A list of all possible security events in the Windows Security Event Log

This may be old news, but it is a handy reference for OpsMgr admins when asked to monitor for specific events from security event logs:

Windows Server 2003: http://technet.microsoft.com/en-us/library/cc163121.aspx
Windows Server 2008: http://www.microsoft.com/download/en/details.aspx?id=17871
Windows Server 2008 R2: http://www.microsoft.com/download/en/details.aspx?id=21561

How to collect performance data for SQL databases (multi-instance objects)

I have had several blog posts in the past discussing how to write rules and monitors against multi-instance objects.  Special care must always be taken when writing workflows against classes where an agent can host more than one instance of the same class type.  Examples would be Logical Disk, SQL DB Engine, SQL Database, etc.

Monitoring Windows Services – Automatic, Manual, and Disabled, using CheckStartupType

The Basic Service Unit Monitor is a very common monitor type to check the running status of any Windows Service.   By default, this monitor is designed to ONLY monitor the service if the Startup Type is set to “Automatic”. This is because many services are set to manual or disabled…
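The following is an added example, not code from the original post, that reproduces the CheckStartupType logic outside of OpsMgr so you can see exactly which services the default monitor would and would not alert on. It reads Win32_Service.StartMode (Auto, Manual or Disabled) and only reports a service as unhealthy when it is set to Automatic and is not running; the function name and parameters are my own.

```powershell
# Added example (not from the original post): mirror the Basic Service Unit Monitor's
# CheckStartupType behaviour. A service is unhealthy only when StartMode is 'Auto'
# and it is not running; Manual and Disabled services are intentionally not running,
# so they never produce an alert when CheckStartupType is on.
function Test-AutomaticServiceState {
    param(
        [Parameter(Mandatory)][string]$Name,
        [bool]$CheckStartupType = $true   # same meaning as the monitor's CheckStartupType parameter
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        return [pscustomobject]@{ Name = $Name; StartMode = $null; State = 'NotInstalled'; Healthy = $false }
    }

    if ($CheckStartupType -and $svc.StartMode -ne 'Auto') {
        # Not an Automatic service: the monitor skips it, so report healthy regardless of state.
        $healthy = $true
    } else {
        # Automatic service (or CheckStartupType turned off): it must actually be running.
        $healthy = ($svc.State -eq 'Running')
    }

    [pscustomobject]@{
        Name      = $svc.Name
        StartMode = $svc.StartMode   # 'Auto', 'Manual' or 'Disabled'
        State     = $svc.State
        Healthy   = $healthy
    }
}

# Compare the two behaviours side by side: with CheckStartupType, RemoteRegistry (Manual on most
# servers) is healthy even when stopped; without it, every stopped service is flagged.
'Spooler', 'W32Time', 'RemoteRegistry' | ForEach-Object {
    Test-AutomaticServiceState -Name $_ -CheckStartupType $true
    Test-AutomaticServiceState -Name $_ -CheckStartupType $false
} | Format-Table -AutoSize
```

If you override CheckStartupType to false on a monitor, expect the second behaviour: every stopped instance of the service alerts, including servers where it was deliberately set to Manual or Disabled.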

How to create a group of objects, that are CONTAINED by some other group

I had an interesting customer request.  The customer has a boundary of responsibility where the OS/Hardware team is responsible for ALL C: drives on all servers.  However, the individual application teams are responsible for ALL OTHER disks, which are used for applications. Therefore, for notification purposes, the customer wanted to create groups of ALL disks,…

How to create a monitor to inspect the value of a registry key

In my previous post similar to this topic, we discussed how to check for the existence of a registry key or value, and alert/change state if it was missing.  But what if you want to inspect the contents of a registry value for specific data? For instance – what if we want to inspect a…

How to create a monitor for existence of a registry key

There are many examples of using a discovery for a new class or extended class, based on a registry key. What if – you just want to monitor for a specific registry key – and turn your agents to a warning or critical state if it is missing?    Consider the scenario: CompanyX stamps the…

Why do I have duplicate SQL databases or logical disks in the console after a version upgrade?

This is a rare but interesting scenario… which can cause you to see and monitor duplicate objects (and get duplicate alerts) for specific types of discovered hosted objects that have a parent class which was upgraded from one version to another. For instance – if you upgrade SQL 2005 > SQL 2008, or Windows 2000…

How to monitor events logged by another computer or cluster

Or – How to use the <AllowProxying> XML item.   When you monitor the event log in OpsMgr, there is some built-in security that the agent modules perform.  Normally this won't affect you, except for unique situations where events are logged from/by another computer, or in the case of MS Clusters, where events get…
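As an added example (not from the original post), the script below lists the events in a log whose Computer field does not match the local agent's name, which is the case the excerpt describes: cluster resources and events written on behalf of another machine. Those are the records an event rule would not process unless it sets <AllowProxying>. The function name and the host-name comparison are my own; the assumption is that the event module compares the event's Computer field against the agent's own computer name.

```powershell
# Added example (not from the original post): find events whose Computer field differs
# from this machine's name. These are the events an OpsMgr event rule silently skips
# unless AllowProxying is enabled in the rule's data source configuration.
function Get-ForeignComputerEvents {
    param(
        [string]$LogName   = 'System',
        [int]   $MaxEvents = 500
    )

    $local = $env:COMPUTERNAME

    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents |
        Where-Object {
            # MachineName is the Computer field of the record. Compare only the host part,
            # because the event may carry an FQDN while $env:COMPUTERNAME is the short name.
            ($_.MachineName -split '\.')[0] -ne $local
        } |
        Select-Object TimeCreated, Id, ProviderName, MachineName, LevelDisplayName
}

# Rows returned here are candidates for an AllowProxying rule; on a cluster node you should
# see the virtual cluster name in the MachineName column.
Get-ForeignComputerEvents -LogName 'System' | Format-Table -AutoSize
```

Run it on a cluster node or on a collector that receives forwarded events to confirm the Computer field really does differ before you go to the trouble of authoring a custom rule; on a standalone server it normally returns nothing.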

Using OpsMgr for intrusion detection and security hardening

Here is an interesting little concept of how to use OpsMgr. Because I have a lab that is exposed to the internet over port 3389, I get a LOT of hacking attempts on it.  Mostly the source is bots running on other compromised systems.  These bots just do brute force attacks against the…
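Below is an added example, not the post's own OpsMgr rules, showing the detection logic in plain PowerShell: failed logons (Security event 4625 on Server 2008 and later; the equivalent on Server 2003 is 529) are grouped by source IP, and any source above a threshold is reported as a brute-force candidate. The function names, the threshold and the sample records are constructed for this example.

```powershell
# Added example (not from the original post): count failed logons (Security 4625) per source IP
# to spot brute-force bots hitting an RDP-exposed host. Get-FailedLogonAttempts reads the live
# Security log; Find-BruteForceSources does the grouping and is run here on constructed data.
function Get-FailedLogonAttempts {
    param([int]$Hours = 1)

    $start = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $data['TargetUserName']
                SourceIp  = $data['IpAddress']
                LogonType = [int]$data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network
            }
        }
}

function Find-BruteForceSources {
    param(
        [Parameter(Mandatory)][object[]]$Attempts,
        [int]$Threshold = 10
    )

    $Attempts |
        Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |   # '-' means no network source recorded
        Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp = $_.Name
                Attempts = $_.Count
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join ','   # names the bot tried
            }
        } |
        Sort-Object Attempts -Descending
}

# Constructed sample input: one bot (203.0.113.45, a documentation address) cycling through
# common account names over RDP, plus two genuine typos from an internal workstation.
$sample = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ Time = Get-Date; Account = ('administrator', 'admin', 'test')[$_ % 3]; SourceIp = '203.0.113.45'; LogonType = 10 }
    }
    [pscustomobject]@{ Time = Get-Date; Account = 'kevin'; SourceIp = '192.168.1.20'; LogonType = 10 }
    [pscustomobject]@{ Time = Get-Date; Account = 'kevin'; SourceIp = '192.168.1.20'; LogonType = 10 }
)

# Only the bot crosses the threshold; the two typos from 192.168.1.20 are ignored.
Find-BruteForceSources -Attempts $sample -Threshold 10 | Format-Table -AutoSize

# Against the live log, for the last hour:
# Find-BruteForceSources -Attempts (Get-FailedLogonAttempts -Hours 1)
```

The same grouping is what an OpsMgr consolidation or correlation rule does for you on the agent; doing it once by hand like this is a quick way to pick a sensible threshold before you build the rule, and to confirm that the IpAddress field is actually populated for your logon type (network logons sometimes record '-').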

Adding event time to an alert description

We have several “Time” variables which you can add to a notification subscription format, each of which includes a timestamp of something related to the alert.  For instance, from: http://blogs.technet.com/kevinholman/archive/2007/12/12/adding-custom-information-to-alert-descriptions-and-notifications.aspx

$Data/Context/DataItem/LastModified$ - UTC Date/Time DataItem was modified
$Data/Context/DataItem/LastModifiedLocal$ - Local Date/Time DataItem was modified
$Data/Context/DataItem/TimeAdded$ - UTC Time Added
$Data/Context/DataItem/TimeAddedLocal$ - Local Time Added
$Data/Context/DataItem/TimeRaised$ - UTC Time Raised…

Writing monitors to target Logical or Physical Disks

This is something a LOT of people make mistakes on – so I wanted to write a post on the correct way to do this, using a very common target as an example. When we write a monitor for something like “Processor\% Processor Time\_Total” and target “Windows Server Operating System”…. everything is very simple. …

Making groups of logical disks – an example from simple to advanced

I have been seeing this question come up a lot lately – as customers try to create groups of their disks – in order to create overrides for “certain” disks.  So – I am creating this post to give some real world examples.   Well – I will start this simply.  Say we want to…

Creating custom dynamic computer groups based on registry keys on agents

I have had a few requests now for this, so I thought I would take the time to write up the process.     Let's say I have three support levels of servers:   Level 1 – servers critical to business operations (ex: customer facing web applications, SQL back-ends) Level 2 – important servers (ex:…

Quick tip – using regular expressions in a dynamic group

Here is a quick tip on using a regular expression when creating a group.   OpsMgr dynamic inclusion rules are case sensitive. If I have a group that I want to contain all computers that START with “OM”…. I can use the following expression:     The “^” anchors the expression to the start of the string……

How to find all possible event IDs for a given event source

I recently got this question from a customer… and felt it would be good to blog about this. The customer wants to create an Alert any time there is an event in the System event log from a USER32 event source:   HOWEVER – it is a best practice in SCOM – to create our event…
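As an added example (not the method shown in the original post), the function below pulls the list of event IDs a source can log from the provider metadata registered on the machine, so a rule can target specific IDs instead of "any event from USER32". It uses Get-WinEvent -ListProvider, which is available on Windows Vista / Server 2008 and later; the function name is my own, and for classic (non-manifest) sources such as USER32 some columns may come back empty.

```powershell
# Added example (not from the original post): enumerate every event ID a provider is
# registered to log, from its event metadata, with the first line of each description.
# Requires Get-WinEvent (Vista / Server 2008+) and the provider registered on this host.
function Get-ProviderEventIds {
    param([Parameter(Mandatory)][string]$ProviderName)

    $provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop

    $provider.Events |
        Select-Object Id,
            @{ Name = 'Level';       Expression = { $_.Level.DisplayName } },        # may be empty for classic sources
            @{ Name = 'Log';         Expression = { $_.LogLink.LogName } },
            @{ Name = 'Description'; Expression = { ($_.Description -split "`r?`n")[0] } } |
        Sort-Object Id -Unique
}

# USER32 is the source from the customer's question; 1074 (shutdown initiated by a process)
# is one of the IDs you should see listed, and the one most rules actually want.
Get-ProviderEventIds -ProviderName 'USER32' | Format-Table -AutoSize -Wrap

# To see which providers write to a given log at all:
# Get-WinEvent -ListLog System | Select-Object -ExpandProperty ProviderNames
```

With the list in hand, build the rule on the specific IDs that matter rather than on the source alone; a rule that fires on every event from a source generates alert noise and also makes it impossible to give each condition its own alert description and severity.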

What is a group anyway?

So – this is the first part of a multi-post series on creating groups.   The most common reason we create groups in OpsMgr… is to scope Notifications, Views, and to use for overrides. Most of the groups my customers create are dealing with Windows Computer objects.  The reason for this is that the Windows…

Populating groups from a SQL server CMDB – step by step

Boris wrote a cool article HERE on how to populate a group of computers in OpsMgr from an external source…. such as Active Directory.  In his published example – you run an LDAP query to AD, to return a recordset list of computers, in order to populate them into a group.  This post will extend…
