I am trying to create a rule that generates an alert and sends a notification when an event occurs in Active Directory; i.e., I want to have a notification when an AD user is created...
I have tried to do it many times with no luck.
What I noticed is that when I go to configure the rule, I select the computer name and the type of event source, which is Security in my case, and I select the event ID and apply the changes.
I chose my primary domain controller hostname as the computer name, and I checked names and everything is okay,
but what is weird to me is that the computer name is always taking the SCOM server hostname as the computer name.
Does SCOM by default collect security events from a remote computer different from the management server?
If yes, what am I missing?
If no, do I have to edit the XML configuration of the default management pack that I am using in my rule?
Does allow agent proxy have to do with this?
Simply, I want a rule that gathers events from a remote machine.
Please, I need support because I am stuck here and I am out of ideas how to do it.
10x in advance
By default, an event ID rule runs locally for agent-managed computers. You can target the rule at the "Windows Domain Controller" class and apply a filter on event ID, source, log file, event level and event description.
Refer to the link below on how to create an event ID rule:
Please refer to the following blog
To monitor Active Directory Changes and include the attribute that changed
Monitor changes in AD users and groups
Collecting Security Events Using Audit Collection Services in Operations Manager
Regarding targeting of a rule or monitor, please refer to:
Selecting a target
System Center Operations Manager (SCOM) Best Practices Poster Rule and Monitor Targeting
In addition, please refer to the following:
You cannot configure a rule or a monitor to target a computer group in the Operations console in System Center Operations Manager
Thanks.
TechNet Community Support