mom: monitoring organizationalUnit changes...
i've lost a lot of hair today. why? mom is finicky and aggravating. i'll get to that later. here's how to set up rules to pick up event id 566. it's comprised of two rules: a collection rule and an event rule.
first of all, why create a collection rule at all? it's simple. if you only create an event rule to raise the alert, you don't necessarily keep all the parameters that you want. if you want to go back and look for this later, it may be challenging if you're scavenging alerts faster than events. set it up like this:

collection rule:
- source: security
- event id: 566
- type: success audit
- description: contains substring organizationalUnit
- parameters: 3,4,9,12
- parameter 3: object type
- parameter 4: object name
- parameter 9: user name
- parameter 12: access

event rule (same criteria, this one raises the alert):
- source: security
- event id: 566
- type: success audit
- description: contains substring organizationalUnit

alert description:
Directory Service change occurred for: Object: $Parameter 3$ User : $Parameter 9$ Action: $Parameter 12$ Change: $Parameter 4$

why? if you let the event's description field come in to the alert as-is, it's just ugly. no one wants to read it like that. by the way, the parameters won't mean much to you without making this modification to configure the mom agent to resolve the guids it collects in events to friendly names. obviously, you're picking up these events on your domain controllers. yes... that means making this registry change on all of them.

this thing took about 4 hours to figure out. many thanks to those i frequently communicate with on msmom@lists.listleague.com. anyway, here's the thing... even though you're picking up the parameters, for some reason mom will not filter on the parameter field (in this case, i was filtering for parameter 3 contains substring organizationalUnit). i don't know why this is. another one of those irritating quirks... anyway, filtering on the description field finally picked it up as it was supposed to.
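to make the two rules concrete, here is an added example (my own code, not from this post and not anything mom ships) that models what the collection rule keeps and what the event rule's alert description renders to, run over two constructed 566 events. the parameter layout follows the mapping above (3 = object type, 4 = object name, 9 = user name, 12 = access); the other parameter slots, the user/ou names and the description text are constructed filler, not real log data. as in the post, the substring match is done on the description field rather than on parameter 3.

```python
import re
from dataclasses import dataclass


@dataclass
class SecurityEvent:
    """A security log event as MOM sees it. parameters are the event's
    insertion strings; MOM numbers them from 1, so parameters[n-1] is $Parameter n$."""
    source: str
    event_id: int
    event_type: str
    description: str
    parameters: list


# criteria shared by the collection rule and the event rule
RULE_SOURCE = "security"
RULE_EVENT_ID = 566
RULE_TYPE = "success audit"
RULE_SUBSTRING = "organizationalUnit"

# parameters the collection rule keeps, with the meaning the post assigns to them
COLLECTED_PARAMETERS = {3: "object type", 4: "object name", 9: "user name", 12: "access"}

# the alert description template from the event rule
ALERT_TEMPLATE = ("Directory Service change occurred for: Object: $Parameter 3$ "
                  "User : $Parameter 9$ Action: $Parameter 12$ Change: $Parameter 4$")


def rule_matches(event):
    """Criteria of both rules. The substring test is on the description field,
    not on parameter 3 (which is where the post found MOM's filter not firing)."""
    return (event.source.lower() == RULE_SOURCE
            and event.event_id == RULE_EVENT_ID
            and event.event_type.lower() == RULE_TYPE
            and RULE_SUBSTRING in event.description)


def collect(event):
    """Collection rule: keep only the numbered parameters, keyed by their label."""
    return {label: event.parameters[n - 1] for n, label in COLLECTED_PARAMETERS.items()}


def render_alert(event, template=ALERT_TEMPLATE):
    """Event rule: substitute each $Parameter n$ placeholder with parameter n.
    A placeholder beyond the parameter count is left untouched rather than raising."""
    def substitute(match):
        n = int(match.group(1))
        if 1 <= n <= len(event.parameters):
            return event.parameters[n - 1]
        return match.group(0)
    return re.sub(r"\$Parameter (\d+)\$", substitute, template)


def sample_events():
    """Two constructed 566 events (not real log data): an OU modification that
    the rules should pick up, and a user-object change they should ignore."""
    def make(object_type, object_name, user, access):
        # slots 3, 4, 9 and 12 follow the post's mapping; the rest is constructed filler
        params = ["DS", "Object Access", object_type, object_name, "0",
                  "DC01$", "EXAMPLE", "(0x0,0x3E7)", user, "EXAMPLE",
                  "(0x0,0x1A2B3C)", access, "Write Property"]
        description = ("Object Operation: Object Server: DS Operation Type: Object Access "
                       f"Object Type: {object_type} Object Name: {object_name} "
                       f"Client User Name: {user} Accesses: {access}")
        return SecurityEvent("Security", 566, "Success Audit", description, params)
    return [
        make("organizationalUnit", "OU=Servers,DC=example,DC=local", "jdoe", "Write Property"),
        make("user", "CN=Jane Doe,OU=Staff,DC=example,DC=local", "jdoe", "Write Property"),
    ]


def process(events):
    """Run both rules over a batch: returns (collected records, alert texts)."""
    collected, alerts = [], []
    for event in events:
        if rule_matches(event):
            collected.append(collect(event))
            alerts.append(render_alert(event))
    return collected, alerts


if __name__ == "__main__":
    records, alerts = process(sample_events())
    for record, alert in zip(records, alerts):
        print(record)
        print(alert)
```

the collected record is what you would still have in the events table after the alert has been scavenged; the rendered alert is the readable line an operator actually sees. if the agent has not been configured to resolve guids, parameter 12 and the object name would come through as raw guids and the alert would be just as unreadable as the original description.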