SCOM Domain / Enterprise Admin Group Auditing


KThomas

Jan 4, 2008, 4:13:02 PM
I have reviewed the document at http://contoso.se/blog/?p=109 and it is great
for MOM 2005 but I want to create the same monitoring in SCOM 2007. The
issue I cannot seem to resolve is using the "matches wildcard" option with
the Event Description.

What I have tried with my SCOM Rule is
"Use parameter name not specified above" since Event Description is not a
default option. The custom parameter I use is $Data/EventDescription$ with
operator of "matches wildcard" and the value "*Domain Admins*".

Any help is appreciated... TIA

KThomas

KThomas

Jan 4, 2008, 4:16:04 PM
The rule does work and alert if I just look for the Event IDs of 632 and 633.

Anders Bengtsson

Jan 4, 2008, 4:53:58 PM
Hi KThomas,

Try $Data/Context/Context/DataItem/EventDescription$ or $Data/Context/EventDescription$
instead.
Also, in Ops Mgr 2007, you have the ACS feature that can help you monitor
security within your organization.

-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se


K> The rule does work and alert if I just look for the Event IDs of 632
K> and 633
K>
K> "KThomas" wrote:
K>

KThomas

Jan 4, 2008, 5:56:01 PM
Thanks for the response... I will try them on Monday. One thing that is
interesting is when I use $Data/EventDescription$ for the Alert Description
it works fine. I will let you know if the other two options you suggested
work.

I am aware of ACS and currently looking at what it takes to deploy it and in
our environment it could require a lot of resources from the data storage
(database) side but I am not 100% on everything that it takes at this point.

Thanks Again,
KThomas

Anders Bengtsson

Jan 5, 2008, 10:41:37 AM
Hi KThomas,

Here is a step-by-step guide for you: http://contoso.se/blog/?p=250


-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se


K> Thanks for the response... I will try them on Monday. One thing that
K> is interesting is when I use $Data/EventDescription$ for the Alert
K> Description it works fine. I will let you know if the other two
K> options you suggested work.
K>
K> I am aware of ACS and currently looking at what it takes to deploy it
K> and in our environment it could require a lot of resources from the
K> data storage (database) side but I am not 100% on everything that it
K> takes at this point.
K>
K> Thanks Again,
K> KThomas
K> "Anders Bengtsson" wrote:
K>

KThomas

Jan 7, 2008, 10:22:02 AM
Anders... Thank you! Your solution worked.

I have been trying to find a list of values that could be used in the custom
parameters field but I never found one and assumed that I needed to use some
type of variable.

Thanks Again,
KThomas
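
The rule logic discussed in this thread (Event IDs 632 and 633 combined with a "matches wildcard" test of `*Domain Admins*` against the event description), as an added PowerShell example that is not part of any post and is not how SCOM evaluates the rule. The function name, the input object shape (`Id`, `TimeCreated`, `Message`) and the sample events are assumptions constructed for illustration.

```powershell
# Added example, not from the thread: event ID 632/633 AND a wildcard on the description.
function Select-GroupMembershipChange {
    [CmdletBinding()]
    param(
        # Any object with Id, TimeCreated and Message properties (assumed shape).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject,
        [int[]]$EventId = @(632, 633),
        [string]$Pattern = '*Domain Admins*'
    )
    process {
        # Test 1: the event ID, the part of the rule reported as working on its own.
        if ($EventId -notcontains $InputObject.Id) { return }
        # Test 2: "matches wildcard" on the description (-like is case-insensitive).
        if ($InputObject.Message -notlike $Pattern) { return }
        [pscustomobject]@{
            TimeCreated = $InputObject.TimeCreated
            Id          = $InputObject.Id
            Action      = switch ($InputObject.Id) {
                632     { 'Member added' }
                633     { 'Member removed' }
                default { 'Other' }
            }
            Message     = $InputObject.Message
        }
    }
}

# Constructed sample events; descriptions are abbreviated, not real log output.
$sample = @(
    [pscustomobject]@{ Id = 632; TimeCreated = [datetime]'2008-01-04T16:10:00'
        Message = 'Security Enabled Global Group Member Added: Target Account Name: Domain Admins' }
    [pscustomobject]@{ Id = 632; TimeCreated = [datetime]'2008-01-04T16:11:00'
        Message = 'Security Enabled Global Group Member Added: Target Account Name: Helpdesk' }
    [pscustomobject]@{ Id = 633; TimeCreated = [datetime]'2008-01-04T16:12:00'
        Message = 'Security Enabled Global Group Member Removed: Target Account Name: Domain Admins' }
    [pscustomobject]@{ Id = 642; TimeCreated = [datetime]'2008-01-04T16:13:00'
        Message = 'User Account Changed: ... (mentions Domain Admins in free text)' }
)

# ID-only filtering would alert on three events; adding the wildcard leaves two.
$sample | Select-GroupMembershipChange | Format-Table TimeCreated, Id, Action -AutoSize
```

Event IDs 632 and 633 are logged for every security-enabled global group, which is why the description wildcard is needed to narrow alerts to one group.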
