Forums

Forums: Alert-Generating Rule for Syslog Messages

Fri, 03 Sep 2010 20:56:17 GMT

Hi,

I'm trying to set up an alert-generating rule to generate alerts for specific syslog messsages, and am running into a bit of a wall. Perhaps someone else has gotten this working?

As a bit of background, I've configured one of my monitored Cisco devices (an ASA) to forward syslog messages to my RMS. I also have the xSNMP Syslog Alerts working, so I know that the RMS is, in fact, receiving syslog messages. (A nestat -an | findstr 514 also shows that the RMS is listening on UDP 514)

However, while the xSNMP Syslog Alerts look for syslog events by severity, I would like to search for specific messages, by looking for certain event #'s within the "message" parameter.

While I want to look for specific events, such as 733104 & 733105 (Possible Syn Flood attack), for this example/as a proof-of-concept I am looking for 106001, as those are presently being logged. In other words, when it's working, I'll know that it's working within a few minutes.

The goal is to be able to set up an Alert-Generating Syslog rule raising an alert for syslog messages where "facility" = 16, and "message" contains "106001".

A sample alert (from xSNMP alerts) looks like:

Facility: 16
Severity: 2
Priority: local0.critical
Timestamp: Sep 3 20:28:16

Message: Sep 03 2010 14:29:22 FW1 : %ASA-2-106001: Inbound TCP connection denied from 69.69.31.28/1199 to xxx.xxx.xxx.xxx/135 flags SYN on interface Internet

I've followed the instructions at both, with no luck:

http://contoso.se/blog/?p=158

and

http://support.microsoft.com/kb/942863/en-us

...which slightly differ (the first one has the rule targeted at the MS, the second has it targeted at an agent, if memory serves). I've also tried rules targeted at "xSNMP Device" and "SNMP Network Device" to no avail.

Here's the rest of the steps I have taken in my rule attempts:

Configure my Cisco ASA to forward syslog messages to my RMS.
Authoring > Rules > New Rule
Rule Type = Alert Generating > Syslog (Alert)
Entered rule name & description
Rule category = Alert
Rule target (I've tried Root management server, agent, SNMP network device, xsnmp network device; should I be trying something else?)
Expression: "facility equals 16" (I decided to keep it simple and try to get everything, and then attempt to filter it down by a string with the messsage parameter; better more results than none, to begin with)
Set up the alert name, description, set severity to "Information" (for now, so any output doesn't get lost in the xSNMP alerts, which are all Critical & Warning).

The properties/configuration of the completed rule(s) shows the Data Source as "SyslogDS" and the Response as "Alert".

So far, no luck.

So, I guess the question is, how does one create an alert-generating syslog rule (that actually generates alerts)? I think the problem lies either within the targeting of the rule, or maybe the rule category?

Any insight appreciated!

Thanks!

Forums: Re: CU2 installation: Agents never show up in Pending

Fri, 03 Sep 2010 16:01:21 GMT

Are your management servers windows 2008, or 2003?

I've seen incomplete patch installs in 2008 when the patch was not started with 'run as administrator' option.

Forums: RE: Re: CU2 installation: Agents never show up in Pending

Fri, 03 Sep 2010 19:55:02 GMT

Found it.

I found a blog somewhere (wish I had the link to give them credit) that said that sometimes even though you use an elevated cmd prompt it doesn't always work. It said to disable UAC, reboot, and try again.

As soon as I did that, everything worked perfectly. No idea why, but it did.

Forums: R2: Trying to upgrade from SQL 2005 to 2008

Thu, 02 Sep 2010 19:11:23 GMT

http://technet.microsoft.com/en-us/library/dd789004.aspx

We're trying to run step #5, but it is failing. In the MSI install log we see:

...

(date) (time) Error: AddWebConfigAppSettingCA: Error: could not get MG ID from MG Server name

...

We see that error after the install stalls for almost exactly 20 minutes.

Any ideas? We're trying to upgrade an install that is currently functional.

All the permissions seem to be fine.

Forums: ACS in a DMZ scenario?

Fri, 27 Aug 2010 19:26:12 GMT

I have what I would consider a fairly typical setup with a DMZ which is separated from the corporate network by a firewall. The servers in the DMZ are on a separate domain and are reporting back to SCOM via gateway servers, other than that they have no communication to the internal network.

I’m in the early stages of starting to deploy ACS in our environment. What I’m wondering about is how to go about deploying ACS in this DMZ. I know that there is a 1 to 1 relationship with the collector and the database so I’m assuming that if that is how it has to be then I would have to have a separate database server for ACS in the DMZ. Can the ACS Collection service be run from a gateway server? If not any guidance on how to setup ACS for a DMZ environment.

Forums: Re: ACS in a DMZ scenario?

Fri, 03 Sep 2010 16:51:07 GMT

I’m in the financial industry, and the auditors are requiring that we centrally collect all security event logs. ACS was to be our solution for this to keep the overhead of security events for 400+ servers out of the operations database. I think I can live with a separate ACS database if that is doable, though I’m not sure how reporting on that database would work.

Forums: RE: In house developed monitor failures (EventID 1206 failed, got unloaded and reached the failure limit that prevents automatic reload. Management group "".)

Fri, 03 Sep 2010 16:07:38 GMT

I'm working with Cliff to resolved this issue.

As suggest, I try to run the script manually using the command line. The script complete sucessfully and return the expected XML.

The Mp containing the vbs is available here : http://pastebin.com/JL9KtQJm

Using the function LogScriptEvent(), I manage to figure out the call to oAPI.Return() hang when the propertybag is too big.

Forums: CU2 installation: Agents never show up in Pending

Fri, 03 Sep 2010 04:42:34 GMT

I'm in the middle of upgrading to CU2 and am having an issue getting the agents to show up as pending upgrade.

At first, I had done the installation with my account, which has all the access needed (even SA). Everything went fine, but I noticed the update packages didn't get put into the agentmanagement folders. I manually copied them in, but this didn't change anything (even after cycling the HS on the RMS and each MS).

Then I logged in as the action account, which is also local admin and SA. Install went fine again, it DID copy the files into place, but still the agents don't show up in pending.

I manually updated two agents, and they show up just fine as having the CU2 update in the agent view. But I can't get any of the other agents to show up in pending. Am I going to have to resort to a 3rd party tool to push the update out?

Forums: Servers with Multiple NIC's and agent health

Thu, 02 Sep 2010 23:46:18 GMT

I have a number of servers with two NIC’s. One NIC has a private IP address 10.x.x.x and the other has a public facing NIC. These servers sit behind a SCOM gateway server with two NICs. My problem is that in OpMan console these servers (including the Gateway) sometimes go gray from green and then back again. A ticket with MS determined the certs were OK. So I made sure that each NIC with a private IP address was in 1^st place in the binding order. No go. I then edited the hosts file so that the FQDN was hardcoded to an internal address. Still no go.

The health service and eventvwr on all of these servers show everything as OK. Thoughts?

Forums: Re: CU2 installation: Agents never show up in Pending

Fri, 03 Sep 2010 14:56:53 GMT

I should have mentioned that I followed his blog while doing my installation. I even saw his section about the agent patch files not being put in place which is what clued me into looking there. I've also posted this exact question to his blog in hopes that he might also see it and respond.

I get no errors at all. None on the RMS, MS's, GW's, or agents. They all just go along as if nothing is wrong.

I've contacted the team that manages our package deployment utility (similar to SCCM) to see what it'll take to make a package. I'm at a complete loss as to why this might be happening.

Forums: RE: Re: Generic Log .txt Monitor HELP!

Fri, 03 Sep 2010 14:38:16 GMT

No, I mean it only seems to find the text string once and create an alert. All appearances of the text string after the initial alert seem to be ignored. As if it stops looking for it all together. Even inserting the text manually into the log file doesnt seem to affect the alert.

Forums: Alerting when Task Scheduelr service is not running

Thu, 26 Aug 2010 16:44:48 GMT

Hello everyone!

This is my first post here and I'm seeking your collective SCOM know-how. I am a newbie with the software so Im sure what I am asking is easy to configure and probably somewhere within these forums so I apologize in advance.

I have been tasked with creating a notification via email (already figured out subscriptions and notification channels etc and am being alerted for other things) when a particular service is NOT running on our windows servers. I may apply this to other services in the future, but for right now, the service I am trying to monitor its runnign state is the Task Scheduler service.

Can anyone PLEASE guide me as to how to achieve this goal? Any help and advice is most definitely appreciated!

Thanks

David

Forums: Re: Alerting when Task Scheduelr service is not running

Fri, 03 Sep 2010 14:28:18 GMT

You should get an Alert when it's down, then you right-click the Alert and create a new Notification subscription.

But since you didn't get the Alert yet, this won't work. You have to go to the Administration Tab, right-click Subscriptions, "New subscription...", insert a name, then tick "created by specific rules or monitors" and in the Criteria description box you see "specific", click it, search for the Monitor, add it. Next, next...

Forums: Re: Alerting when Task Scheduelr service is not running

Fri, 03 Sep 2010 14:04:15 GMT

Anyone? Please? Thanks! :)

Forums: RE: CU2 installation: Agents never show up in Pending

Fri, 03 Sep 2010 08:59:07 GMT

Bob, what sort of error messages are you seeing on the RMS or clients that are not updated? Any warning messages of any sort? Not sure if you've seen Kevin's CU2 rundown, which may have a nugget that helps.

OpsMgr 2007 R2 CU2 rollup hotfix ships – and my experience ...

Forums: RE: Servers with Multiple NIC's and agent health

Fri, 03 Sep 2010 08:54:33 GMT

You'll find the cause in the error events. Find the error events in the 20,000 - 21,000 range in the OpsMgr Event Log on the agent computer, then on the mgmt server. Check them against the authentication event reference on the WIKI that I posted - http://www.systemcentercentral.com/BlogDetails/tabid/143/IndexID/32926/Default.aspx

Forums: scom snmp monitoring

Thu, 02 Sep 2010 14:20:08 GMT

Hello Guru's,

I have a request to monitor a few devices - datapower x150, apache httpd and IBM webshpere.

The application owners have sent us the MIB's. And we want to configure these into scom for alerting.

Any idea how we can get this done?

Thanks

Forums: Any good .net MPs out there?

Wed, 01 Sep 2010 21:28:15 GMT

I ran across this one. Do you have any other suggestions or feedback?

http://www.avicode.com/AVIcodeOpsMgr2007/3/opsmgr2007features.htm

Forums: Event Based Rule needed with Repeated Event abilities

Thu, 02 Sep 2010 22:56:08 GMT

Hi,

I've set up rules that monitor the application log for specific Events and this works fine. When an event is dropped in the Event Log, an Error is generated in SCOM. These events sometimes happen frequently and I've specified a Repeat Count to prevent the Alert Console from being flooded.

Now I have a customer request to only alert if the problem happens twice within a 5 minute time frame and I can't figure out how to do this (Monitors have a repeat setting with a counting mode, but lack the Repeat Count that prevents flooding).

How can I edit the rule or management pack to only alert if the problem occurs twice?

Thx

Forums: RE: Event Based Rule needed with Repeated Event abilities

Fri, 03 Sep 2010 05:09:28 GMT

I believe what you're looking for can be accomplished with a "Repeated Event Detection Monitor" instead of a rule. Go to Authoring, add a new Monitor, look under Windows Events, and choose "Repeated Event Detection". In there you can do Manual resets (operator has to close the alert manually), Timed resets (after a certain period the alert clears itself), or Windows Event Reset (alert clears when a separate event is detected in the event logs).