Microsoft Knowledge Base Article
This article's content is Microsoft copyrighted material.
©2005-2007 Microsoft Corporation. All rights reserved.
Article ID: 883339 - Last Review: October 27, 2006 - Revision: 2.2

MOM 2005 event rules that use the Security event provider trigger messages when the event criteria are not met

You create a new event processing rule in Microsoft Operations Manager (MOM) 2005. When you use the Security event provider to search the description field of the Security event log for specific event IDs, the new rule may trigger messages, even if the rule criteria have not been met.

This behavior occurs when the MOM 2005 event processing rule contains regular or Boolean expressions. In this case, the regular or Boolean expressions may not correctly parse the event description field in the Security event log. This behavior causes the event processing rule to trigger a message.

To work around this problem, modify your existing event rule, or create a new event rule to collect the specified event IDs in the Security event log. You can then specify additional parameters to trigger the message. For example, if you want to receive messages for user logon failure events, such as event ID 529, for a specific user account, follow these steps:

Note: These steps assume that you want to create a new event rule. To modify your existing event rule, double-click the event rule that you want to modify, and then use only step 7 and step 8. The collection rule that is referenced in these steps is part of the steps in the wizard. You do not have to create a new collection rule for the specific parameter matching to work.

1. Click Start, point to Programs, point to Microsoft Operations Manager 2005, and then click Administrator Console.
2. In the MOM 2005 Administrator Console, expand Microsoft Operations Manager (ServerName), where ServerName is the name of the computer that is running MOM 2005.
3. Expand Management Packs, expand Rule Groups, and then expand the rule group to which you want to add an event rule.
4. Right-click Event Rules, and then click Create Event Rule.
5. In the Select Event Rule Type dialog box, click Collect Specific Events (Collection), and then click Next.
6. Click the list under Provider name, click Security, and then click Next.
7. On the Collection Rule Properties - Criteria screen, click the Event ID check box, type 529, and then click Advanced.
8. In the Advanced Criteria dialog box, click the list under Field, select the parameter that you want to use, and then type the value for the expression. In this example, the following values are used:
   - Parameter 1 equals UserName, where UserName is the name of the user account.
   - Parameter 2 equals DomainName, where DomainName is the name of the domain.
   - Parameter 3 equals Log on ID, where Log on ID is the ID of the currently logged on user.
   - Parameter 4 equals Log on Type, where Log on Type is the type of account running the service or task. For example, Interactive or Service.
   Set each parameter, click Add to list, click Close, and then click Next.
9. On the Collection Rule Properties - Parameter Storage page, click Store all event parameters, and then click Next.
10. On the Collection Rule Properties - Schedule page, you can set a schedule or select Always process data, and then click Next.
11. On the Collection Rule Properties - Company Knowledge Base page, you may enter any knowledge that you have gathered or leave the page blank, and then click Next.
12. On the Collection Rule Properties - General page, type a name for the new rule in the Rule name: field. Click to select the This rule is enabled check box to turn on the rule, and then click Next.
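The matching approach behind these steps, as an added example that is not part of the Microsoft article and does not reproduce MOM's rule engine: filter on the event ID and exact positional parameters instead of running a pattern over the rendered description text. The event records, the simplified description layout and all function names are constructed for illustration; only Parameter 1 (user name) and Parameter 2 (domain) from the steps above are used.

```python
import re

# Constructed sample events (simplified logon-failure records, not real log data).
# "params" holds the positional event parameters: [Parameter 1, Parameter 2].
EVENTS = [
    {"id": 529, "params": ["jsmith", "CORP"], "workstation": "WS-014"},
    {"id": 529, "params": ["backup", "CORP"], "workstation": "JSMITH-LAPTOP"},
    {"id": 529, "params": ["jsmith", "LAB"], "workstation": "WS-201"},
    {"id": 529, "params": ["jsmithers", "CORP"], "workstation": "WS-033"},
]

def render_description(ev):
    """Build a simplified, constructed description string for an event."""
    user, domain = ev["params"][0], ev["params"][1]
    return (
        "Logon Failure:\n"
        "\tReason:\tUnknown user name or bad password\n"
        f"\tUser Name:\t{user}\n"
        f"\tDomain:\t{domain}\n"
        f"\tWorkstation Name:\t{ev['workstation']}\n"
    )

def description_hits(user):
    """Fragile rule: event ID plus a pattern searched in the description text."""
    pattern = re.compile(re.escape(user), re.IGNORECASE)
    return [i for i, ev in enumerate(EVENTS)
            if ev["id"] == 529 and pattern.search(render_description(ev))]

def parameter_hits(criteria):
    """Structured rule: event ID plus exact matches on 1-based parameter positions."""
    hits = []
    for i, ev in enumerate(EVENTS):
        if ev["id"] != 529:
            continue
        params = ev["params"]
        if all(pos <= len(params) and params[pos - 1].lower() == want.lower()
               for pos, want in criteria.items()):
            hits.append(i)
    return hits

if __name__ == "__main__":
    # The description search also fires on a workstation name, another
    # domain and a longer user name that merely contain the string.
    print("description rule:", description_hits("jsmith"))
    print("parameter rule:  ", parameter_hits({1: "jsmith", 2: "CORP"}))
```
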
For additional information about Windows 2000 Security event IDs, click the following article numbers to view the articles in the Microsoft Knowledge Base:
299475 (http://kbalertz.com/Feedback.aspx?kbNumber=299475/) Windows 2000 Security event descriptions (Part 1 of 2)
301677 (http://kbalertz.com/Feedback.aspx?kbNumber=301677/) Windows 2000 Security event descriptions (Part 2 of 2)
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
APPLIES TO
- Microsoft Operations Manager (MOM) 2005