SCOM Domain / Enterprise Admin Group Auditing
KThomas
2008-01-04 21:13:02 UTC
I have reviewed the document at http://contoso.se/blog/?p=109 and it is great
for MOM 2005 but I want to create the same monitoring in SCOM 2007. The
issue I cannot seem to resolve is using the "matches wildcard" option with
the Event Description.

What I have tried with my SCOM Rule is
"Use parameter name not specified above" since Event Description is not a
default option. The custom parameter I use is $Data/EventDescription$ with
operator of "matches wildcard" and the value "*Domain Admins*"

Any help is appreciated... TIA

KThomas
KThomas
2008-01-04 21:16:04 UTC
The rule does work and alert if I just look for the Event IDs of 632 and 633
Anders Bengtsson
2008-01-04 21:53:58 UTC
Hi KThomas,

Try $Data/Context/Context/DataItem/EventDescription$ or $Data/Context/EventDescription$
instead.
Also, in Ops Mgr 2007, you have the ACS feature that can help you monitor
security within your organization.



-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se


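To make the rule logic concrete, here is an added example (not code from the thread or from the contoso.se guide) that evaluates the same condition offline: event ID 632 or 633 and an event description that matches the wildcard "*Domain Admins*" (the title also mentions Enterprise Admins, so that pattern is included too). The events, the `SecurityEvent` type and the helper names are all constructed for this example; the matching semantics assumed are SCOM's case-insensitive `*`/`?` glob, not a regular expression.

```python
"""Offline evaluation of the SCOM 2007 event rule discussed in the thread.

Added illustration, not part of the original post. It replays the rule
condition (Event ID in {632, 633} AND description matches a wildcard)
against a few constructed Windows Server 2003-style security events.
"""
import fnmatch
from dataclasses import dataclass
from typing import Iterable, List

# Event IDs used in the thread (Windows 2003 security log):
#   632 = Security Enabled Global Group Member Added
#   633 = Security Enabled Global Group Member Removed
WATCHED_EVENT_IDS = {632, 633}

# Wildcards in the style of the "matches wildcard" operator. The first is the
# value KThomas used; the second is an assumption added to cover the
# "Enterprise Admin" half of the thread title.
GROUP_WILDCARDS = ["*Domain Admins*", "*Enterprise Admins*"]


@dataclass(frozen=True)
class SecurityEvent:
    """Constructed stand-in for the fields the rule looks at."""
    event_id: int
    source: str
    description: str


def matches_wildcard(text: str, pattern: str) -> bool:
    """Case-insensitive glob match (* and ?), assumed to mirror SCOM's operator.

    fnmatchcase is used so the result does not depend on the host OS; both
    sides are lower-cased to get case-insensitivity. Python's fnmatch lets *
    span newlines, which matters because event descriptions are multi-line.
    """
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def rule_fires(event: SecurityEvent) -> bool:
    """True when the event would satisfy the rule's condition."""
    if event.event_id not in WATCHED_EVENT_IDS:
        return False
    return any(matches_wildcard(event.description, p) for p in GROUP_WILDCARDS)


def evaluate(events: Iterable[SecurityEvent]) -> List[SecurityEvent]:
    """Return the events that would raise an alert, in log order."""
    return [e for e in events if rule_fires(e)]


# Constructed sample events (not real log data). Descriptions follow the
# tab-separated multi-line layout of 2003-era security events.
SAMPLE_EVENTS = [
    SecurityEvent(632, "Security",
                  "Security Enabled Global Group Member Added:\n"
                  "\tMember Name:\tCN=jdoe,OU=Users,DC=contoso,DC=local\n"
                  "\tTarget Account Name:\tDomain Admins\n"
                  "\tTarget Domain:\tCONTOSO"),
    SecurityEvent(632, "Security",
                  "Security Enabled Global Group Member Added:\n"
                  "\tMember Name:\tCN=asmith,OU=Users,DC=contoso,DC=local\n"
                  "\tTarget Account Name:\tSales Staff\n"
                  "\tTarget Domain:\tCONTOSO"),
    SecurityEvent(633, "Security",
                  "Security Enabled Global Group Member Removed:\n"
                  "\tMember Name:\tCN=jdoe,OU=Users,DC=contoso,DC=local\n"
                  "\tTarget Account Name:\tENTERPRISE ADMINS\n"
                  "\tTarget Domain:\tCONTOSO"),
    # Right text, wrong event ID: the rule must not fire on this one.
    SecurityEvent(528, "Security",
                  "Successful Logon:\n\tUser Name:\tjdoe\n"
                  "\tGroup Membership:\tDomain Admins"),
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        first_line = hit.description.splitlines()[0]
        print(f"ALERT event {hit.event_id}: {first_line}")
```

Run as a script it prints two alerts (the 632 and 633 entries that name an admin group); the 632 for "Sales Staff" and the 528 logon are filtered out. Note that the wildcard is evaluated against the whole description, so a member whose distinguished name happens to contain the string would also match; if that is a concern, the same glob can be applied to the "Target Account Name" line only.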
KThomas
2008-01-04 22:56:01 UTC
Thanks for the response... I will try them on Monday. One thing that is
interesting is when I use $Data/EventDescription$ for the Alert Description
it works fine. I will let you know if the other two options you suggested
work.

I am aware of ACS and currently looking at what it takes to deploy it and in
our environment it could require a lot of resources from the data storage
(database) side, but I am not 100% on everything that it takes at this point.

Thanks Again,
KThomas
Anders Bengtsson
2008-01-05 15:41:37 UTC
Hi KThomas,

Here is a step-by-step guide for you: http://contoso.se/blog/?p=250


-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se


KThomas
2008-01-07 15:22:02 UTC
Anders.... Thank you! Your solution worked.

I have been trying to find a list of values that could be used in the custom
parameters field but I never found one and assumed that I needed to use some
type of variable.

Thanks Again,
KThomas