Monitor Logon Failures in SCOM 2007


Millan

Jan 3, 2008, 4:48:01 AM
Hi,

I wonder if someone can walk me through how to set up a monitor for logon
failures on SCOM 2007? I would like a warning at 20 login failures in 5
minutes.

I know how to overwrite for groups and that sort of config but I don't know
how to create the monitor itself. I know that you are meant to use the Windows
Operating monitor, but how?

I am new to SCOM and I need some walkthrough steps.

Many Thanks

Emilia

Anders Bengtsson

Jan 3, 2008, 5:49:21 AM
Hi Millan,

Try creating a new monitor under the Authoring pane. Create a Repeated Event Detection
monitor to detect failed logon events. Target your domain controllers. You
should also take a look at the ACS feature of Ops Mgr, http://contoso.se/blog/?p=198

-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se




Millan

Jan 3, 2008, 5:57:11 AM
Hi Anders,

Thank you for that. I have created a monitor that targets event 532 and it
seems to work.
But I wonder what all the Rules are. Under Rules I have something called
Failed logon attempt. It says it's activated by default. Should I turn this off
to prevent getting double warnings?

I don't use ACS...

Many Thanks

Anders Bengtsson

Jan 3, 2008, 6:06:12 AM
Hi Millan,

I don't have that rule in my environment in front of me, but I guess that
is a rule collecting some kind of logon event. Take a look at the rule and
see what it does. I don't think you should disable it as long as you don't
know for sure what it does.

-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se



Millan

Jan 3, 2008, 9:44:05 AM
Hi again,

I can get the alert to work. I went to the Authoring pane and Windows Operating
monitor. Under Security I created a new unit monitor and selected Repeated
Event Detection. I have tried all 3 kinds: Timer, Manual and Windows event
reset. Then I set the event ID to equal 529 and tried both with Event source
and without. Then under Repeating settings I set Count Mode = Timer
(I have tried with count as well). Then I set 30 sec for testing and logged
on incorrectly to one of the servers many times. I can see the event in the
event viewer of the server but no alerts get created even though I have set it
to create an alert at warning state.

Can you please help me? I want an alert when 20 logon failures have been
done in 5 minutes.

Many Thanks

Anders Bengtsson

Jan 3, 2008, 3:50:36 PM
Hi Millan,

Try configuring your repeated event monitor like this:

Target: suitable target
Log name: Application
Event Expression: Event ID equals X
Repeat Settings:
-Counter Mode: Trigger on count
-Compare Count: 20
-Based on a fixed simple recurring schedule
--Period: 5 Minutes
Alerting: Generate alerts for this monitor


-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se
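
The "20 failures in 5 minutes" threshold from this thread, as an added example that is not part of the original posts and is not SCOM's own implementation. It assumes a fixed recurring schedule counts events in non-overlapping 5-minute periods and compares that with a sliding window over the same constructed events; all function names and the sample data are hypothetical.

```python
from collections import deque
from datetime import datetime, timedelta

PERIOD = timedelta(minutes=5)   # "Period: 5 Minutes" from the thread
COMPARE_COUNT = 20              # "Compare Count: 20" from the thread
EVENT_ID = 529                  # event ID the poster tested with

def fixed_schedule_alerts(events, start, period=PERIOD, threshold=COMPARE_COUNT):
    """Count matching events per fixed period aligned to `start`; return
    the start time of every period whose count reaches the threshold."""
    counts = {}
    for ts, event_id in events:
        if event_id != EVENT_ID or ts < start:
            continue
        bucket = start + ((ts - start) // period) * period
        counts[bucket] = counts.get(bucket, 0) + 1
    return sorted(b for b, n in counts.items() if n >= threshold)

def sliding_window_alerts(events, period=PERIOD, threshold=COMPARE_COUNT):
    """Return the time of each event that is the threshold-th match inside
    the preceding `period`; the window is cleared after each alert."""
    window, alerts = deque(), []
    for ts, event_id in sorted(events):
        if event_id != EVENT_ID:
            continue
        window.append(ts)
        while ts - window[0] >= period:   # drop matches older than the period
            window.popleft()
        if len(window) >= threshold:
            alerts.append(ts)
            window.clear()
    return alerts

# Constructed sample data (not real logs): two bursts of 20 failures, 10 s apart.
START = datetime(2008, 1, 3, 9, 0, 0)
BURST_A = [(START + timedelta(minutes=3, seconds=30 + 10 * i), 529) for i in range(20)]
BURST_B = [(START + timedelta(minutes=10, seconds=10 * i), 529) for i in range(20)]
SAMPLE = BURST_A + BURST_B + [(START + timedelta(minutes=4), 532)]  # 532 is ignored

def hhmmss(times):
    return [t.strftime("%H:%M:%S") for t in times]

if __name__ == "__main__":
    # Burst A straddles the 09:05 boundary (9 + 11 events), so only burst B
    # trips the fixed schedule; the sliding window catches both bursts.
    print("fixed:  ", hhmmss(fixed_schedule_alerts(SAMPLE, START)))
    print("sliding:", hhmmss(sliding_window_alerts(SAMPLE)))
```

When testing a threshold monitor with manual bad logons, a burst that crosses a period boundary can be split across two counts in this fixed-period model, so generate the test events well inside one period.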


