SCOM Event Log Monitoring – Filtering based on content in the Description field

The following is information on how to get SCOM (System Center Operations Manager) 2007 to generate alerts based on the description field of windows event log entries.

1. If you want to filter based on content in the Description field, determine the parameter number that relates to the text you want to find. To find the parameter number, see the following post:

http://blogs.technet.com/stefan_stranger/archive/2008/05/13/opsmgr-2007-parameters-explained.aspx

2. When specifying what to search for, note that the content displayed in the Event Viewer is not always the same as what you need to filter against in SCOM.

E.g. security event id 560, under accesses, event viewer can show WRITE_DAC, but if you filter against parameter 15 for WRITE_DAC it will not work.

The following command will create a text file with all events of type 560, if you then search this file for the specific event you are looking at in event viewer, you can match with what SCOM sees and what the event viewer sees.

LogParser.exe -q:ON "SELECT Strings AS Parameters FROM Security WHERE EventID=560" > 560.txt

Using the above you can determine that in SCOM you need to filter for 'Parameter 15 contains 1539'. You can also use this to find the parameter number (parameter numbers are counted from the left starting at 1, not 0).

3. I haven't had success filtering on event type (EventType) yet; including it in the filter stopped SCOM from picking up the alert.

4. Create a test rule in the management pack in which you are creating the event log monitoring rule(s): a basic search of the Application log for Source "User Event". Then use the logevent application (http://support.microsoft.com/kb/315410) to create a test event, to confirm that your management pack is actively running on the target device.

e.g.

logevent -s I -e 45 "Test Event"

Logevent download at: http://www.petri.co.il/download_free_reskit_tools.htm

5. You can also check the Operations Manager Windows event log to see that it has downloaded your changes, but step 4 will tell you for sure. This log will also contain entries if Operations Manager can't keep up with the event log and is falling behind in monitoring it.

6. Monitors are for things that affect the health of an object; rules are for monitoring things that don't affect object health.

There are 3 types of monitors for the Windows event log: manual health reset, automatic reset after a set time, and automatic reset after a specific event has been received.

7. Use trial and error: start with basic filtering criteria, check that you receive alerts, then make the criteria more specific, checking at each step that you still receive an alert, and being careful not to create a filter so generic that it results in hundreds of alerts.

8. To avoid possible performance issues during step 7, test against a single device: disable your rule and override it to enabled for that specific device only, then remove the override and re-enable the rule once you know it is working, if required.

9. Too many event log monitors could reduce the system wide performance of the monitored device(s).

10. It is possible to filter based on the entire description field, using a parameter with name EventDescription (howto: http://contoso.se/blog/?p=250), but it is recommended to use parameters instead as searching the entire description will have a greater system wide performance impact on the monitored device(s).
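The parameter-number lookup from steps 1 and 2, as an added example (not part of the original post): it reads rows in the form the LogParser command above writes, where LogParser joins an event's insertion strings with "|" (its default separator for the EVT input format, assumed here) and SCOM numbers those same strings from 1, and reports which parameter number carries the text you want to filter on. The sample rows are constructed placeholders, not real exported data.

```python
"""Map text seen in Event Viewer to the SCOM parameter number to filter on.
Input rows come from the step 2 command, which writes one event per line:
  LogParser.exe -q:ON "SELECT Strings AS Parameters FROM Security WHERE EventID=560" > 560.txt
LogParser joins an event's insertion strings with "|"; SCOM numbers them from 1.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional

STRINGS_SEP = "|"  # LogParser's default -stringsSep for the EVT input format (assumed)

def parameters_containing(row: str, needle: str) -> List[int]:
    """1-based parameter numbers whose raw value contains needle."""
    values = row.rstrip("\r\n").split(STRINGS_SEP)
    return [n for n, value in enumerate(values, start=1) if needle in value]

def survey(rows: Iterable[str], needle: str) -> Dict[int, int]:
    """Count, across all rows, which parameter numbers contain needle."""
    hits: Counter = Counter()
    for row in rows:
        if row.strip():  # skip blank lines in the exported file
            hits.update(parameters_containing(row, needle))
    return dict(hits)

def best_parameter(rows: Iterable[str], needle: str) -> Optional[int]:
    """Parameter number that most often carries needle, or None if never seen."""
    hits = survey(rows, needle)
    return max(hits, key=hits.get) if hits else None

def scom_expression(param_no: int, needle: str) -> str:
    """Criterion as it is worded in the SCOM rule wizard."""
    return f"Parameter {param_no} contains {needle}"

def sample_row(values: Dict[int, str], width: int = 16) -> str:
    """Constructed row of placeholder strings p1..pN with some positions overridden."""
    parts = [f"p{i}" for i in range(1, width + 1)]
    for n, value in values.items():
        parts[n - 1] = value
    return STRINGS_SEP.join(parts)

# Constructed sample rows, not real exported data. Event Viewer renders the
# access token %%1539 as WRITE_DAC; the raw string SCOM matches holds only the id.
SAMPLE_560 = [
    sample_row({3: r"C:\share\payroll.xls", 15: "%%1538 %%1539"}),
    sample_row({3: r"C:\share\readme.txt", 15: "%%1538"}),
    "",
]

if __name__ == "__main__":
    print(survey(SAMPLE_560, "WRITE_DAC"))  # {} : the viewer's text is not in the raw strings
    print(scom_expression(best_parameter(SAMPLE_560, "1539"), "1539"))
```

Point `survey` at the lines of your own 560.txt and at the text you saw in Event Viewer; an empty result means the viewer rendered a message id, so search for the id instead.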

[...]

Effective alerting of infrastructure incidents

When a critical incident occurs that causes one or more of your systems to lose redundancy or result in loss of service, how do you ensure that the relevant people are notified?

The key requirement for such a solution is one that has the following features:

a) Escalation path
You don't want an incident to go unchecked because the person the incident notification went to failed to receive it for whatever reason. An escalation path ensures that someone is notified, by escalating to other contact methods for that person, or to other people, until a receipt acknowledgement is received (typically by pressing a button in the case of a voice alert, or by replying to an SMS or email message).

b) Date scheduling
If you have staff that work on a shift basis, then you will want the system to be able to be programmed with those shift patterns.

c) Voice Alerting
Ideally, a combination of both SMS text and voice alerting capabilities, as voice calls are more easily heard on most devices out of the box than SMS text messages, and voice allows fallback to landline telephones.

[...]

Low cost intelligent call routing

I've been looking for a while for a call forwarding option that would allow intelligent call routing to a high level of detail, and today I found it: forwarding can be set by date and time along with a whole host of other features, the number of which is outstanding.

In the United Kingdom: http://www.ringcentral.bt.com/

In the USA: http://www.ringcentral.com/

Features (UK Version):
0800 Numbers
0844 Numbers
Voicemail with Email Delivery
Internet Fax
Auto-Attendant and Extensions
Dial-by-name Directory
In-Queue Music and Messages
Call Diversion with FindMe
Call Management
Time of day Routing and Answering Rules
Call Screening
Desktop Call Controller
Call Logs
RingMe Click-to-Call from the Web
Outlook Integration

[...]

Intel Premier IT Professional – Sharing best practices with the IT Community

http://ipip.intel.com/go/ [...]

Junk Mail Filtering Success – Mail sent to invalid addresses

In the office, the quantity of blocked junk mail has increased significantly and is now running at 1/2 million blocked messages per month.

After observing that my personal domain has started to see an increase in junk mail sent to invalid addresses, I configured our mail system to differentiate between junk mail sent to valid internal addresses and invalid internal addresses.

The results have been a huge success, showing that 50% of all mail received is sent to invalid addresses, cutting the size of our junk mail queues in half overnight.
[...]

Cisco reduces the frequency of non-critical IOS updates to twice a year

“Cisco is announcing program changes for the publication schedule for Cisco Internetwork Operating System (IOS) Security Advisories.

Starting on March 26, 2008, Cisco will release bundles of IOS Security Advisories on the fourth Wednesday of the month in March and September of each calendar year.

This schedule change will not restrict us from promptly publishing an individual IOS security advisory for a serious vulnerability which is publicly disclosed or for which we are aware of active exploitation.

Cisco is adopting this approach in response to extensive feedback from customers, who seek further predictability for support planning and deployment cycles.

The current format of IOS Security Advisories will remain the same. The software table in the advisory includes a list of recommended releases (where possible) for each software train that addresses all of the security vulnerabilities included in the bundle.

All other non-IOS Cisco security vulnerabilities will continue to be announced per Cisco’s standard disclosure policy, available at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.”

Source: http://www.cisco.com/en/US/products/products_security_advisories_listing.html [...]