Huntland Services Ltd

Tel: +44 (0)1392-490518
Fax: +44 (0)1392-428003
Enquiries@huntland.co.uk

Advanced Enterprise Wide Consolidation


This article seeks to clarify information from a variety of previously published public sources, which only partially or misleadingly described the correct process.


Suppose that the fact that an event or alert occurred at a managed server is not in itself very interesting.  Suppose that even consolidating those events at the server, and finding that the count exceeded a threshold value within a given period, was only marginally more interesting.  But suppose the consolidation and the threshold excess were taking place on all your servers at approximately the same time: that might be very interesting.  For example, 20 failed logon attempts at a server inside 120 seconds may raise a few eyebrows.  20 failed logon attempts inside 120 seconds occurring on 5 of your servers in the same five-minute period should be ringing the alarm bells.

How does MOM consolidate the consolidations?  Here's how to configure it:

1. Create a Consolidate Similar Events rule called Rule_1.  Configure this rule to use the security log provider to consolidate all occurrences of Windows 2000 event ID 529 (for example) over a 120-second period, by Event Number and Source Name only.  This rule runs on the managed servers.  At the end of the 120 seconds MOM creates its own event recording that a consolidation has taken place, together with the number of event 529s it managed to trap.  It stores this number in a State Variable (see 'How to set and use State Variables') called $RepeatCount$.

2. Create an Alert on or Respond to Event rule called Rule_2.  This rule fires if it detects an event created by Rule_1 where the number of 529 events consolidated exceeds 20 (for example).  To do this, configure the rule to use the same data provider and criteria as Rule_1, but add an additional criterion that tests whether the $RepeatCount$ State Variable is greater than or equal to 20.  To do this, click the Advanced button in the Criteria dialog and choose RepeatCount from the drop-down list in the Field box.  So far so good?  What you've done so far runs at the managed server.

Next you need to configure this rule to increment a user state variable named TotalAttempts (for example).  To do this, select Update State Variable from the Response dialog and add a new operation to increment your variable named TotalAttempts (just type it in).  IMPORTANT: in the State Variable Update dialog, configure 'Centrally on the Consolidator'.  That is one of the oddities of configuring MOM rules: half of this rule applies to the managed server and half to the MOM DCAM.

3. Create an Alert on or Respond to Event rule called Rule_3.  Configure this rule to use the timed event provider, running every 5 minutes, with a response that runs a script called "SecurityAlert" on the Consolidator.  This script checks the value of the TotalAttempts variable.  If the value is greater than or equal to five (for example), it sends an alert and resets the variable to zero.  If the variable is less than 5 the script just resets it to zero again.


The script shown below does just this:


'--------------------- Copy and paste this into a new script in MOM called 'SecurityAlert' ---------------------------------
' Runs on the Consolidator every 5 minutes (Rule_3).  Reads the central
' TotalAttempts state variable incremented by Rule_2, raises an alert if it has
' reached the threshold, and always resets it so the next period starts at zero.
vCount = CLng(State.get("TotalAttempts"))   ' CLng guards against an Empty or string value being compared as text
If vCount >= 5 Then
    Set MyAlert = ScriptContext.CreateAlert
    MyAlert.description = "There is a security attack in progress"
    MyAlert.alertLevel = 60                 ' 60 = Security Breach severity
    ScriptContext.submit(MyAlert)
End If
vCount = 0
State.put "TotalAttempts", vCount
'-------------------------------------------------- end copy and paste -----------------------------------------------------------
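
As an added illustration (not part of the original article and not MOM code), the Python below simulates the three-rule chain over constructed event records: Rule_1's 120-second per-server consolidation, Rule_2's RepeatCount >= 20 test incrementing the central TotalAttempts, and Rule_3's 5-minute SecurityAlert check with its unconditional reset.  The event tuples, server names and helper names are assumptions made up for this example.

```python
"""Simulate MOM's two-tier consolidation (Rule_1 / Rule_2 / Rule_3) over constructed events."""
from collections import defaultdict

CONSOLIDATE_SECS = 120   # Rule_1: consolidation window on each managed server
REPEAT_THRESHOLD = 20    # Rule_2: RepeatCount >= 20 increments TotalAttempts centrally
CHECK_SECS = 300         # Rule_3: timed event provider interval (5 minutes)
SERVER_THRESHOLD = 5     # SecurityAlert script: TotalAttempts >= 5 raises the alert

def consolidate(events, window=CONSOLIDATE_SECS):
    """Rule_1: per server, group event 529s into fixed windows that start at the first
    event seen; returns (window_end, server, repeat_count) tuples in time order."""
    per_server = defaultdict(list)
    for ts, server, event_id in sorted(events):
        if event_id == 529:
            per_server[server].append(ts)
    out = []
    for server, times in per_server.items():
        start, count = None, 0
        for ts in times:
            if start is None or ts >= start + window:
                if start is not None:
                    out.append((start + window, server, count))
                start, count = ts, 0
            count += 1
        out.append((start + window, server, count))
    return sorted(out)

def security_alerts(events, horizon):
    """Rule_2 + Rule_3: each consolidation that trips REPEAT_THRESHOLD increments the
    central counter; every CHECK_SECS the counter is tested, then always reset."""
    trips = [(t, s) for t, s, c in consolidate(events) if c >= REPEAT_THRESHOLD]
    total_attempts, alerts, i = 0, [], 0
    for check_time in range(CHECK_SECS, horizon + 1, CHECK_SECS):
        while i < len(trips) and trips[i][0] <= check_time:
            total_attempts += 1   # Rule_2 response: Update State Variable, centrally
            i += 1
        if total_attempts >= SERVER_THRESHOLD:
            alerts.append(check_time)
        total_attempts = 0        # the SecurityAlert script resets in either case
    return alerts

def burst(server, start, n, spacing=4):
    """Constructed sample: n failed logons (event 529) on one server, spacing secs apart."""
    return [(start + k * spacing, server, 529) for k in range(n)]

# Constructed sample: 5 servers each see 25 failures inside 120 s, a sixth sees only 3.
SAMPLE = [e for s in range(5) for e in burst(f"srv{s}", 10 + s, 25)] + burst("srv9", 50, 3)
print(security_alerts(SAMPLE, 600))  # -> [300]: alert at the first 5-minute check only
```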


So to summarise: