Configuring Event ID monitoring to monitor folder changes
All, here is my requirement. I have enabled auditing on a folder and I am getting the event ID whenever there are changes on this folder. Here is my config.

Alert name: Alert for DTCS Folder Modification

Here are the settings:
- Log name: Security
- Event Level: Equal Success audit
- Event Source: Equal Security
- Event ID: matches regular expression ^(560|562|567)$
- EventDescription: Contains E:\apps\DTCS

Now my questions:
1. Is it possible to have a dynamic alert name such as "Alert for DTCS Folder Modification on folder XXXX"?
2. Is it possible to exclude these folders: e:\apps\DTCS\LOGS, E:\apps\DTCS\TEMPLATE?

Regards, Siva
July 17th, 2012 10:48pm

All, any solution? Please advise.

Regards, Siva
July 18th, 2012 9:34pm

Probably you need to create a script-based monitor. While returning the health state, create one more property bag for the message, and in the Alerting pane use $Data\... variables to access the message sent from the script.
July 19th, 2012 1:48am

Hi,

I have reservations about using SCOM for file and folder auditing. Windows tends to be very noisy and generates a lot of events for just one file or folder access. It also won't tell you if the file or folder has changed, only that it was "open for change". If care isn't taken, it is all too easy to swamp SCOM with a lot of alerts. For compliance purposes, I usually use Tripwire when it comes to file and folder monitoring.

If you do want to go down this route, then I'd suggest setting up a Test Management Group and multi-homing a couple of servers between the Production and Test Management Groups so that you can deploy your Management Pack in Test and see how much noise it will generate and how much data it will store in the database.

For generating the alert, you could use an alert rule based on the Windows event log (Security) as Kevin Holman discusses here: http://blogs.technet.com/b/kevinholman/archive/2010/04/12/using-opsmgr-for-intrusion-detection-and-security-hardening.aspx

1) Dynamic alert names: no, this is not possible.
2) Exclusions: if the folder is a specific parameter, then as part of the rule criteria you could look to exclude a specific folder.

Cheers,
Graham

New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
July 19th, 2012 3:31am
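The two answers above describe the filtering logic in words: match the 560/562/567 event IDs, require the object path to sit under E:\apps\DTCS, drop anything under the LOGS and TEMPLATE sub-folders, and (for the script-based monitor route) hand back a per-folder message for the alert. The Python below is an added illustration of that logic and is not code from the thread or from SCOM; it models the rule criteria so the exclusion behaviour can be checked offline before a management pack is built. The event records are constructed samples, not real Security log output, and the "Object Name:" field format is an assumption made for the parser. One thing it shows that a plain "Contains" criterion does not: excluding by folder prefix plus separator keeps E:\apps\DTCS\LOGS excluded without also swallowing a sibling such as E:\apps\DTCS\LOGSARCHIVE. A 4663 record is included in the sample to show that the ^(560|562|567)$ regex only covers the pre-Vista event numbering; 4663 is the later equivalent of 560 and would be silently dropped by this rule.

```python
import re
from typing import List, Optional, Tuple

# Criteria taken from the rule configuration in the question.
EVENT_ID_PATTERN = re.compile(r"^(560|562|567)$")
WATCHED_FOLDER = r"E:\apps\DTCS"
# Sub-folders the question asks to exclude.
EXCLUDED_FOLDERS = [r"E:\apps\DTCS\LOGS", r"E:\apps\DTCS\TEMPLATE"]

# Assumed layout of the "Object Name:" field inside the event description.
OBJECT_NAME_RE = re.compile(r"Object Name:\s*(?P<path>[A-Za-z]:\\\S*)")

# Constructed sample records (event_id, description); not real Security log text.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (560, r"Object Open: Object Name: E:\apps\DTCS\config\settings.ini Accesses: WriteData"),
    (567, r"Object Access Attempt: Object Name: E:\apps\DTCS\LOGS\app.log Accesses: WriteData"),
    (562, r"Handle Closed: Object Name: E:\apps\DTCS\TEMPLATE\report.dotx"),
    (560, r"Object Open: Object Name: E:\apps\OTHER\file.txt Accesses: WriteData"),
    (4663, r"An attempt was made to access an object. Object Name: E:\apps\DTCS\bin\run.exe"),
    (560, r"Object Open: Object Name: E:\apps\DTCS\LOGSARCHIVE\old.txt Accesses: WriteData"),
]


def _norm(path: str) -> str:
    """Case-fold and strip trailing separators so comparisons are stable."""
    return path.rstrip("\\").lower()


def is_under(path: str, folder: str) -> bool:
    """True when path is folder itself or lies beneath it (prefix + separator)."""
    p, f = _norm(path), _norm(folder)
    return p == f or p.startswith(f + "\\")


def extract_object_name(description: str) -> Optional[str]:
    """Pull the audited object path out of the event description."""
    m = OBJECT_NAME_RE.search(description)
    return m.group("path") if m else None


def matches_rule(event_id: int, description: str) -> bool:
    """Apply the thread's criteria plus the two folder exclusions."""
    if not EVENT_ID_PATTERN.match(str(event_id)):
        return False
    path = extract_object_name(description)
    if path is None or not is_under(path, WATCHED_FOLDER):
        return False
    return not any(is_under(path, ex) for ex in EXCLUDED_FOLDERS)


def alert_name(description: str) -> str:
    """Build the per-folder title asked for in question 1.

    In the script-monitor approach this string would be the value placed in the
    extra property bag and referenced via $Data\... in the alert description.
    """
    path = extract_object_name(description) or ""
    folder = path.rsplit("\\", 1)[0]
    return f"Alert for DTCS Folder Modification on folder {folder}"


def evaluate(events: List[Tuple[int, str]]) -> List[str]:
    """Return one alert title per event that survives the rule criteria."""
    return [alert_name(desc) for eid, desc in events if matches_rule(eid, desc)]


if __name__ == "__main__":
    for title in evaluate(SAMPLE_EVENTS):
        print(title)
```

Run against the constructed sample, only the settings.ini and LOGSARCHIVE records produce alerts; the LOGS and TEMPLATE records are excluded, the E:\apps\OTHER record is outside the watched folder, and the 4663 record fails the event ID regex.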

