Discussion:
Generate Event when AD Group membership changes
Carol Deavy
2007-11-27 17:24:01 UTC
I am unable to get alerts or events to be generated so I hope someone can
spot what I might be missing in my configuration...

My domain controller's local policy is configured with Audit Policy
Audit account logon events - failure
Audit account management - success
Audit object access - failure
Audit policy change - success

MOM Administrator Console configuration:

Event Rule enabled
Type = Event
Provider Name = Security
Provider Type = Windows NT Event log
ID = 636
Response = notification (email sent to me)

Alert tab
Generate alert with alert severity of Security Issue

I can see the events in the security log when I add an account to a group,
but this information is not emailed to me, nor can I see anything in the MOM
Operator Console...

What am I missing?
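As an added example (not part of the original thread), the detection logic a rule like the one above implements, written in Python over constructed event records rather than MOM's own rule engine. One fact worth checking against the configuration above: on Windows Server 2003 the "member added" audit event depends on the scope of the group. Event 636 is "Security Enabled Local Group Member Added"; a global group such as Domain Admins logs 632 (added) and 633 (removed), and universal groups log 660/661. The field names in the sample messages follow the Server 2003 description layout; the sample events, the watch list, and the group-to-scope assumptions are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows Server 2003 Security-log event IDs for membership changes to
# security-enabled groups, keyed by the scope of the group involved.
# The thread's rule watches 636 (local group member added); a global group
# such as Domain Admins logs 632/633 instead, so a rule on 636 alone misses it.
# (Windows Server 2008+ equivalents: 4728/4729 global, 4732/4733 local,
# 4756/4757 universal.)
MEMBERSHIP_EVENTS = {
    632: ("global", "added"),
    633: ("global", "removed"),
    636: ("local", "added"),
    637: ("local", "removed"),
    660: ("universal", "added"),
    661: ("universal", "removed"),
}

# Assumed watch list: groups whose membership changes should always alert.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Fields of the event description that the detection needs. Windows writes
# them as "<Field>:<tab><value>" lines inside the event message.
FIELD_RE = re.compile(
    r"^\s*(Member Name|Member ID|Target Account Name|Target Domain|"
    r"Caller User Name|Caller Domain):\s*(.*?)\s*$",
    re.MULTILINE,
)


@dataclass
class MembershipChange:
    event_id: int
    scope: str
    action: str
    member: str
    group: str
    caller: str
    watched: bool


def parse_membership_event(event_id: int, message: str) -> Optional[MembershipChange]:
    """Parse one Security-log event; returns None for non-membership event IDs."""
    if event_id not in MEMBERSHIP_EVENTS:
        return None
    scope, action = MEMBERSHIP_EVENTS[event_id]
    fields = dict(FIELD_RE.findall(message))
    group = fields.get("Target Account Name", "")
    # Prefer the SAM-style "Member ID" (DOMAIN\user); fall back to the DN in "Member Name".
    member = fields.get("Member ID") or fields.get("Member Name", "")
    caller = f"{fields.get('Caller Domain', '')}\\{fields.get('Caller User Name', '')}"
    return MembershipChange(event_id, scope, action, member, group, caller, group in WATCHED_GROUPS)


def detect_watched_changes(events) -> List[MembershipChange]:
    """Run the rule over (event_id, message) pairs; return changes to watched groups."""
    alerts = []
    for event_id, message in events:
        change = parse_membership_event(event_id, message)
        if change is not None and change.watched:
            alerts.append(change)
    return alerts


def event_ids_for_group_scope(scope: str) -> List[int]:
    """Event IDs an event rule must match to catch membership changes for this group scope."""
    return sorted(eid for eid, (s, _) in MEMBERSHIP_EVENTS.items() if s == scope)


# Constructed sample events in the Server 2003 message layout (not real log data).
SAMPLE_EVENTS = [
    (632, "Security Enabled Global Group Member Added:\n"
          "\tMember Name:\tCN=Jane Doe,CN=Users,DC=contoso,DC=local\n"
          "\tMember ID:\tCONTOSO\\jdoe\n"
          "\tTarget Account Name:\tDomain Admins\n"
          "\tTarget Domain:\tCONTOSO\n"
          "\tCaller User Name:\tadmin01\n"
          "\tCaller Domain:\tCONTOSO\n"),
    (636, "Security Enabled Local Group Member Added:\n"
          "\tMember Name:\tCN=Svc Backup,CN=Users,DC=contoso,DC=local\n"
          "\tMember ID:\tCONTOSO\\svc_backup\n"
          "\tTarget Account Name:\tAdministrators\n"
          "\tTarget Domain:\tBuiltin\n"
          "\tCaller User Name:\tadmin01\n"
          "\tCaller Domain:\tCONTOSO\n"),
    (636, "Security Enabled Local Group Member Added:\n"
          "\tMember Name:\tCN=Print User,CN=Users,DC=contoso,DC=local\n"
          "\tMember ID:\tCONTOSO\\puser\n"
          "\tTarget Account Name:\tPrint Operators\n"
          "\tTarget Domain:\tBuiltin\n"
          "\tCaller User Name:\tadmin01\n"
          "\tCaller Domain:\tCONTOSO\n"),
    (642, "User Account Changed:\n\tTarget Account Name:\tjdoe\n"),
]

if __name__ == "__main__":
    for change in detect_watched_changes(SAMPLE_EVENTS):
        print(f"ALERT event {change.event_id}: {change.member} {change.action} to "
              f"{change.scope} group '{change.group}' by {change.caller}")
```

Run stand-alone it reports the Domain Admins change (632) and the Builtin\Administrators change (636) and ignores the Print Operators change and the unrelated 642 event. `event_ids_for_group_scope("global")` gives the IDs a rule meant for Domain Admins has to match; a rule keyed only on 636 covers domain local and built-in local groups.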
Anders Bengtsson
2007-11-27 18:58:29 UTC
Hi Carol,

Please take a look at this post, http://contoso.se/blog/?p=109; there is a
step-by-step guide.


-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se
Carol Deavy
2007-11-27 20:27:02 UTC
Hello Anders,

Thank you for the link and information; however, although the steps in the
link seemed similar to how I described configuring the rule, I figured I
would follow the steps outlined to monitor changes to Domain Admins as
described in the article just to make sure, and I am still not getting
alerted.

Any other ideas on what I'm missing or what may not be properly configured?
As explained earlier, the security log is capturing the information, but MOM
doesn't seem to be collecting it...
Anders Bengtsson
2007-11-28 09:50:23 UTC
Hi Carol,

If you have a lot of criteria on that collection rule, try removing some of
them. Sometimes the criteria are a little too strict.

-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se
Carol Deavy
2007-11-28 14:03:02 UTC
Thanks for your suggestion. I had tried simply creating an event rule to
notify for ID 636 and I still don't get anything... I tried creating an event
rule for event ID 633 and configuring the parameter storage to "Store all
event parameters" so that I could see that the events were being captured by
MOM and put into the database, but still nothing. It is like MOM is not
capturing events from the event logs of servers? What am I missing?
Anders Bengtsson
2007-11-28 19:44:11 UTC
Hi Carol,

Do you get any alerts from this machine? Any from the same source log? Anything
in the console, or is it the notification part that doesn't work?

-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se
Carol Deavy
2007-11-28 22:24:01 UTC
Hello Anders,

I'm not sure if I get any alerts from the security logs, as I haven't tried
to capture other security events. All the clients are alerting MOM based on
other rules, as I have been going through them and resolving alerts. I'm of
the belief that the client is not sending any information from the event logs
to MOM, but I haven't figured out how to confirm that yet. Ciao for now,
back in tomorrow.
Carol Deavy
2007-11-29 15:40:01 UTC
I don't know what triggered my events and rules to start working, but they
are working... yeahhhh!

I didn't do anything this morning; I only logged into MOM and alerts started
happening.

Thanks for all your suggestions and help.