Monday, March 9, 2009

Operations Manager 2007 not collecting events

I recently tried to convert one of our simple MOM 2005 rules to SCOM 2007. It just notified us when an administrator account was locked out, a simple but effective way to detect brute-force attacks in our environment.

I started by creating a collection rule to collect certain events from the Security event logs of all Domain Controllers. I filtered by Event Source, Category and Level ("Success Audit") and targeted the rule at the AD Domain Controller Role.

I then created a view to check whether my events were really being written to the OpsMgr DB, and there was nothing. There were no errors anywhere either. Although the targeting should not have been the problem, I tried some other targeting options just to make sure; as expected, that didn't help.

It turned out the problem was the filter: once I removed the Event Category criterion, my events started to come in. My filter was not wrong; it just doesn't seem to work when the event category is used. In fact, the events in the SCOM view do not show a category at all.
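Before blaming the rule, it helps to run the same criteria directly against the DCs' Security logs and see which criterion empties the result. The script below is an added example and is not part of the original post: it reads the Security log on each DC with the Source and Level ("Success Audit") criteria the rule uses, then applies the Category criterion separately and lists the Category strings the matching events actually carry. The DC names, the event source, the lockout event IDs (4740 on Windows Server 2008, 644 on 2003) and the category text are my assumptions and should be replaced with the values used in your own rule. It needs PowerShell 2.0 and rights to read the remote Security log.

```powershell
# Added example, not code from the original post.
# Checks whether a Security-log filter like the SCOM collection rule's
# returns anything on each DC, with and without the Category criterion.
function Test-LockoutEventFilter {
    param(
        [string[]]$ComputerName = @('DC01', 'DC02'),            # assumption: your DC names
        [string]$Source = 'Microsoft-Windows-Security-Auditing', # 2008 DCs; use 'Security' on 2003
        [int]$EventId = 4740,                                    # assumption: lockout event (644 on 2003)
        [string]$Category = 'User Account Management',           # assumption: category text used in the rule
        [datetime]$After = (Get-Date).AddDays(-7)
    )

    foreach ($dc in $ComputerName) {
        # First make sure the remote Security log is readable at all, so that an
        # access or RPC problem is not mistaken for "the filter matched nothing".
        try {
            $null = Get-EventLog -ComputerName $dc -LogName Security -Newest 1 -ErrorAction Stop
        } catch {
            Write-Warning "$dc : cannot read Security log ($($_.Exception.Message))"
            continue
        }

        # Same criteria as the rule minus Category: Source and Level (Success Audit),
        # plus the event ID. Get-EventLog reports a non-terminating error when
        # nothing matches, so that case is silenced and shows up as a count of 0.
        $events = @(Get-EventLog -ComputerName $dc -LogName Security -EntryType SuccessAudit `
                                 -Source $Source -After $After -ErrorAction SilentlyContinue |
                    Where-Object { $_.EventID -eq $EventId })

        # Now add the Category criterion the way the rule does.
        $withCategory = @($events | Where-Object { $_.Category -eq $Category })

        New-Object PSObject -Property @{
            ComputerName    = $dc
            WithoutCategory = $events.Count
            WithCategory    = $withCategory.Count
            # The category strings and numbers the events really carry. If these
            # differ from $Category, the Category criterion is what empties the result.
            CategoriesSeen  = ($events | Select-Object -ExpandProperty Category -Unique) -join '; '
            CategoryNumbers = ($events | Select-Object -ExpandProperty CategoryNumber -Unique) -join '; '
        }
    }
}

Test-LockoutEventFilter |
    Format-Table ComputerName, WithoutCategory, WithCategory, CategoriesSeen, CategoryNumbers -AutoSize
```

If WithoutCategory is non-zero and WithCategory is zero on every DC, the lockout events are being logged and the category value is the criterion that does not match; a rule built on Source, Level and the event ID alone will then collect them.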
