monitor event 1149

  • Question

  • Hi all

    I'm new to SCOM and we need to monitor event ID 1149 on all servers to track who logs in to our servers.

    After creating a unit monitor -> Windows event -> simple event detection, if you log in to a server (for example a domain controller) it creates an alert the first time, but if you log in to the domain controller a second time or more, SCOM never creates an alert.

    So how can I create a monitor or rule so that if I log in to a server, SCOM creates an alert each time?

    Thank you in advance



    • Edited by raminsr Thursday, June 13, 2019 8:04 AM
    Thursday, June 13, 2019 8:03 AM

Answers

  • That should be a pretty straightforward rule.

    Can you show us how you configured the criteria?

    Thursday, June 13, 2019 8:09 AM
  • Hello,

    You should create a Rule, because if you create a Monitor it will alert the first time a login happens, and if the Monitor is not reset, it will not alert again on subsequent events.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Thursday, June 13, 2019 8:10 AM
  • Hi,

    If we want to track who logs in to all the servers, the overall steps are:
    1. Enable logon auditing via Group Policy, which will generate Event ID 4624 and others.
    2. Create a rule based on Event ID 4624 and its parameters, to exclude SYSTEM logons (only normal interactive users).

    For enabling logon audit, we may refer to:
    Enable Active Directory Logon/Logoff Audit events
    https://www.morgantechspace.com/2013/10/enable-active-directory-logonlogoff.html

    The Event ID 4624 format is as below:
    4624, An account was successfully logged on. Subject:  Security ID:  %1  Account Name:  %2  Account Domain:  %3  Logon ID:  %4  Logon Type:   %9  New Logon:  Security ID:  %5  Account Name:  %6  Account Domain:  %7  Logon ID:  %8  Logon GUID:  %13  Process Information:  Process ID:  %17  Process Name:  %18  Network Information:  Workstation Name: %12  Source Network Address: %19  Source Port:  %20  Detailed Authentication Information:  Logon Process:  %10  Authentication Package: %11  Transited Services: %14  Package Name (NTLM only): %15  Key Length:  %16  This event is generated when a logon session is created. It is generated on the computer that was accessed.

    For detailed information on Logon Type, we may refer to this article:
    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

    Secondly, we may need to create a rule based on Event ID 4624 where Logon Type (Parameter 9) is equal to 2:

    1. Select NT Event Log (Alert).
    2. Rule target is Windows Computer.
    3. Category: choose Security.
    4. Configure the criteria for the alert rule.

    For Event ID 1149, it seems it is something related to Microsoft-Windows-FailoverClustering and the Description is as below:
    The DNS Host (A) and Pointer (PTR) records associated with Cluster resource '%1' were not removed from the resource's associated DNS server. If necessary, they can be deleted manually. Contact your DNS administrator to assist with this effort.

    Hope the above information helps.

    Regards,

    Alex Zhu
    -----------------------------------------------
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Monday, June 17, 2019 2:12 AM
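    The rule Alex describes, written out as the management-pack XML the console wizard generates (an added example, not code from any poster): the criteria match Event ID 4624 with Parameter 9 (Logon Type) equal to 2 and Parameter 6 (New Logon Account Name) not equal to SYSTEM, and the Suppression element is the one Leon discusses further down the thread. Assumed and not shown: the Windows and Health manifest aliases and the StringResource/DisplayString for the alert message.

```xml
<!-- Rule element only: the Windows/Health aliases and the StringResource named in AlertMessageId are assumed to exist -->
<Rule ID="Example.Security.InteractiveLogon.AlertRule" Enabled="true"
      Target="Windows!Microsoft.Windows.Computer" ConfirmDelivery="true"
      Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Security</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Security</LogName>
      <Expression>
        <And>
          <!-- Event ID 4624: an account was successfully logged on -->
          <Expression><SimpleExpression>
            <ValueExpression><XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery></ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression><Value Type="UnsignedInteger">4624</Value></ValueExpression>
          </SimpleExpression></Expression>
          <!-- Parameter 9 = Logon Type; 2 = Interactive (console) logon -->
          <Expression><SimpleExpression>
            <ValueExpression><XPathQuery Type="String">Params/Param[9]</XPathQuery></ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression><Value Type="String">2</Value></ValueExpression>
          </SimpleExpression></Expression>
          <!-- Parameter 6 = New Logon Account Name; drop the SYSTEM logons -->
          <Expression><SimpleExpression>
            <ValueExpression><XPathQuery Type="String">Params/Param[6]</XPathQuery></ValueExpression>
            <Operator>NotEqual</Operator>
            <ValueExpression><Value Type="String">SYSTEM</Value></ValueExpression>
          </SimpleExpression></Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>1</Severity>
      <AlertMessageId>$MPElement[Name="Example.Security.InteractiveLogon.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/Params/Param[6]$</AlertParameter1>
      </AlertParameters>
      <!-- Empty SuppressionValue is the console default: repeats only raise the Repeat Count of
           one open alert. Delete the whole Suppression element to get a new alert per logon. -->
      <Suppression>
        <SuppressionValue />
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
```

    With the Suppression element removed, every matching 4624 raises its own alert, which is the behaviour the question asks for; with it present, the console shows one alert whose Repeat Count grows.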

All replies

  • For the criteria I just set "Event ID Equals 1149"

    and the path for the event ID -> Windows - Microsoft-TerminalServices-RemoteConnectionManager/Operational.

    Can you please show me in detail?



    • Edited by raminsr Thursday, June 13, 2019 8:38 AM
    Thursday, June 13, 2019 8:35 AM
  • I also created a rule -> NT event log (alert)

    and for the criteria ->

      just set "Event ID Equals 1149"

    and the path for the event ID -> Windows - Microsoft-TerminalServices-RemoteConnectionManager/Operational,

    but nothing changed and it still creates an alert only the first time, not more.


    • Edited by raminsr Thursday, June 13, 2019 8:41 AM
    Thursday, June 13, 2019 8:40 AM
  • A rule will be suppressed, just the alert count will grow.  You will have to close the alert in the console after every login.  This behaviour is by design.  A monitor will alert every time it goes unhealthy from a healthy state.  Of course, for that to happen it needs to be in a healthy state so you will need to figure out a way to set the monitor healthy as automatically as possible. In SCOM, it is always best to think in terms of health instead of old school "alerts".  Alerts are an afterthought not on the forefront.

    In your case, I don't think SCOM is the best tool for this particular requirement and would point you to some kind of security tool instead, unless your true objective is different.  What exactly is the goal here?

    Thursday, June 13, 2019 1:22 PM
  • Exactly, alerts that are generated by rules will be suppressed by default, if the rule definition in the management pack contains an empty Suppression Value tag.

    However, nothing in the alert properties as viewed in a console will indicate that suppression is enabled. You will only be aware of the suppression if you view the Repeat Count column for the alert.

    Thursday, June 13, 2019 1:26 PM
  • Thank you for your description. Our goal is simple. Every time someone logs in to a server it creates event ID 1149, and we need to have all of these events in the SCOM console. By your description, what is the best solution to have all of these event logs without manually closing alerts or changing the health state? What about ACS?
    Thursday, June 13, 2019 1:51 PM
  • ACS is a reporting tool, it will not generate alerts.

    Is your goal to monitor user logons to every server? Or just specific servers?

    Keep in mind that there might be a lot of events. Here's an old thread talking about this:
    SCOM Logon monitor

    Thursday, June 13, 2019 1:56 PM
  • Also, you may want to create an event collection rule instead of an alert rule if you don't need alerting; that would be simpler and lighter than deploying ACS.
    Thursday, June 13, 2019 2:09 PM
  • I think I would use a simple event detection timer reset monitor for this; when the event is detected it will generate an alert and close itself 'x' (5 maybe) minutes later.

    Or have I missed a requirement here?

    You could then run a quick PowerShell query to gather the number of alerts if there is a need for reporting.


    Richard Scott

    Thursday, June 13, 2019 4:03 PM
  • We need to track all user logins for all servers.
    Thursday, June 13, 2019 5:36 PM
  • What is the difference between an event collection rule and an alert rule?
    Thursday, June 13, 2019 5:38 PM
  • An event collection rule will collect events and keep them in the SCOM database (yup, for real), and you will have to create an event view to see them.

    An alert rule will trigger an alert from events, from which you can trigger a notification, add custom fields, change the resolution state, etc.

    And I personally would absolutely not create a simple event detection with reset monitor for your requirement!

    Thursday, June 13, 2019 6:52 PM
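    The collection-rule alternative described just above, in management-pack XML (an added example, not from any poster): it stores every Event ID 1149 from the log path the asker gave, writes it to the operational database and the data warehouse, and raises no alert, so suppression and health state never come into it. The Windows, SC and SCDW manifest aliases are assumed.

```xml
<!-- Collection rule, not an alert rule; Windows/SC/SCDW manifest aliases are assumed -->
<Rule ID="Example.RDP.Event1149.CollectionRule" Enabled="true"
      Target="Windows!Microsoft.Windows.Computer" ConfirmDelivery="false"
      Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <!-- the channel the asker named for event 1149 -->
      <LogName>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</LogName>
      <Expression>
        <SimpleExpression>
          <ValueExpression><XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery></ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression><Value Type="UnsignedInteger">1149</Value></ValueExpression>
        </SimpleExpression>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <!-- every matching event is stored as its own row; nothing is alerted, so nothing is suppressed -->
    <WriteAction ID="CollectToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent" />
    <WriteAction ID="CollectToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData" />
  </WriteActions>
</Rule>
```

    An Event View in the Monitoring pane filtered on this rule then lists each logon individually, with no alert to close.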
  • Hi,

    To achieve our goal, we may need to create a rule based on the specific Event ID and/or its parameters. Here's the step-by-step guide:

    https://blogs.technet.microsoft.com/antoni/2018/02/03/operations-manager-101-how-do-i-create-a-rule-to-be-alerted-on-a-scenario-such-as-a-user-been-added-to-domain-admins/


    Hope the above information helps.

    Regards,

    Alex Zhu
    Friday, June 14, 2019 2:56 AM
  • How can I set "Logged" in the event criteria? In the event ID, Logged = time.
    Friday, June 14, 2019 9:14 AM
  • Dear mate, by enabling audit it creates a lot of event IDs just for one login, and also event 4624 works for Windows 2012 R2.
    Monday, June 17, 2019 4:26 AM
  • Hi,

    Please kindly understand that in the Operations Manager forum we will mainly focus on how to generate alerts based on a specific Event ID (and/or its parameters). As for how to trigger/filter the events, it is suggested to post in the OS forum, where they may be more familiar with this situation. However, in this Operations Manager forum, we will try our best to provide as much information as we can.

    Thank you again for your kind understanding and have a nice day.

    Regards,

    Alex Zhu
    Monday, June 17, 2019 7:21 AM
  • Thank you,

    and all the best to you for your help.

    Tuesday, June 18, 2019 4:53 AM
  • Hi,

    Thank you for your kind understanding. I consulted this question with the AD guys and got the information that it seems we cannot keep only Event ID 4624, just for your reference.

    If you have any Operations Manager related problem in the future, please feel free to post in this forum.

    Regards,

    Alex Zhu
    Wednesday, June 19, 2019 2:24 AM