptions in… without much work.

 

So for this example – I will create a new rule – which will alert me when someone types a bad password while accessing my Terminal Server:

The event in question – has changed from EventID 528 on Server 2000/2003 – to EventID 4625 on Server 2008:

 

[image: the Server 2008 security event, ID 4625]

 

Now – instead of using event parameter numbers in my Alert Description, I will use the event XPath name straight from the event!  Open the event and choose the Details tab.  Then choose the XML view.  It looks like this:

 

[image: XML view of event 4625, showing the EventData Data Name attributes]

 

Now – to capture ANY of these “Event Data” fields, we could use parameters, counting down like the example I posted above.  OR – we can simply pull the parameter name, which is given to us right in the event:

Simply use this format:

$Data/EventData/DataItem/EventData/Data[@Name='EventParameterName']$

 

For instance… I want my alert description for this alert to state:

 

(Username) typed a bad password accessing directly from computer: (computername) from IP: (IP Address)

So from above – I can simply use the “Data Names” listed in the event data:

 

$Data/EventData/DataItem/EventData/Data[@Name='TargetUserName']$

$Data/EventData/DataItem/EventData/Data[@Name='WorkstationName']$

$Data/EventData/DataItem/EventData/Data[@Name='IpAddress']$

 

My alert description now looks like this:

[image: alert description using the Data Name tokens]

 

The alert comes in as:

 

[image: the resulting alert]

 

Thanks for the tip Raphael!
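The two “cheats” above (count down the Details tab, or take the Data Name from the XML view) can be done in one go from PowerShell. This is an added example, not code from the original post: it walks the EventData of a 4624 event and prints each field with the positional Parameter number used in rule criteria and the $Data/EventData/DataItem/EventData/Data[@Name='...']$ token used in alert descriptions. The embedded event is a constructed sample with placeholder values; the -Live switch, Get-EventDataMap function and field values are assumptions of this example.

```powershell
# Added example (not code from the original post): list the EventData fields of a
# Security event with both the positional "Parameter N" number used in rule criteria
# and the $Data/EventData/DataItem/EventData/Data[@Name='...']$ token used in alert
# descriptions. Run with -Live (elevated) to read the newest 4624 from the local
# Security log; otherwise a constructed sample is used so it runs anywhere.
param([switch]$Live)

# Constructed 4624 sample in the Server 2008 field order the post counts through
# (values are placeholders). Later Windows versions add fields, so live numbers
# can differ; the Name-based token does not.
$fields = 'SubjectUserSid=S-1-5-18', 'SubjectUserName=TS01$', 'SubjectDomainName=EXAMPLE',
  'SubjectLogonId=0x3e7', 'TargetUserSid=S-1-5-21-1-2-3-1001', 'TargetUserName=jdoe',
  'TargetDomainName=EXAMPLE', 'TargetLogonId=0x5a1b2', 'LogonType=10', 'LogonProcessName=User32',
  'AuthenticationPackageName=Negotiate', 'WorkstationName=TS01', 'LogonGuid={00000000-0000-0000-0000-000000000000}',
  'TransmittedServices=-', 'LmPackageName=-', 'KeyLength=0', 'ProcessId=0x4d0',
  'ProcessName=C:\Windows\System32\winlogon.exe', 'IpAddress=192.0.2.10', 'IpPort=49231'
$dataXml = ($fields | ForEach-Object { $n, $v = $_ -split '=', 2; "<Data Name=`"$n`">$v</Data>" }) -join ''
$sampleXml = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
  "<System><EventID>4624</EventID></System><EventData>$dataXml</EventData></Event>"

function Get-EventDataMap {
    # Walks the <Data> children in document order; the 1-based position is the
    # "Parameter N" number SCOM uses, the Name attribute feeds the XPath token.
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $i = 0
    foreach ($d in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $i++
        $name = $d.GetAttribute('Name')
        [pscustomobject]@{
            Parameter  = $i
            Name       = $name
            Value      = $d.InnerText
            AlertToken = "`$Data/EventData/DataItem/EventData/Data[@Name='$name']`$"
        }
    }
}

if ($Live) {
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 -ErrorAction Stop
    $eventXml = [xml]$ev.ToXml()
} else {
    $eventXml = [xml]$sampleXml
}

# With the sample: LogonType is Parameter 9; TargetUserName, WorkstationName and
# IpAddress are 6, 12 and 19, matching the counts in the post.
Get-EventDataMap -EventXml $eventXml | Format-Table -AutoSize
```

Because positional numbers shift whenever a Windows version adds a field to an event, the Name-based token is the safer choice for rules you expect to keep across OS upgrades.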

Comments (7)

  1. Raphael Burri says:

    Hi Kevin

    Great post! But instead of counting the parameters, you could display the ‘XML View’ of a Windows 2008 event and then use the XPATH statements directly.

    So the TargetUserName would work out as (one line)

    EventData/DataItem/EventData/Data[@Name='TargetUserName']

    respectively

    $Data/EventData/DataItem/EventData/Data[@Name='TargetUserName']$

    Longer statements, but I love that my rules are much more readable like that if I ever have to come back and change them.

    Raphael

  2. Gavin says:

    Kevin

    What are you using to pull the logs together?  I am trying to pull the log files from about 40 servers on a frequent basis to a centralised server.  I have heard that LogParser cannot access Windows 2008 64 bit server.

    Any help is appreciated.  This needs to be an automated background type process.

  3. Ervin says:

    Hi Gavin,

    I do this kind of stuff w/ logparser. I use a scheduled script that exports the event data to a file (.evt) and then I use logparser to upload the content of the exported file to a database directly.

    This works fine, even for Windows 2008 64 bit server.

    I now have issues with the operation of Task Scheduler (Windows 2008 64 bit server) itself. If I run the task, either manually or scheduled, my script is not launched at all (although the history log states that it does). When I run the script manually, everything is just fine.

    Very annoying…

  4. vSphereKiwi says:

    @Ervin. Have you fixed the issue with Task Scheduler not running on Windows 2008 64bit? I think it's not working because the "Start in (optional)" info within "Edit Actions" is missing. I know it says it is optional, but it should say mandatory instead. If you provide the folder name where you are running the script from without the quotes, it will work.

    I hope this info helps.

  5. Aniruddha Kaslikar says:

    Hello Kevin,

    I am trying to set the Event Source as "Microsoft-Windows-Security-Auditing" along with the event id & event level, however something is wrong with it as the server for which I set up the Audit Logon Failure rule is not alerting on the SCOM server. FYI, I cannot bypass the Event Source for the Windows 2008 server as it is a mandatory field I need to include in the expression.

    Just wanted to know the exact event source for the Audit logon failure event ID 4625. Your help would be highly appreciated.

  6. Follow up question says:

    Hello Kevin,

    I am asking a simple question I know… but please humor me. When I am configuring the rule (Search for rule -> open properties -> Configuration Tab -> Edit the Data source) and on the "expression" tab where I am able to insert the parameter name, Operator, and Value, I would like to know what Parameter Name and Operator to tie the "$Data/EventData/DataItem/EventData/Data[@Name='TargetUserName']$" Value to? Looking for changes to the "Domain Admins, Enterprise Admins, and Schema Admins groups" and want to see what I can tie event IDs 4728 and 4729 to.

    I am seeing alerts in the console for all security groups and want to narrow it down to just the specific Admin groups, and am currently unsuccessful.

  7. Satyajit321 says:

    TYPO: 528 instead of 529 FAILURE Event

    The event in question – has changed from EventID 528 on Server 2000/2003 – to EventID 4625 on Server 2008:

    528->4624
    529->4625
