The other day I was asked to assist with implementing the scenarios below:
I’ve decided to blog about it as I am likely to need it again in the future and it may help someone else as well!
Create an ‘Alert Generating Rule’ as below: (more info... and how to) Note: Rules are used here instead of monitors as monitors will affect Parent Monitors while rules will not.
Operations Console > Authoring > Rules > Create a new rule
Note: Create a new destination management pack if required, then click Next.
Configure the event expression as depicted in the image.
We will use the following event IDs in this section:
632 – A member was added to a global group.
633 – A member was removed from a global group.
Note there are two ways to do this:
Method 1 is preferred.
Next steps:
Create an ‘Alert Generating Rule’ as below: (more info... and how to)
We will use the following event ID in this section:
612 – An audit policy was changed.
Disclaimer: This is a complex scenario and I am not sure that my proposed solution is the simplest... it works though! :-)
The following is relatively easy to do though:
· Create an alert for each Unsuccessful Logon.
· Create an alert for each Unsuccessful Logon for a specific user.
· Create one suppressed alert (i.e. repeat count is increased) for all Unsuccessful Logons.
· Create one suppressed alert per user account that attempted an unsuccessful logon. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx. I documented only this scenario below.
(Create one suppressed alert per user account that attempted an unsuccessful logon. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx.)
Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...)
```powershell
# The name i.e. "Custom Rule - Count Unsuccessful Logons" below must match the rule name that is used to create the suppressed alert.
# Script requires Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1 to be in "c:\Program Files\System Center Operations Manager 2007" - Change as required.
add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client";
Set-Location "c:\Program Files\System Center Operations Manager 2007";
.\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1;
# Close every open (ResolutionState 0) alert raised by the counting rule. Run once a day so that
# each day starts a fresh suppressed alert (and RepeatCount) per account.
get-alert | where {($_.Name -eq "Custom Rule - Count Unsuccessful Logons") -and ($_.ResolutionState -eq "0")} | resolve-alert -comment "CLOSE daily informational alerts" | out-Null;
```
Enable newly created rule for ‘all objects of class: Root Management Server’ by using an override. (more info...)
```powershell
# NotifyULogon.ps1
# Author: Johan Vosloo
# Date: 29-10-2009
# Credit: Adapted from http://contoso.se/blog/?p=290
# Script requires Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1 to be in
# "c:\Program Files\System Center Operations Manager 2007" - Change as required.
# Change the Notification Recipient below.
$Recipient = "security@paris.com";
add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client";
Set-Location "c:\Program Files\System Center Operations Manager 2007";
.\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1;
# The name i.e. "Custom Rule - Count Unsuccessful Logons" below must match the rule name that is used to create the suppressed alert.
# Select only open alerts (ResolutionState 0) whose RepeatCount is above the threshold and that have
# not been notified yet (CustomField1 still empty).
$alertdata = get-alert | where {($_.Name -eq "Custom Rule - Count Unsuccessful Logons") -and ($_.ResolutionState -eq "0") -and ($_.RepeatCount -gt 3) -and ([string]::IsNullOrEmpty($_.CustomField1))} | Foreach {
    $alert_id = $_.Id;
    $alert_name = $_.Name;
    $alert_TimeRaised = $_.TimeRaised;
    $alert_Desc = $_.Description;
    $alert_RepeatCount = $_.RepeatCount;
    $alert_Severity = $_.Severity;
    $alert_priority = $_.Priority;
    $alert_MonitoringObjectDisplayName = $_.MonitoringObjectDisplayName;
    If ($alert_RepeatCount -gt 3) {
        # Send Email
        If ($alert_ID -eq $NULL) {"Alert ID is NULL, dont send e-mail";}
        ELSEIF ($recipient -eq $NULL) {"Recipient is NULL, dont send e-mail";}
        ELSE {
            # Change the from address and the mailserver below
            $smtpServer = "mailserver.paris.com";
            $smtpClient = new-object system.net.mail.smtpClient($smtpServer);
            $From = "notification@paris.com";
            $To = $recipient;
            $Title = "Notification from Ops Mgr. $alert_name $alert_Severity";
            $Body = @"
Notification from Operations Manager 2007
RepeatCount: $alert_RepeatCount
Raised: $alert_TimeRaised
Name: $alert_name
Object: $alert_MonitoringObjectDisplayName
Priority: $alert_Priority
Severity: $alert_Severity
Description: $alert_Desc
"@
            $SmtpClient.Send($From,$To,$Title,$Body);
            # Update Custom Field 1 on the alert, else the script will send multiple e-mails for the same alert.
            $alert = Get-Alert | where {$_.Id -eq $Alert_ID};
            $alert.Customfield1 = "Ops Mgr has sent e-mail to $recipient";
            $alert.Update("");
        };
    };
};
```
Disclaimer: This is another complex scenario and I am again not sure that my proposed solution is the simplest... it works though! :-)
(Create one suppressed alert per locked out user account. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx.)
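The unsuccessful-logon and lockout scenarios both rely on the same pattern: one suppressed alert per account, a RepeatCount that grows within a 24 hour window, a daily auto-resolve, and an hourly notification that must fire only once per alert. The following stand-alone script is an added illustration (not code from the original post) that models that pattern outside Ops Mgr on constructed events, so the interaction between the threshold, the auto-resolve window and the CustomField1 marker can be checked before touching the rules; the threshold value and the assumption that RepeatCount starts at 0 are mine.

```powershell
# Added illustration, not part of the original post: models the "one suppressed alert
# per account" pattern used above for unsuccessful logons and lockouts. All values
# below are constructed; $Threshold stands in for the "xx" in the scenario.
$Recipient   = "security@paris.com"   # recipient used in the notification script
$Threshold   = 3                      # assumed value for "xx"
$WindowHours = 24

# Constructed failed-logon events (account + time), deliberately not in time order.
$events = @(
    [pscustomobject]@{ Time = [datetime]"2009-10-29 08:05"; User = "PARIS\jdoe"   },
    [pscustomobject]@{ Time = [datetime]"2009-10-29 08:00"; User = "PARIS\jdoe"   },
    [pscustomobject]@{ Time = [datetime]"2009-10-29 08:07"; User = "PARIS\asmith" },
    [pscustomobject]@{ Time = [datetime]"2009-10-29 08:20"; User = "PARIS\jdoe"   },
    [pscustomobject]@{ Time = [datetime]"2009-10-29 08:30"; User = "PARIS\jdoe"   },
    [pscustomobject]@{ Time = [datetime]"2009-10-29 09:00"; User = "PARIS\jdoe"   },
    [pscustomobject]@{ Time = [datetime]"2009-10-30 10:00"; User = "PARIS\jdoe"   }
)

function Get-SuppressedAlerts {
    param([object[]]$Events, [int]$Threshold, [int]$WindowHours)
    $open   = @{}   # account -> open alert; the account is the suppression key
    $closed = @()
    foreach ($e in ($Events | Sort-Object Time)) {
        $a = $open[$e.User]
        # Daily auto-resolve: an alert older than the window is closed (ResolutionState 255)
        # and the next event for that account raises a fresh alert with a fresh count.
        if ($a -and (($e.Time - $a.TimeRaised).TotalHours -ge $WindowHours)) {
            $a.ResolutionState = 255; $closed += $a; $a = $null
        }
        if (-not $a) {
            # New alert: RepeatCount starts at 0 (assumed), CustomField1 empty.
            $a = [pscustomobject]@{ User = $e.User; TimeRaised = $e.Time; RepeatCount = 0
                                    ResolutionState = 0; CustomField1 = $null }
            $open[$e.User] = $a
        } else {
            $a.RepeatCount++   # suppressed duplicate: same alert, count incremented
        }
        # Hourly notification: mail once when the count exceeds the threshold. The
        # CustomField1 marker is what stops the next hourly run from mailing again.
        if ($a.RepeatCount -gt $Threshold -and [string]::IsNullOrEmpty($a.CustomField1)) {
            $a.CustomField1 = "Ops Mgr has sent e-mail to $Recipient"
        }
    }
    return ($closed + @($open.Values))
}

Get-SuppressedAlerts -Events $events -Threshold $Threshold -WindowHours $WindowHours |
    Format-Table User, TimeRaised, RepeatCount, ResolutionState, CustomField1 -AutoSize
```

With these inputs PARIS\jdoe's first-day alert ends at RepeatCount 4 with the e-mail marker set and is closed by the 24 hour window, the next-day event opens a new alert at RepeatCount 0, and PARIS\asmith never crosses the threshold, so no marker is written for that account.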