Tuesday, March 18, 2014

SCOM 2012 SP1 client-side event 34215

This is a short tip for resolving error event 34215. The event appears when client-side monitoring tries to write extra configuration into an IIS shared configuration and you don't have enough permissions.

The first thing is to understand how client-side monitoring is deployed. By default, when you run the client-side wizard in the SCOM console, client-side monitoring tries to create the CSMCollector virtual directory and the OperationsManagerCsmCollector v.4.0 application pool.
The solution is easy: give the computer (the web server) permissions on the shared directory that holds the IIS configuration.

After that you will get event 34243, which means "The new client-side monitoring configuration has been successfully applied. No conflicts were detected."

Tuesday, March 11, 2014

SCOM 2012 check root login into CentOS system

Continuing the previous post, here is a recipe to raise an alert when root or another privileged account logs in to a CentOS box via SSHD.
Obviously, for this recipe you need the Unix/Linux Management Packs applied and properly configured; here is an old post concerning this topic.

There are at least two ways to raise this type of alert: via ACS or via Unix/Linux log file monitoring.
The quickest and easiest way is log file monitoring, but it is less accurate than ACS. For example, ACS has a set of reports that give detailed login statistics, but in some scenarios it can be noisy and complex to manage.
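As an added illustration of the log file approach (not code from the original post or from SCOM), the following Python sketch shows the kind of pattern a log file monitor would match to detect a successful privileged SSH login. The log lines are constructed samples in the format sshd writes to /var/log/secure on CentOS, and the `PRIVILEGED` account list and function name are assumptions.

```python
import re

# Assumption: accounts treated as privileged; adjust to local policy.
PRIVILEGED = {"root", "admin"}

# Anchored at the start of the line and of the sshd message, so the words
# "Accepted ... for root" appearing later inside some other message
# (for example in a failed-login line) do not raise a false alert.
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
Mar 11 09:14:02 centos01 sshd[2314]: Accepted password for root from 192.0.2.10 port 51514 ssh2
Mar 11 09:15:40 centos01 sshd[2331]: Failed password for root from 192.0.2.10 port 51520 ssh2
Mar 11 09:16:05 centos01 sshd[2340]: Accepted publickey for alice from 192.0.2.22 port 40022 ssh2
Mar 11 09:17:11 centos01 sshd[2352]: Failed password for invalid user Accepted password for root from 198.51.100.7 port 33211 ssh2
Mar  9 23:01:44 centos01 sshd[911]: Accepted publickey for root from 2001:db8::5 port 50111 ssh2
"""


def privileged_logins(lines, accounts=PRIVILEGED):
    """Return one dict per successful sshd login by a privileged account."""
    hits = []
    for line in lines:
        m = SSHD_ACCEPTED.match(line)
        if m and m.group("user") in accounts:
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for hit in privileged_logins(SAMPLE_LOG.splitlines()):
        print("ALERT: {user} logged in on {host} from {src} "
              "via {method} at {ts}".format(**hit))
```

Failed attempts and logins by non-privileged users are ignored on purpose; alerting on those would need separate patterns.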

Sunday, March 9, 2014

SCOM 2012 - Create alert / monitor based on Windows event ( Administrator login alert )

Today our customer asked us how we can know when the Administrator has logged on via terminal server to a Windows Server in their domain.
The answer is SCOM, using the event alert feature.
When you log in to Windows 2008 or higher and auditing is running, an event with ID 4624 is created in the security log of the machine.
So the first step in creating the alert / monitor is to enable auditing.
You have to add a new group policy with auditing enabled to the OU of the computers that you want to monitor. In this image you can see highlighted what you need.