Operations Manager makes it easy to monitor Windows Events using a Simple Event Detection Unit Monitor. You can filter and alert on events based on ID, Source, Category, User and Computer or any combination of those fields.
But what if you want to parse the Description field? You may want debugging information or let’s say you only want to know if the Description field of Event 632 (User Added to Security Group) contained the words ‘Domain Admin’.
As in: “Someone added a user to the Domain Admin security group in Active Directory… better check that out.”
I researched this problem the best I could but I couldn’t find a good solution. So here’s the way I handled it:
First Create the Rule to Collect Event 632
Right-Click on Rules -> Create New Rule
Select Collection Rule -> Event Based -> NT Event Log
Name the rule
Click the ellipsis (…) next to the Log name field and choose ‘Security’ for the name:
In the expression with the Event ID, make ‘632’ the value. Right-click to the left of the other expression, delete it, then click Create:
Now Create the Monitor
Create a Windows Events \ Simple Event Detection \ Manual Reset Unit Monitor
Give it a name
Browse to any computer and select the Security Log
In the expression with the Event ID, make ‘632’ the value. Right-click to the left of the other expression and then delete it
Take the defaults on the Configure Health screen
Click on ‘Generate alerts for this monitor’ and then click ‘Create’
Adding the script
Go back into the properties of the monitor we just created and go to the ‘Diagnostic and Recovery’ tab:
Under ‘Configure diagnostic tasks’, click Add then Diagnostic for warning state:
Highlight ‘Run Script’ and click next. Give the diagnostic a name:
Name the script and paste the following code into the Script Field:
'*****************************************************************************
'Get_Event_Desc.vbs
'Created 8/13/2008
'by Mike Ory
'*****************************************************************************
' Runs as a SCOM diagnostic task: queries the local Security log for Event 632
' (user added to a security-enabled global group) and mails the first event
' whose Description contains "Domain Admin".
Set objMessage = CreateObject("CDO.Message")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Note: this returns every 632 event still in the log, not only the one that
' tripped the monitor; the first match found is the one reported.
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'Security' AND EventCode = 632")
For Each objEvent in colLoggedEvents
    ' Instr returns 0 (False) when the text is not found
    If Instr(objEvent.Message, "Domain Admin") Then
        strMsg = vbCrLf & objEvent.Message
        strTime = objEvent.TimeGenerated
        SendMessage strMsg, strTime
        Exit For
    End If
Next

Sub SendMessage(Message, Time)
    ' sendusing = 2 (cdoSendUsingPort): send through the SMTP server named below
    objMessage.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    'Name or IP of Remote SMTP Server
    objMessage.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "YourMailServer"
    'Server port (typically 25)
    objMessage.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objMessage.Configuration.Fields.Update
    objMessage.Subject = "User added to Security Group"
    objMessage.From = "admins@foo.com"
    objMessage.To = "admins@foo.com"
    objMessage.TextBody = Time & vbCrLf & vbCrLf & Message
    objMessage.Send
End Sub
'End Script
'*****************************************************************************
Click OK and you’re off.
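The script above checks for the words "Domain Admin" anywhere in the Description, which also fires when the text appears in the member or caller fields rather than the group name. The following is an added example, not code from the post, showing the same check done on the parsed "Target Account Name" field of the 632 Description against an explicit list of watched groups. The event records, the domain EXAMPLE, the user names and the group "Helpdesk Operators" are constructed sample data in the Windows Server 2003 Event 632 layout, and the watch list is an assumption.

```python
import re
from typing import Dict, List

# Groups whose membership changes we want to alert on (assumed list).
WATCHED_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins")

# Each field line of a 632 Description looks like "<TAB>Field Name:<TAB>Value".
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\t(.*?)\s*$")


def _msg(member_name: str, member_id: str, group: str, caller: str) -> str:
    """Build a constructed Event 632 Description (Windows Server 2003 layout)."""
    return (
        "Security Enabled Global Group Member Added:\r\n"
        f"\tMember Name:\t{member_name}\r\n"
        f"\tMember ID:\t{member_id}\r\n"
        f"\tTarget Account Name:\t{group}\r\n"
        "\tTarget Domain:\tEXAMPLE\r\n"
        f"\tTarget Account ID:\tEXAMPLE\\{group}\r\n"
        f"\tCaller User Name:\t{caller}\r\n"
        "\tCaller Domain:\tEXAMPLE\r\n"
        "\tCaller Logon ID:\t(0x0,0x3E7A1)\r\n"
        "\tPrivileges:\t-\r\n"
    )


# Constructed sample records shaped like Win32_NTLogEvent rows; not real log data.
SAMPLE_EVENTS: List[dict] = [
    {"EventCode": 632, "TimeGenerated": "20090325101500.000000-000",
     "Message": _msg("CN=J. Doe,OU=Staff,DC=example,DC=com", "EXAMPLE\\jdoe",
                     "Domain Admins", "admin1")},
    # Member name happens to contain "Domain Admin"; the group is harmless.
    {"EventCode": 632, "TimeGenerated": "20090325101700.000000-000",
     "Message": _msg("CN=Domain Admin Audit Report,OU=Service,DC=example,DC=com",
                     "EXAMPLE\\svc-daaudit", "Helpdesk Operators", "admin2")},
    # Enterprise Admins: sensitive, but does not contain the words "Domain Admin".
    {"EventCode": 632, "TimeGenerated": "20090325102000.000000-000",
     "Message": _msg("CN=A. Smith,OU=Staff,DC=example,DC=com", "EXAMPLE\\asmith",
                     "Enterprise Admins", "admin1")},
    {"EventCode": 632, "TimeGenerated": "20090325102200.000000-000",
     "Message": _msg("CN=B. Lee,OU=Staff,DC=example,DC=com", "EXAMPLE\\blee",
                     "Helpdesk Operators", "admin2")},
]


def parse_632(message: str) -> Dict[str, str]:
    """Split a 632 Description into a field -> value map.

    The header line ("Security Enabled Global Group Member Added:") is stored
    under "Operation"; every following "Field:<TAB>Value" line becomes one entry.
    """
    lines = [ln for ln in message.splitlines() if ln.strip()]
    fields: Dict[str, str] = {}
    if lines:
        fields["Operation"] = lines[0].strip().rstrip(":")
    for ln in lines[1:]:
        m = FIELD_RE.match(ln)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def naive_match(message: str) -> bool:
    """The check the VBScript makes: the substring anywhere in the Description."""
    return "Domain Admin" in message


def field_match(message: str, watched=WATCHED_GROUPS) -> bool:
    """Match only the Target Account Name field against the watched groups."""
    return parse_632(message).get("Target Account Name") in watched


def find_alerts(events: List[dict], watched=WATCHED_GROUPS) -> List[dict]:
    """Return one alert record per 632 event that adds a member to a watched group."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") != 632:
            continue
        f = parse_632(ev["Message"])
        if f.get("Target Account Name") in watched:
            alerts.append({
                "time": ev["TimeGenerated"],
                "group": f["Target Account Name"],
                "member": f.get("Member ID", f.get("Member Name", "?")),
                "caller": f"{f.get('Caller Domain', '?')}\\{f.get('Caller User Name', '?')}",
            })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"{a['time']}  {a['member']} added to {a['group']} by {a['caller']}")
```

Run over the four constructed records, the substring check fires on the first two events (the second only because the member's name contains the words) and misses the Enterprise Admins change; the field check alerts on the first and third. The same field map also gives the member and caller for the alert body, which is more useful to whoever reads the mail than the raw Description.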
Wednesday, March 25, 2009