O R G A N I C / F E R T I L I Z E R: mom: monitoring organizationalUnit changes...

Mar 23, 2006

mom: monitoring organizationalUnit changes...

i've lost a lot of hair today. why? mom is finicky and aggravating. i'll get to that later. here's how to set up rules to pick up event id 566. it's made up of two rules: a collection rule and an event rule. first of all, why create a collection rule? it's simple. if you only create an event rule to raise the alert, you don't necessarily hold on to all the parameters that you want. if you want to go look for this later, it may be challenging if you're grooming alerts faster than events. set it up like this:
  • source: security
  • event id: 566
  • type: success audit
  • description: contains substring organizationalUnit
  • parameters: 3,4,9,12
i'm not going to advocate collecting all the event parameters. it's probably safe with the description filter, but i saw some events come in with some wild parameter counts (in the mid 100's). now, you will pick up events that you probably didn't mean to, like user accounts getting created/deleted under an OU. anyway, the parameters i chose map to these fields:
  • parameter 3: object type
  • parameter 4: object name
  • parameter 9: user name
  • parameter 12: access
alright, now create an event rule with these criteria:
  • source: security
  • event id: 566
  • type: success audit
  • description: contains substring organizationalUnit
on the alert tab, modify the description to look like this:
Directory Service change occurred for: Object: $Parameter 3$ User : $Parameter 9$ Action: $Parameter 12$ Change: $Parameter 4$
why? if you let the description field come into the alert as-is, it's just ugly. no one wants to read it like that. by the way, the parameters won't mean much to you without making this modification to configure the mom agent to resolve the guids it collects in events to friendly names. obviously, you're picking up these events on your domain controllers. yes... that means making this registry change on all of them. this thing took about 4 hours to figure out. many thanks to those i frequently communicate with on msmom@lists.listleague.com. anyway, here's the thing... even though you're picking up the parameters, for some reason, mom will not filter on the parameter field (in this case, i was filtering for parameter 3 contains substring organizationalUnit). i don't know why this is. another one of those irritating quirks... anyway, the description filter finally picked it up as it was supposed to.
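to make the rule criteria, the parameter mapping and the $Parameter N$ alert template concrete, here's an added python sketch (not part of the original post and not anything mom ships) run over a few constructed 566 records. it applies the description-substring filter the rules above end up using, and next to it the parameter 3 check the post wanted, so you can see why the description filter also lets through the user-under-an-OU events; the sample event text and guid-resolved values are assumptions, not real audit output.

```python
import re
from dataclasses import dataclass

# parameter positions the post collects, and the field each one maps to
PARAM_FIELDS = {3: "object type", 4: "object name", 9: "user name", 12: "access"}

# the reworked description from the post's alert tab
ALERT_TEMPLATE = ("Directory Service change occurred for: Object: $Parameter 3$ "
                  "User : $Parameter 9$ Action: $Parameter 12$ Change: $Parameter 4$")

@dataclass
class Event:
    source: str
    event_id: int
    event_type: str
    description: str
    parameters: dict          # mom parameter number (1-based) -> value

def parameter(ev, n):
    """A parameter the event does not carry renders as empty text, as in mom."""
    return ev.parameters.get(n, "")

def matches_rule(ev, substring="organizationalUnit"):
    """The criteria shared by the collection rule and the event rule in the post."""
    return (ev.source == "Security" and ev.event_id == 566
            and ev.event_type == "Success Audit" and substring in ev.description)

def collect(ev):
    """Collection rule: keep only parameters 3, 4, 9 and 12, under friendly names."""
    return {name: parameter(ev, n) for n, name in PARAM_FIELDS.items()}

def render_alert(ev, template=ALERT_TEMPLATE):
    """Expand each $Parameter N$ token the way the alert tab does."""
    return re.sub(r"\$Parameter (\d+)\$", lambda m: parameter(ev, int(m.group(1))), template)

def is_ou_object(ev):
    """The narrower check the post wanted but mom would not apply: parameter 3 names an OU."""
    return "organizationalUnit" in parameter(ev, 3)

# constructed sample events; guids are assumed already resolved to friendly names by the agent
SAMPLE = [
    Event("Security", 566, "Success Audit", "Object Operation ... organizationalUnit ...",
          {3: "organizationalUnit", 4: "OU=Sales,DC=example,DC=local", 9: "EXAMPLE\\jdoe", 12: "Write Property"}),
    Event("Security", 566, "Success Audit", "Object Operation ... user ... organizationalUnit ...",
          {3: "user", 4: "CN=Bob,OU=Sales,DC=example,DC=local", 9: "EXAMPLE\\jdoe", 12: "DELETE"}),
    Event("Security", 566, "Success Audit", "Object Operation ... group ...", {3: "group"}),
    Event("Application", 566, "Success Audit", "organizationalUnit", {3: "organizationalUnit"}),
]
```

the second sample passes the description filter but fails the parameter 3 check, which is the noise the post warns about; the fourth is rejected on source alone.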