Sunday, March 9, 2014

SCOM 2012 - Create alert / monitor based on Windows event ( Administrator login alert )

Today, our customer asks us how we can know when the Administrator has logon via terminal server on Windows Server on their Domain.
The answer is with SCOM, using the event alert feature.
When you do a login in Windows 2008 or higher and the audit is running an event with id 4624  is created in the security log of the machine.
So first step to create the alert / monitor is to enable the audit.
You have to add new group policy with the audit enabled in the OU of the computers that you want to monitor, in this image you can see highlighted what you need.

As always you can force the policy update with gpupdate /force.
If you have any doubt about what any of the options means, here is a good explanation about the differences between Audit Logon Events and  Audit Account Logon Events.

Now, when a user does a login in the system, the event 4624 is going to be written in the local machine event log, as you can see in the following image.

With this data, you can make the event monitor, as you know, you have to start at the Authoring screen in the main SCOM dashboard, Management Pack Objects, Monitors.

These attached images show you how to setup the monitor step by step.

The question here is, how can I know which is the number of the parameter?, it is easier than you can expect, just count line by line the text that appears in the details of the event 4624, for example:

SubjectUserSid S-1-5-18  <-- 1
SubjectUserName XXXXX <-- 2
SubjectDomainName XXXX <-- 3
SubjectLogonId 0x3e7  <-- 4
TargetUserSid S-1-5-21-XXXX <-- 5
TargetUserName XXXXX  <-- 6
TargetDomainName XXX <--
TargetLogonId XXXXX  <-- N+1
LogonType 10 
LogonProcessName User32  
AuthenticationPackageName Negotiate 
WorkstationName XXXXXX 
LogonGuid {XXXXXXXX} 
TransmittedServices - 
LmPackageName - 
KeyLength 0 
ProcessId 0x36f8 
ProcessName C:\Windows\System32\winlogon.exe 
IpAddress XXXXX

There are alternatives to do this, for example, you can use Logparser to count the parameters, doing something like this:

Logparser.exe "select top 1 Strings AS Parameters FROM security where EventID=4624"

Finally, you need to know what all fields on the event mean, you can check it here

No comments:

Post a Comment