List of events included in Audit Collection Services reports

The following table lists the events that are included in the Audit Collection Services (ACS) reports shipped with System Center Operations Manager 2007 R2 (legacy Windows Server 2003 event IDs are listed alongside their Windows Server 2008 equivalents):

Access Violation – Account Locked report: 539, 534, 4740, 6279
Access Violation – Unsuccessful Logon Attempts report: 529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 4625
Account Management – Domain and Built-in Administrators Changes report: 632, 633, 636, 637
Account Management – Passwords Change Attempts by Non-owner report: 627, 628, 4723, 4724
Account Management – User Accounts Created report: 624, 4720
Account Management – User Accounts Deleted report: 630, 4726
Usage – Object Access report: 560, 567, 4656, 4663
Usage – Privileged logon report: 575, 4672
Usage – Sensitive Security Groups Changes report: 631, 632, 633, 634, 635, 636, 637, 638, 639, 641, 658, 659, 660, 661, 662, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758
Usage – User Logon report: 528, 540, 4624
System Integrity – Audit Log Cleared report: 517, 1102
System Integrity – Audit Failure report: 516, 4612
Policy – Privilege Added Or Removed report: 609, 622, 4704, 4705
Policy – Object Permissions Changed report: 4670
Policy – Audit Policy Changed report: 612, 4719
Policy – Account Policy Changed report: 643, 4739
Planning – Logon Counts of Privileged Users report: 576, 4672

This information might be helpful to anyone interested in setting up a filter on the ACS Collector side in order to limit the set of events that are stored in the ACS database. By default, all security events from ACS forwarders are stored in the ACS database. In my test environment, approximately 57% of the events stored in the ACS database are not included in any of the above-mentioned ACS reports. This means that a lot of data in the ACS database is irrelevant for reporting purposes and that the ACS database size can be reduced significantly by setting up an ACS Collector filter.

To set up an ACS Collector filter and limit the set of events that are stored in the ACS database, the AdtAdmin.exe /SetQuery command-line utility must be used. It uses Windows Management Instrumentation (WMI) Query Language (WQL) to filter events before they hit the ACS database.

For more information on how to use the AdtAdmin.exe command-line utility, refer to the following Microsoft TechNet article:
AdtAdmin.exe /SetQuery: http://technet.microsoft.com/en-us/library/bb381343.aspx


How to configure security events collection by using Audit Collection Services from computers in untrusted environment?

As you may know, in order to enable SCOM agent-based monitoring of devices in an untrusted environment (such as workgroup computers), the SCOM agent must be configured for certificate-based authentication.

If you want to go further and decide to collect security events from such computers by leveraging the Audit Collection Services feature (assuming that the appropriate ACS infrastructure is in place), you will soon notice that it does not work without additional configuration of both the ACS Collector and the ACS Forwarder components.

The following event in the Operations Manager event log indicates that the AdtAgent service running on the ACS Forwarder is unable to authenticate against the ACS Collector:

Event Type:       Warning
Event Source:   AdtAgent
Event Category:               None
Event ID:             4369
User:                    NT AUTHORITY\NETWORK SERVICE
Description:      Forwarder unsuccessfully tried to connect to the following collector(s):
<<ACS Collector computer name>>:51909, status: 0x40 (TCP connect), source: registry addresses tried: <<ACS Collector IP address>>:51909

Similar to the System Center Management service (HealthService) which you have probably already configured for the certificate-based authentication by using the MOMCertImport.exe tool, ACS Collector and ACS Forwarder(s) must also be configured for certificate-based authentication.

To configure the “Operations Manager Audit Collection Service” (AdtServer) running on the ACS Collector for certificate-based authentication, run the AdtServer.exe -c command (by default, AdtServer.exe is located in the %SYSTEMROOT%\System32\Security\AdtServer folder).

To configure the “Operations Manager Audit Forwarding Service” (AdtAgent) running on the ACS Forwarder for certificate-based authentication, run the AdtAgent.exe -c command (by default, AdtAgent.exe is located in the %SYSTEMROOT%\System32 folder).

Once this is done, AdtAgent will still be unable to authenticate. However, you will now see the following warning in the Operations Manager event log (the event ID is the same, but the status code has changed from 0x40 to 0x2746):

Event Type:       Warning
Event Source:   AdtAgent
Event Category:               None
Event ID:             4369
User:                    NT AUTHORITY\NETWORK SERVICE
Description:      Forwarder unsuccessfully tried to connect to the following collector(s): <<ACS Collector computer name>>:51909, status: 0x2746 (TCP connect), source: registry addresses tried: <<ACS Collector IP address>>:51909

The last step required to resolve this problem is to create a name mapping to the certificate in the Active Directory environment where the ACS Collector is located. To do that, first export the computer certificate from the ACS Forwarder into a DER encoded binary X.509 (.CER) file. Then create an “empty” computer account whose name must match the NetBIOS name of the ACS Forwarder. Right-click the newly created computer account and select the Name Mappings option. Under Security Identity Mapping, import the X.509 certificate. After that, restart the AdtAgent service on the ACS Forwarder. It should now successfully authenticate against the ACS Collector, which is confirmed by this event in the Operations Manager event log:

Event Type:       Information
Event Source:   AdtAgent
Event Category:               None
Event ID:             4368
User:                    NT AUTHORITY\NETWORK SERVICE
Description:      Forwarder successfully connected to the following collector: <<ACS Collector computer name>>:51909, status: 0x0 (success), source: registry addresses tried: <<ACS Collector IP address>>:51909
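As an added example that is not from the original post, the following script creates the same name mapping with the ActiveDirectory PowerShell module instead of the Name Mappings dialog. It assumes the forwarder certificate has already been exported to a .cer file as described above, that the dialog stores the mapping in the computer account's altSecurityIdentities attribute in the X509:<I>issuer<S>subject form with DN components in root-first order, and it uses placeholder file paths, names and OU.

```powershell
# Added example (not from the original post): the certificate name mapping that the
# post creates by hand in Active Directory Users and Computers (Name Mappings ->
# Security Identity Mapping), done with the ActiveDirectory module instead.
# Assumptions: the forwarder's computer certificate has already been exported to a
# DER .cer file; the ADUC dialog stores the mapping in altSecurityIdentities as
# "X509:<I>issuerDN<S>subjectDN" with DN components in root-first order; the path,
# computer name and OU below are placeholders.
param(
    [string]$CerPath          = 'C:\Temp\FORWARDER01.cer',                # exported from the ACS Forwarder
    [string]$ForwarderNetBios = 'FORWARDER01',                            # must match the forwarder's NetBIOS name
    [string]$OUPath           = 'OU=ACS Forwarders,DC=example,DC=com'     # where the "empty" account is created
)

Import-Module ActiveDirectory

# altSecurityIdentities wants the DN root-first ("DC=com,DC=example,CN=...") with no
# spaces after the commas. Decode(Reversed) yields the root-first (ASN.1) order.
function ConvertTo-AltSecIdDn {
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn)
    $flags = [System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]::Reversed -bor
             [System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]::UseCommas
    # Caveat: a DN component whose value itself contains ", " would be altered here.
    return ($Dn.Decode($flags) -replace ',\s+', ',')
}

$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$mapping = 'X509:<I>{0}<S>{1}' -f (ConvertTo-AltSecIdDn $cert.IssuerName), (ConvertTo-AltSecIdDn $cert.SubjectName)
Write-Host "Mapping to add: $mapping"

# The "empty" computer account the post describes: it exists only to carry the mapping,
# the forwarder is never joined to this domain.
$computer = Get-ADComputer -Filter "Name -eq '$ForwarderNetBios'" -ErrorAction SilentlyContinue
if (-not $computer) {
    $computer = New-ADComputer -Name $ForwarderNetBios -Path $OUPath -PassThru
}
Set-ADComputer -Identity $computer -Add @{ altSecurityIdentities = $mapping }

# Verify what was written. Then restart the AdtAgent service on the forwarder itself
# (Restart-Service AdtAgent there) and look for event 4368 in its Operations Manager log.
Get-ADComputer -Identity $computer -Properties altSecurityIdentities |
    Select-Object Name, altSecurityIdentities
```

Because the mapping is keyed on issuer and subject, renewing the forwarder certificate with the same subject from the same CA keeps the mapping valid, while re-issuing it from a different CA or with a changed subject requires updating altSecurityIdentities.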

For more information, refer to the following Microsoft TechNet articles:

This whole process is also explained in the Operations Manager 2007 Security Guide which is available as free download from Microsoft, as well as in the System Center Operations Manager 2007 Unleashed book.


System Center Operations Manager 2012 Beta – Installation

As part of the Operations Manager 2012 Community Evaluation Program (CEP), I was able to get my hands on Operations Manager 2012 Beta for evaluation purposes.

I have prepared a test environment for that purpose, and the evaluation of OpsMgr 2012 Beta started with the installation. In my case, I decided to use a Windows Server 2008 R2 virtual machine which has SQL Server installed locally and which is also an Active Directory Domain Controller. Of course, this is neither a recommended nor a best-practice configuration for production environments, but it should work for testing purposes in a lab environment.

After promoting server to Active Directory Domain Controller, and after successful installation of the SQL Server 2008 R2 (using the SQL_Latin1_General_CP1_CI_AS collation), I’ve decided to start the installation of OpsMgr 2012 Beta. Let me now share my experience…

In my test environment, all SCOM features are installed on the same server. They are:

  • Management server,
  • Management console,
  • Web console and
  • Reporting server.

Note that in OpsMgr 2012 there is no root management server (RMS): all management servers are now peers and the workload is split among all management servers in a management group. This means that clustering is no longer required to provide a fault-tolerant and highly available solution. Thumbs-up for that!

If you also decide to put all SCOM features on the same server, before running setup make sure that Web Server (IIS) role is installed on it. You can easily do that by using the Add Roles Wizard.

When running Add Roles Wizard to install Web Server (IIS) role, the following role services must also be included:

  • IIS6 Metabase Compatibility role service,
  • ASP.NET, including required role services for it,
  • Windows Authentication role service,
  • Static Content role service,
  • Default Document role service,
  • Directory Browsing role service,
  • HTTP Errors role service,
  • HTTP Logging role service,
  • Request Monitor role service,
  • Request Filtering role service,
  • Static Content Compression role service and
  • IIS Management Console role service.

Then, another software requirement for the Operations Manager 2012 is Microsoft .NET Framework 4 which you can find on Microsoft Download Center at the following location: http://www.microsoft.com/download/en/details.aspx?id=17851

In order to save some time, it is better to install .NET Framework 4 after the Web Server (IIS) role. If you have installed Web Server (IIS) role after installing .NET Framework 4 you will receive the following errors in the prerequisites checker of the OpsMgr 2012 Setup Wizard:

The ISAPI and CGI Restrictions are disabled or missing: Web Console cannot operate properly because the ISAPI and CGI Restrictions in Internet Information Services (IIS) are disabled or missing for ASP.NET 4.0.

ASP.NET 4.0 Registration Check: The ASP.NET 4.0 handler is not registered with IIS.

Fortunately, this error is well documented in the Quick Start Guide to Microsoft System Center Operations Manager 2012 Beta, as well as on Microsoft TechNet. To resolve it, two steps must be taken.

First, open a Command Prompt as Administrator and run the following command, which registers ASP.NET 4.0 with IIS:
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -r

You should receive the following output:

Start installing ASP.NET (4.0.30319) and changing IIS configuration to use this version of ASP.NET.

Finished installing ASP.NET (4.0.30319) and changing IIS configuration to use this version of ASP.NET.

Secondly, run Internet Information Services (IIS) Manager, open ISAPI and CGI Restrictions properties of the web site, select ASP.NET v4.0.30319, and then click Allow.

NOTE: ISAPI and CGI Restrictions in IIS for ASP.NET 4 are not enabled by default, so this second step is also applicable if you have installed IIS before installing .NET Framework 4.

Once this was configured, prerequisite checker of the OpsMgr 2012 Setup Wizard did not report any issues and I was able to proceed with the installation.

I bumped into two more errors, but they might be specific to my test environment.

On the Configure the operational database page of the OpsMgr 2012 Setup Wizard, setup wizard was not able to successfully validate SQL Server using NetBIOS computer name with an error saying: “This SQL server could not be found”. I solved this issue by typing LOCALHOST as the server name.

The second problem was related to the fact that OpsMgr 2012 in my test environment runs on a server which is also an Active Directory Domain Controller. The Management Server was in the “Not Monitored” state because the Run As accounts did not have the “Allow log on locally” right. You can identify this kind of problem by the occurrence of the following event in the Operations Manager event log:

Log Name: Operations Manager
Source: HealthService
Event ID: 7002
Task Category: Health Service
Level: Error
Description: The Health Service could not log on the RunAs account <service account name> for management group <management group name> because it has not been granted the “Allow log on locally” right.

After granting the “Allow log on locally” right, the health state of the management server turned healthy (green).

Operations Manager 2012 is now up and running and I am looking forward in evaluating it.


An error occurs when upgrading Message Queuing Management Pack for Operations Manager 2007

When upgrading MSMQ Management Pack to version 6.0.6615.0, you might receive the following error:
The requested management pack was invalid. See inner exception for details.
Parameter name: managementPack

In addition, the following events are written to the Operations Manager log on the SCOM Root Management Server:

Event Type: Error
Event Source: OpsMgr SDK Service
Event ID: 26319
Description:
An exception was thrown while processing ImportManagementPack for session id uuid:6e44bef7-2a3a-4304-9443-d7cbf155c41b;id=326.
Exception Message: The creator of this fault did not specify a Reason.
Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.ManagementPackException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to : Verification failed with [1] errors:
-------------------------------------------------------
Error 1:
: Could not load ManagementPack [ID=Microsoft.MSMQ.Library, Keytoken=31bf3856ad364e35, Version=6.0.6615.0]. ManagementPack not found in the store.
Version mismatch. For ManagementPack [[Microsoft.MSMQ.Library, 31bf3856ad364e35, 6.0.6587.0]] requested version from the database was [6.0.6615.0], and actual version available is [6.0.6587.0]
-------------------------------------------------------

Could not load ManagementPack [ID=Microsoft.MSMQ.Library, Keytoken=31bf3856ad364e35, Version=6.0.6615.0]. ManagementPack not found in the store.Version mismatch. For ManagementPack [[Microsoft.MSMQ.Library, 31bf3856ad364e35, 6.0.6587.0]] requested version from the database was [6.0.6615.0], and actual version available is [6.0.6587.0]).

Event Type: Error
Event Source: OpsMgr SDK Service
Event Category: None
Event ID: 26319
Description:
An exception was thrown while processing ImportManagementPack for session id uuid:6e44bef7-2a3a-4304-9443-d7cbf155c41b;id=326.
Exception Message: The creator of this fault did not specify a Reason.
Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.ManagementPackException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to : ManagementPack Version [6.0.6615.0] is not upgrade compatible with older version [6.0.6587.0]. Compatibility check failed with 1 errors:
-------------------------------------------------------
Error 1:
: SecureReference: [Microsoft.MSMQ.QueueAccessProfile] is not upgrade compatible.
[SecureReference]: [Microsoft.MSMQ.QueueAccessProfile] exists in current version [6.0.6587.0] of ManagementPack but does not exist in the new version [6.0.6615.0].
-------------------------------------------------------

This issue occurs because any existing MSMQ Management Pack must be removed before upgrading to version 6.0.6615.0. The Message Queuing Management Pack Guide did not include this information at the time this blog post was written.


How to export list of Monitors and Rules included in the Management Pack?

In many cases it is useful to have an exported list of all monitors and rules included in a specific SCOM management pack.

Two cmdlets are available in the Operations Manager Shell for that purpose. They are: Get-Monitor and Get-Rule.

To export the list of all monitors from a specific management pack into a CSV file, run the following command in the Operations Manager Shell (the -ManagementPack parameter expects a management pack object, so the pack is retrieved with Get-ManagementPack by its name rather than by its .mp file name):

Get-Monitor -ManagementPack (Get-ManagementPack -Name 'ManagementPack.Name') | Select-Object DisplayName, Description, Name, Enabled, Target | Export-Csv -Path Monitors.csv -NoTypeInformation

To export the list of all rules from a specific management pack into a CSV file, run the following command in the Operations Manager Shell:

Get-Rule -ManagementPack (Get-ManagementPack -Name 'ManagementPack.Name') | Select-Object DisplayName, Description, Name, Enabled, Target | Export-Csv -Path Rules.csv -NoTypeInformation

In both cases, replace the management pack name passed to the ManagementPack parameter (and the output file name) accordingly.


No graphs (charts) are included in scheduled SCOM reports

Today I have noticed that SCOM reports that are scheduled to be delivered as e-mail attachments do not contain chart data.

Screenshot: Scheduled SCOM report - chart missing

When the affected scheduled report is executed, the following event is logged in the Application log of the server running SQL Server Reporting Services:
Log Name: Application
Source: Report Server Windows Service (MSSQLSERVER)
Event ID: 108
Level: Error
Description:
Report Server Windows Service (MSSQLSERVER) cannot load the EnterpriseManagementChartControl extension.

After some investigation, it turned out that this is a known issue which is documented in the following knowledge base article:

Scheduled reports that you create by using SQL Server 2008 Reporting Services (SSRS) do not display chart data in System Center Operations Manager 2007 R2: http://support.microsoft.com/kb/972821

After editing the ReportingServicesService.exe.config file as described in the article, you should see the chart included in the scheduled SCOM report.

Screenshot: Scheduled SCOM report - chart included

How to create SNMP Probe Based Two-State Monitor in SCOM?

Let’s say, for example, that you need to monitor the value of a specific performance counter on an SNMP-enabled device and raise an Alert when it is above a configured threshold. For that, an SNMP Probe Based Monitor should be used.

To create such monitor, procedure is pretty straightforward. Click on the Authoring tab in the Operations Console, and open Monitors in the Navigation Pane. After that, open Actions -> Monitor -> Create a Monitor -> Unit Monitor -> SNMP -> Probe Based Detection -> Simple Event Detection -> Event Monitor – Single Event and Single Event.

I will not go into more detail on how to create the monitor. Just follow the Create a unit monitor wizard and make sure that the appropriate community string and object identifier (OID) are entered, as well as the expressions for the unhealthy/healthy conditions.

Once you have finished the wizard and successfully created the monitor, you might notice that it doesn’t work as expected.

By default, the Create a unit monitor wizard creates an SNMP Probe Based Monitor which treats any collected value as a string. As a result, an Alert is raised even when the value is actually below the configured threshold, because string comparison differs from numeric comparison. For example, if you have configured the monitor to raise an Alert when the collected value is greater than “30” (numeric), an Alert will also be raised if the collected value is “4”, “5”, “6”, etc.: the string “4” is greater than the string “30” (the comparison stops at the first character, and “4” sorts after “3”), which is not the case with the numeric values.

Problem resolution

In order to solve this problem, you need to dive into XML. In XML editor (XML Notepad for example), open the Management Pack in which SNMP Probe Based Monitor is stored.

Look for text similar to the following:

<FirstExpression>
  <SimpleExpression>
    <ValueExpression>
      <XPathQuery Type="String">/DataItem/SnmpVarBinds/SnmpVarBind[1]/Value</XPathQuery>
    </ValueExpression>
    <Operator>Greater</Operator>
    <ValueExpression>
      <Value Type="String">30</Value>
    </ValueExpression>
  </SimpleExpression>
</FirstExpression>

… and replace the XPathQuery Type and Value Type attributes with the appropriate data type. In our case, it is Integer (both operands must be changed, otherwise the comparison is still performed on strings):

<FirstExpression>
  <SimpleExpression>
    <ValueExpression>
      <XPathQuery Type="Integer">/DataItem/SnmpVarBinds/SnmpVarBind[1]/Value</XPathQuery>
    </ValueExpression>
    <Operator>Greater</Operator>
    <ValueExpression>
      <Value Type="Integer">30</Value>
    </ValueExpression>
  </SimpleExpression>
</FirstExpression>

Don’t forget to perform the same change for the <SecondExpression> definition also.

Save the changes to the XML file and import the Management Pack into SCOM.
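As an added example (not from the original post), the following PowerShell script performs the String-to-Integer change described above for every SNMP probe-based expression in a management pack XML file, so the FirstExpression and SecondExpression definitions of all affected monitors are retyped consistently. It assumes the unsealed management pack XML has no default XML namespace, that Integer is the ExpressionType wanted for the collected values, and uses a placeholder file path.

```powershell
# Added example (not from the original post): apply the String -> Integer change shown
# above to every SNMP probe-based expression in a management pack XML file, instead of
# editing each <FirstExpression>/<SecondExpression> by hand.
# Assumptions: the file has no default XML namespace (unsealed SCOM 2007 management
# packs normally do not) and the path is a placeholder. The original file is backed up
# before anything is written.
#
# Why this matters, in PowerShell's own string vs numeric comparison:
#   '4' -gt '30'   -> True   (lexical: '4' sorts after '3')
#    4  -gt  30    -> False  (numeric)
param(
    [string]$ManagementPackXml = 'C:\Temp\Custom.SNMP.Monitoring.xml',   # placeholder
    [string]$NewType           = 'Integer'                               # ExpressionType to apply
)

$mp = New-Object System.Xml.XmlDocument
$mp.PreserveWhitespace = $true            # keep the author's indentation on save
$mp.Load($ManagementPackXml)
$changed = 0

# Every SimpleExpression whose left operand reads an SNMP varbind value as a string.
$xpath = "//SimpleExpression[ValueExpression/XPathQuery[@Type='String' and contains(text(),'SnmpVarBind')]]"
foreach ($expr in $mp.SelectNodes($xpath)) {
    # Both operands (the XPathQuery and the literal Value) must get the same type;
    # retyping only one leaves the comparison lexical.
    foreach ($node in $expr.SelectNodes('ValueExpression/XPathQuery | ValueExpression/Value')) {
        if ($node.GetAttribute('Type') -ne 'String') { continue }
        # Refuse to retype a literal that is not a whole number ("30" is, "30%" is not).
        if ($node.LocalName -eq 'Value' -and $NewType -eq 'Integer' -and
            $node.InnerText -notmatch '^\s*-?\d+\s*$') {
            throw "Threshold '$($node.InnerText)' is not an integer; fix the monitor before retyping it."
        }
        $node.SetAttribute('Type', $NewType)
        $changed++
    }
}

if ($changed -gt 0) {
    Copy-Item -Path $ManagementPackXml -Destination "$ManagementPackXml.bak" -Force
    $mp.Save($ManagementPackXml)
}
Write-Host "Retyped $changed Type attribute(s) to $NewType. Re-import the management pack into SCOM to activate the change."
```

The XPath deliberately matches on the SnmpVarBind path rather than on every String-typed expression in the pack, so expressions that legitimately compare strings (for example an SNMP sysDescr check) are left untouched.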

For more information about the ExpressionType and data types used in Operations Manager, refer to the following article: http://msdn.microsoft.com/en-us/library/ee692979.aspx
