List of logins coming from a subnet not in Sites & Services
Hello, I will need an alert on: "Login coming from Subnet not in Sites & Services". I will check Kevin's blog, Google... but has anybody done this type of alert/subscription? I found some PowerShell to get the sites and subnets:
$myForest.Sites | Where-Object { $_.Name -eq 'myCity' } | Select-Object -ExpandProperty Subnets
or http://meanderingmarcus.wordpress.com/2011/08/23/read-ad-site-and-subnet-information-save-to-xml/ http://www.systemcentercentral.com/BlogDetails/tabid/143/indexid/13097/Default.aspx and will review how to use it... Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 14th, 2012 8:42pm

Hi Dom, it isn't very clear what you are trying to achieve. If you want to be alerted when a remote (across site boundaries) login occurs, then you may want to check %systemroot%\debug\netlogon.log (you can create a log file monitor) on a domain controller. Also you may want to check the event: Event Type: Warning, Event Source: NETLOGON, Event ID: 5807. HTH http://OpsMgr.ru/
June 14th, 2012 10:58pm

Thanks Alexey, let me check this one; I will see if it fits our needs. I need to see any connection from subnets unknown to our AD sites records. Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 14th, 2012 11:20pm

Hello Alexey, this is the type of logon I would like to capture and identify:
Event Type: Warning
Event Source: NETLOGON
Event Category: None
Event ID: 5807
Date: 6/15/2012
Time: 4:14:28 PM
User: N/A
Computer: ADDCMCO1
Description: During the past 4.25 hours there have been 10555 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 104857600 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 18th, 2012 7:39pm

> Hi Dom, it isn't very clear what you are trying to achieve. If you want to be alerted when a remote (across site boundaries) login occurs, then you may want to check %systemroot%\debug\netlogon.log (you can create a log file monitor) on a domain controller. Also you may want to check the event: Event Type: Warning, Event Source: NETLOGON, Event ID: 5807. HTH http://OpsMgr.ru/

Will it be easier to use the Event ID instead of reading the log file? http://blogs.technet.com/b/kevinholman/archive/2010/04/12/using-opsmgr-for-intrusion-detection-and-security-hardening.aspx Rule or Monitor? Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 18th, 2012 7:44pm

No, it won't be easier. Microsoft-Windows-Security-Auditing will show you failed logon attempts, or succeeded attempts, but will not differentiate them by site. All cross-site logons are valid from the server's 'point of view'. Definitely a rule. First, you do not want to affect a health state with these logon events. Second, a monitor will change its state and will ignore all other events until its state is changed back to healthy (which is a bit of a challenge with security events because you do not have a 'healthy event'; a timer reset will cause a constant flip-flop and will lose events while it is waiting for the timer). You may want to create an alerting rule for an event with ID 5807 AND a collecting rule for netlogon.log (http://contoso.se/blog/?p=306). http://OpsMgr.ru/
June 19th, 2012 11:39am

Let me try a rule, as I started with a monitor which works, but http://social.technet.microsoft.com/Forums/en-US/operationsmanagergeneral/thread/4afc7bf8-2dcd-4e86-bcc2-73404068aa0e so far I am getting an incomplete description like: Event Description: The session setup from the computer XX2-RO-B265D failed to authenticate. The following error occurred: %%5. I need to find out how to populate the %%5 and also I need to understand why I am picking up only one and not all of the 5805 events... happening last night... I had more than 50 since I made the monitor... and only 1 is showing!!!! It seems I am getting only one per DC!!! Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 19th, 2012 1:04pm

Hello, what is the %%5 supposed to be filled with? I need more info in the alert??? How to display the description of the Event ID: "The session setup from the computer ORPODS01 failed to authenticate. The following error occurred: Access is denied." I will need to create a report. I saw the Event IDs 11 and 5805 are already picked, so I will need 5807 and 5723 at least... I tried '5805 5807' or '5805,5807' or '5805;5087'; it fails. What is the syntax for multiple events??? Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 21st, 2012 1:13pm

?bump?
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 21st, 2012 8:51pm

If you want to collect more than one event with one rule you can use a regexp like: EventID matches regexp "^(5805|5087)$". http://OpsMgr.ru/
June 21st, 2012 11:18pm

The rule is working fine; it is the report with the Event ID field that I need with several Event IDs. Is it the same format? On the right upper side of the Custom Event report already delivered with the MP. Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 21st, 2012 11:55pm

I believe it's better to create your own report: http://thoughtsonopsmgr.blogspot.com/2011/08/my-first-little-report-part-i-lets-make.html http://OpsMgr.ru/
June 22nd, 2012 12:39am

Hello, using http://thoughtsonopsmgr.blogspot.com/2011/08/my-first-little-report-part-i-lets-make.html I got an error:
Semantic query execution failed. A severe error occurred on the current command. The results, if any, should be discarded. Operation cancelled by user.
----------------------------
Cannot read the next data row for the dataset dataSet.
----------------------------
An error has occurred during report processing.
What exactly does this mean? Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 22nd, 2012 9:08am

> You may want to create an alerting rule for an event with ID 5807 AND a collecting rule for netlogon.log (http://contoso.se/blog/?p=306).

Hello, does the Netlogon.log exist on the DCs or should I create it? It seems to be created only when a specific service is running, isn't it? (maybe a debug???). On the Domain Controllers, in C:\WINDOWS\system32\config there is no Netlogon.log file, only dnd, dns, ftl files for Netlogon... (on top of AD, MOM, System, Security...). If I don't need the netlogon.log file, which event log file should I use for the Collection Rule? System? Security? Is it possible to get the IP of the machine in the Alert? I am getting the name for now... Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 22nd, 2012 3:31pm

> Does the Netlogon.log exist on the DCs or should I create it?

On every DC, in %SystemRoot%\debug\netlogon.log http://OpsMgr.ru/
June 25th, 2012 11:05pm

Thanks Alexey, yes the file is on the Domain Controllers... but as I am not a domain admin, and neither is the SCOM account, which account should have permissions to this file? svcMOMAction? Which rights are required? Read & Execute, List folder contents, Read? For now only the Domain Admins have access to this folder... Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 26th, 2012 2:06pm

If your agents are using the default (Local System) service account, it has enough permissions to read the file. http://OpsMgr.ru/
June 26th, 2012 10:27pm

I am opening a new thread to work on the reports http://social.technet.microsoft.com/Forums/en-US/operationsmanagergeneral/thread/5ff8a090-f1c0-491f-8ae1-83c887bb445e as the alerts look okay, except for the "%%5" in the alert for 5805 instead of "Access denied" http://social.technet.microsoft.com/Forums/en-US/operationsmanagergeneral/thread/26d02b28-71cb-4092-aabe-fc77c92156d7 Thanks a lot, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
June 26th, 2012 11:29pm

Hello, I need to add the IP, subnet... apparently I don't have it in the Event... but only in the Netlogon.log file:
07/06 10:21:39 AD: NO_CLIENT_SITE: ServerName 10.61.101.25
Thanks, Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
July 6th, 2012 1:29pm
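As an added example (not from the thread, SCOM, or any Microsoft tool), the following Python script does what the 5807 event text and Dom's last post describe: it pulls the NO_CLIENT_SITE entries out of netlogon.log, re-checks each client IP against a site-to-subnet map such as the one the PowerShell in the first post returns, and aggregates the clients that are still uncovered into /24 candidates for new subnet objects. The site names, subnets and log lines below are constructed samples, not values from the thread's environment.

```python
import ipaddress
import re
from collections import Counter

# Per the 5807 event text: after "NO_CLIENT_SITE:" the first word is the client
# name and the second is the client IP. Prefix is date/time as in the quoted log line.
NO_CLIENT_SITE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) .*?"
    r"NO_CLIENT_SITE: (?P<client>\S+) (?P<ip>\S+)"
)

# Constructed sample: what Sites & Services currently knows (site name -> subnets).
SITE_SUBNETS = {
    "myCity": ["10.61.100.0/24", "10.61.102.0/23"],
    "Branch": ["192.168.50.0/24"],
}

# Constructed sample netlogon.log excerpt; the last line is unrelated debug output.
SAMPLE_LOG = """\
07/06 10:21:39 AD: NO_CLIENT_SITE: ServerName 10.61.101.25
07/06 10:21:41 AD: NO_CLIENT_SITE: XX2-RO-B265D 10.61.101.77
07/06 10:22:03 AD: NO_CLIENT_SITE: ORPODS01 172.16.9.14
07/06 10:22:10 AD: NO_CLIENT_SITE: LAPTOP12 10.61.102.200
07/06 10:22:15 AD: SamLogon: Network logon of CONTOSO\\user from LAPTOP12 Returns 0x0
"""

def parse_no_client_site(text):
    """Yield (client, ip) for each NO_CLIENT_SITE line; skip other lines and unparsable IPs."""
    for line in text.splitlines():
        m = NO_CLIENT_SITE_RE.search(line)
        if not m:
            continue
        try:
            yield m.group("client"), ipaddress.ip_address(m.group("ip"))
        except ValueError:  # not an IP address (corrupt or truncated line)
            continue

def site_for(ip, site_subnets):
    """Return the site whose subnet covers ip (longest prefix wins), or None if none does."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    best = None
    for site, nets in site_subnets.items():
        for net in map(ipaddress.ip_network, nets):
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (site, net)
    return best[0] if best else None

def unmapped_clients(text, site_subnets):
    """Set of (client, ip) whose IP is still not covered by any site subnet.
    Clients covered by a subnet added since the log was written are dropped."""
    return {(c, str(ip)) for c, ip in parse_no_client_site(text)
            if site_for(ip, site_subnets) is None}

def candidate_subnets(text, site_subnets, prefixlen=24):
    """Count still-unmapped clients per /prefixlen network: input for new subnet objects."""
    counts = Counter()
    for _, ip in unmapped_clients(text, site_subnets):
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return counts
```

Feed it the real %SystemRoot%\debug\netlogon.log (and netlogon.bak) and the subnet list exported from Sites & Services; the candidate list is what to review before creating subnet objects, and a client that keeps appearing in an unexpected range is the one worth investigating.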
