Jaa


Using SCOM to Capture Events from the Forwarded Events Log

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks.

So I ran into an interesting problem the other day.  The premise was pretty simple. I have security events that are being forwarded from workstations via Windows Event Subscriptions.  The idea behind it is to avoid putting a SCOM agent on potentially thousands of workstations, but to instead look for key security events that will be found in the Forwarded Events log.

The premise was straight forward, I created a simple rule to look for a security event (in this case an 1102, which is generated when someone wipes the event logs).  I created a management pack that discovers Event Collectors and then created a rule to target the Forwarded Events log on the event collectors.  I cleared the log on a machine that was forwarding events and confirmed the 1102 was forwarded to the Event Collector, and then I checked SCOM.  To my surprise, I saw nothing, and after repeating it again, I got the same result. Other event log rules that I had created were working, so I needed to dig a bit.

It took a bit of digging, but this article by Kevin Holman.  It is an older article from SCOM 2007, but the premise applies here too.  Simply put, SCOM rules or monitors will not generate alerts when the logging computer name is different from the computer name of the local agent.  The application in his case was clusters, where this would be common given that the cluster node names that generate errors differ from the cluster name itself.  This will be the case with forwarded events given that logging computer will likely be a system that is not monitored in SCOM, so definitely be careful as to how much you target there.  You can generate lots of noise.

Now that said, Kevin pretty much described the solution using an authoring tool such as VSAE, MPAuthor, or the SCOM 2007 console. However, you don’t have the option via console authoring.  There is however, a fairly easy fix.  Export your custom MP, find your monitor/rule, and simple add the following tag: <AllowProxying>true</AllowProxying>.  You can insert it right after the <LogName>ForwardedEvents</LogName> tag.

After importing the updated MP, Forwarded Events alerts generate just fine.

Technorati Tags: SCOM,Forwarded Events,Allow Proxy

Comments

  • Anonymous
    October 27, 2017
    Very helpful. Thank you for taking the time to post this.