
I ran into an issue the other day where Account Lockout events (Event ID 644) did not display properly in the "All Events With Specified Event ID" ACS report.  I'm looking for the name of the computer that is listed as "Caller Machine Name" in the event (the machine that passed the bad credentials that caused the account to be locked).  According to the following info from http://support.microsoft.com/kb/301677, this should be seen as Parameter 2 (%2):

Event ID: 644 (0x0284)
Type: Success Audit
Description: User Account Locked Out
Target Account Name: %1
Target Account ID: %3
Caller Machine Name: %2
Caller User Name: %4
Caller Domain: %5
Caller Logon ID: %6


Here is the event from the Domain Controller:

image


Looking at the report, I would expect the String02 column to display this computer name, but instead it shows a SID. This is the SID of the account that has been locked out:

image

So, I look in the ACS database and see the following for the event (querying the adtserver.dvall5 view):

image

Looks like the TargetSid and String02 columns are reversed.  So, where does the Event Parameter --> Database Column mapping come from?  It comes from the EventSchema.xml file, which is located in the %windir%\system32\security\adtserver directory on the ACS collector.  Eric Fitzgerald has a great blog post on this at http://blogs.msdn.com/ericfitz/archive/2008/02/27/acs-event-transformation-demystified.aspx.  So, I open the EventSchema.xml file, search on '644' and find four instances of the following (the relevant parts are the AppendString calls for parameters 3 and 2, and the typeComputerName and typeTargetSid Param entries):

<Event SourceId="644" SourceName="SE_AUDITID_ACCOUNT_AUTO_LOCKED">
    <Call Name="AppendString" Param1="1" Param2="0" />
    <Call Name="AppendString" Param1="3" Param2="0" />
    <Call Name="AppendString" Param1="2" Param2="0" />
    <Call Name="AppendString" Param1="4" Param2="0" />
    <Call Name="AppendString" Param1="5" Param2="0" />
    <Call Name="AppendString" Param1="6" Param2="0" />
    <Call Name="AppendSidFromNames" Param1="4" Param2="5" />
    <Call Name="AppendNamesFromSid" Param1="3" Param2="0" />
    <Param TypeName="typeUserDn" />
    <Param TypeName="typeComputerName" />
    <Param TypeName="typeTargetSid" />
    <Param TypeName="typeClientUser" />
    <Param TypeName="typeClientDomain" />
    <Param TypeName="typeClientLogonId" />
    <Param TypeName="typeClientSid" />
    <Param TypeName="typeTargetUser" />
    <Param TypeName="typeTargetDomain" />
</Event>

Basically, what is happening here is that Parameter 3 (Target Account ID) is being converted to a SID and stored as String02, and Parameter 2 (Caller Machine Name) is being stored as TargetSID.  We need to fix this so that Parameter 2 (Caller Machine Name) is stored as String02 and the SID for Parameter 3 (Target Account ID) is stored as TargetSID.  To accomplish this, we only need to make the following change to each instance of Event 644 in the EventSchema.xml file:

Original:

    <Param TypeName="typeComputerName" />
    <Param TypeName="typeTargetSid" />

Change:

    <Param TypeName="typeTargetSid" />
    <Param TypeName="typeComputerName" />


All we are doing is switching the order so that typeTargetSid is listed second and typeComputerName is listed third.  We could probably accomplish the same thing by switching the corresponding "Call Name" lines instead.

Note that there are four instances of event 644 in the EventSchema.xml file; you'll need to change all of them.
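Since all four instances have to be changed and the real file is large, here is an added Python script (not part of the original post or of ACS) that audits a copy of EventSchema.xml for the swapped Param order in every 644 event and applies the swap. It assumes, as the post describes, that the Nth AppendString call pairs with the Nth Param entry; SAMPLE_SCHEMA is a constructed stand-in for the real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape the post shows for event 644 (a stand-in, not a
# copy of the real EventSchema.xml); the Param order is the original, swapped one.
SAMPLE_SCHEMA = """<EventSchema>
  <Event SourceId="644" SourceName="SE_AUDITID_ACCOUNT_AUTO_LOCKED">
    <Call Name="AppendString" Param1="1" Param2="0" />
    <Call Name="AppendString" Param1="3" Param2="0" />
    <Call Name="AppendString" Param1="2" Param2="0" />
    <Call Name="AppendString" Param1="4" Param2="0" />
    <Param TypeName="typeUserDn" />
    <Param TypeName="typeComputerName" />
    <Param TypeName="typeTargetSid" />
    <Param TypeName="typeClientUser" />
  </Event>
</EventSchema>"""

# Insertion-string numbers for event 644, from the KB 301677 excerpt in the post.
EVENT_644_PARAMS = {"1": "Target Account Name", "2": "Caller Machine Name",
                    "3": "Target Account ID", "4": "Caller User Name",
                    "5": "Caller Domain", "6": "Caller Logon ID"}

def events_644(root):
    return [e for e in root.iter("Event") if e.get("SourceId") == "644"]

def mappings_644(schema_xml):
    """Event field -> column type for every 644 event. Assumption taken from the
    post: each AppendString yields one value and the Param list types the
    yielded values in order, so the Nth AppendString pairs with the Nth Param."""
    result = []
    for ev in events_644(ET.fromstring(schema_xml)):
        calls = [c.get("Param1") for c in ev.findall("Call") if c.get("Name") == "AppendString"]
        types = [p.get("TypeName") for p in ev.findall("Param")]
        result.append({EVENT_644_PARAMS[n]: t for n, t in zip(calls, types)})
    return result

def fix_event_644(schema_xml):
    """Apply the post's fix: in each 644 event where typeComputerName precedes
    typeTargetSid, swap the two. Returns (fixed_xml, number_of_events_fixed)."""
    root = ET.fromstring(schema_xml)
    fixed = 0
    for ev in events_644(root):
        params = ev.findall("Param")
        names = [p.get("TypeName") for p in params]
        if "typeComputerName" in names and "typeTargetSid" in names:
            i_cn, i_sid = names.index("typeComputerName"), names.index("typeTargetSid")
            if i_cn < i_sid:
                params[i_cn].set("TypeName", "typeTargetSid")
                params[i_sid].set("TypeName", "typeComputerName")
                fixed += 1
    return ET.tostring(root, encoding="unicode"), fixed
```

Run fix_event_644 on the file contents and check that the returned count is four before writing the result back; a second run should report zero.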

So, after modifying and saving the EventSchema.xml file, I restart the Operations Manager Audit Collection Service on the Collector server (to force it to reload the event schema), and generate another account lockout.

Now, the event in the database looks like this:

image

And the report looks like this:

image


Perfect!!!


NOTE:

This change will NOT have any effect on existing 644 events in the database; it will only affect events that are created AFTER the change is made.

I recently had a customer who wanted to get an alert when a specific service is not Disabled and/or not Stopped.  I used the following steps to accomplish this using a "Timed Script Three State Monitor".  Even if you do not have this specific need, these steps can be used as a template for creating a monitor that uses a script to query WMI and change state or generate alerts based on the results.  If you don't need three states (Critical, Warning, Healthy), there is a Two State Monitor that can be used instead.


Create a new Monitor and select Scripting\Generic\Timed Script Three State Monitor:

image


Give it a name, target, etc. (I targeted the Windows Computer class, but Windows Operating System may be a better choice).  I try to make a habit of unchecking "Monitor is enabled" and enabling it with an override later, at least while testing it:

image


Set the schedule; this just depends on how quickly you want to know if the service gets changed:

image


Next, I used a basic VBScript which accepts a service name as a parameter, queries WMI for the service, and puts the Service Name, State (Running, Stopped, etc.), and StartMode (Disabled, Manual, Automatic) into property bag values.  The full text of the script is below the screenshot:

image


---------------------------------------------------------------------------------------------------

Option Explicit
Dim oAPI, oBag, oArgs, strComputer, ServName, namespace, servinfo, objservice

' Create the MOM script API and a property bag to hand the results back to the monitor
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

' The service name comes in as the first script argument (set through the override)
Set oArgs = WScript.Arguments
strComputer = "."
ServName = oArgs(0)

' Query the local WMI repository for the named service
Set namespace = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set servinfo = namespace.ExecQuery("select * from win32_service where name =" & """" & ServName & """")

' One row is expected; if the service does not exist the loop body never runs,
' so no property bag is returned and the monitor receives no data
For Each objservice In servinfo
    Call oBag.AddValue("ServiceName", ServName)
    Call oBag.AddValue("State", objservice.State)
    Call oBag.AddValue("StartMode", objservice.StartMode)
    Call oAPI.Return(oBag)
Next

---------------------------------------------------------------------------------------------------

For the script parameter, I just enter "ServiceName"; this will be replaced by an override later, or you can just enter your service name here:

image

Next, I set the "Unhealthy", "Degraded", and "Healthy" expressions for the monitor.  My goal is to set the state to Warning when the service is Stopped but NOT Disabled, Critical when it is NOT Stopped, and Healthy when it is Stopped AND Disabled.  I used the following expressions:

Unhealthy Expression:

Parameter Name: Property[@Name='State']

Operator: Does not equal

Value: Stopped

Degraded Expression:

Parameter Name: Property[@Name='StartMode']

Operator: Does not equal

Value: Disabled

AND

Parameter Name: Property[@Name='State']

Operator: Equals

Value: Stopped


Healthy Expression:

Parameter Name: Property[@Name='StartMode']

Operator: Equals

Value: Disabled

AND

Parameter Name: Property[@Name='State']

Operator: Equals

Value: Stopped


image

image

image
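To confirm that the three expressions above cover every State/StartMode combination WMI can report, with exactly one expression matching each, here is an added Python check that is not part of the original post or the attached MP. STATES and START_MODES are the Win32_Service value sets (WMI reports "Auto" for what services.msc displays as Automatic), and property_bag is a constructed stand-in for the bag the script returns.

```python
from itertools import product

# Value sets WMI reports for Win32_Service.State and Win32_Service.StartMode.
STATES = ("Stopped", "Start Pending", "Stop Pending", "Running",
          "Continue Pending", "Pause Pending", "Paused", "Unknown")
START_MODES = ("Boot", "System", "Auto", "Manual", "Disabled")

# The three monitor expressions from the post, evaluated against the property
# bag values the VBScript returns (State and StartMode).
EXPRESSIONS = {
    "Unhealthy": lambda bag: bag["State"] != "Stopped",
    "Degraded": lambda bag: bag["StartMode"] != "Disabled" and bag["State"] == "Stopped",
    "Healthy": lambda bag: bag["StartMode"] == "Disabled" and bag["State"] == "Stopped",
}

def property_bag(service, state, start_mode):
    """Constructed stand-in for the bag the script builds with oBag.AddValue."""
    return {"ServiceName": service, "State": state, "StartMode": start_mode}

def health_state(bag):
    """Name of the one expression that matches; raises if zero or several match,
    because a monitor whose expressions overlap or leave gaps is misconfigured."""
    matches = [name for name, matches_bag in EXPRESSIONS.items() if matches_bag(bag)]
    if len(matches) != 1:
        raise ValueError(f"{bag['State']}/{bag['StartMode']} matched {matches}")
    return matches[0]

def check_partition():
    """Map every (State, StartMode) pair to its health state; raises on any
    pair that matches zero or more than one expression."""
    return {(s, m): health_state(property_bag("svc", s, m))
            for s, m in product(STATES, START_MODES)}
```

check_partition() returns 40 entries: one Healthy (Stopped/Disabled), four Degraded (Stopped with any other start mode), and 35 Unhealthy, which includes transitional states such as Stop Pending.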

Next, I used the default settings for Health State, since they already match what I want to do:

image

Next, I configure the alert settings.  The settings in the screenshot below will generate a Warning alert when the monitor is in a Warning state (service is not Disabled), and a Critical alert when the monitor is in the Critical state (service is not Stopped).  The Alert Description will include the service name (using the ServiceName property created by the script):

image

Now that I have the monitor created, I need to enable it and set the Override for the Service Name:

image

I'm using the Alerter service for my test:

image

To test the monitor, I first set the Alerter service to Manual Startup and leave it stopped:

image

Then I verify that I get the Warning alert:

image

Health Explorer correctly shows the "Degraded" Warning state:

image

Now I want to test the Critical state, so I start the Alerter Service:

image

Now the alert is changed to Critical:

image

And Health Explorer shows the "Unhealthy" Critical state:

image


When I stop the service and disable it, the alert is auto-resolved and the state is changed back to Healthy:

image


I've attached my sample MP which includes the following monitors:

Service disabled and stopped - two-state monitor:

If the specified service is not both Stopped AND Disabled, the computer will be put in a Warning state and a Warning alert will be generated.  When the service is stopped and disabled, the computer will be put in a Healthy state.

Service disabled and stopped - three-state monitor:

If the specified service is Stopped and is not Disabled, the computer will be put in a Warning state and a Warning alert will be generated.  If the specified service is not Stopped, the computer will be put in a critical state and a Critical alert will be generated.  When the service is stopped and disabled, the computer will be put in a Healthy state.

Usage:

Both monitors are targeted at the Windows Computer class and roll up to Configuration Health.  Both monitors are disabled by default.  They are configured to check the service every 1 minute.  To enable one of the monitors, add an Override for the Computer or Group you wish to monitor and set the following Override parameters:

Enabled=True

Script Arguments = <Service Name>


Enjoy!!
