I wonder if someone can walk me through how to set up a monitor for logon
failures on SCOM 2007? I would like a warning at 20 login failures in 5
minutes.
I know how to overwrite for groups and that sort of config but I don't know
how to create the monitor itself. I know that you are meant to use the Windows
Operating monitor, but how?
I am new to SCOM and I need some walk-through steps.
Many Thanks
Emilia
Try creating a new monitor under the Authoring pane. Create a Repeated Event Detection
monitor to detect failed logon events. Target your domain controllers. You
should also take a look at the ACS feature of Ops Mgr, http://contoso.se/blog/?p=198
-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se
Thank you for that. I have created a monitor that targets event 532 and it
seems to work.
But I wonder what all the Rules are. Under Rules I have something called
Failed logon attempt. Says it's activated by default. Should I turn this off
to prevent getting double warnings?
I don't use ACS...
Many Thanks
I don't have that rule in my environment in front of me, but I guess that
is a rule collecting some kind of logon event. Take a look at the rule and
see what it does. I don't think you should disable it as long as you don't
know for sure what it does.
-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se
I can get the alert to work. I went to authoring pane and Windows Operating
monitor. Under security I created a new unit monitor and selected Repeated
Event Detection. Have tried all 3 kinds, Timer, manual and Windows event
reset. Then I have set event ID to equal 529 and tried with both Event source
and without. Then under Repeating settings I have said Count Mode = Timer
(have tried with count as well). Then I have set 30 sec for testing and logged
on incorrectly to one of the servers many times. I can see the event in the
event viewer of the server but no alerts get created even though I have set it
to create an alert at warning state.
Can you please help me? I want an alert when 20 logon failures have been
done in 5 minutes.
Many Thanks
Try configuring your repeated event monitor like this:
Target: suitable target
Log name: Application
Event Expression: Event ID equals X
Repeat Settings:
-Counter Mode: Trigger on count
-Compare Count: 20
-Based on a fixed simple recurring schedule
--Period: 5 Minutes
Alerting: Generate alerts for this monitor
-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se
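The threshold from the settings above (20 matching events in a 5-minute period), modelled in Python as an added example; it is not code from the thread or from Operations Manager. It assumes the fixed recurring schedule behaves as consecutive 5-minute buckets, and the host names, timestamps and the sliding-window comparison are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {529, 532}   # event IDs mentioned in the thread
COMPARE_COUNT = 20              # "Compare Count: 20"
PERIOD = timedelta(minutes=5)   # "Period: 5 Minutes"

def fixed_period_breaches(events, start):
    """Count matching events per (computer, fixed period) and return the
    buckets that reach COMPARE_COUNT. Assumed model: periods are
    consecutive 5-minute buckets aligned to `start`."""
    buckets = Counter()
    for ts, computer, event_id in events:
        if event_id in FAILED_LOGON_IDS and ts >= start:
            buckets[(computer, (ts - start) // PERIOD)] += 1
    return sorted((c, start + i * PERIOD, n)
                  for (c, i), n in buckets.items() if n >= COMPARE_COUNT)

def sliding_breaches(events):
    """Computers where any COMPARE_COUNT matching events fall inside one
    PERIOD, wherever that span starts (sliding window)."""
    per_host = {}
    for ts, computer, event_id in sorted(events):
        if event_id in FAILED_LOGON_IDS:
            per_host.setdefault(computer, []).append(ts)
    hits = set()
    for computer, stamps in per_host.items():
        for i in range(len(stamps) - COMPARE_COUNT + 1):
            if stamps[i + COMPARE_COUNT - 1] - stamps[i] < PERIOD:
                hits.add(computer)
                break
    return sorted(hits)

def burst(computer, event_id, first, n, step=10):
    """Constructed sample data: n events, one every `step` seconds."""
    return [(first + timedelta(seconds=step * k), computer, event_id)
            for k in range(n)]

START = datetime(2024, 1, 1, 9, 0)  # constructed period boundary
SAMPLE = (
    burst("DC01", 529, START + timedelta(seconds=30), 20)               # inside one period
    + burst("DC02", 532, START + timedelta(minutes=3, seconds=20), 20)  # straddles 09:05
    + burst("DC03", 528, START, 25)                                     # not a monitored ID
)

if __name__ == "__main__":
    print("fixed periods:", fixed_period_breaches(SAMPLE, START))
    print("sliding window:", sliding_breaches(SAMPLE))
```

In this model DC02's 20 failures split 10/10 across two fixed periods and stay under the count, which is worth keeping in mind when testing a monitor with a short burst of bad logons.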