Wednesday, October 19, 2005

SBS Healthmon: Filtering events for notification

To follow up on yesterday’s post, I wanted to add some details on using healthmon.

To begin with, let’s just start by opening healthmon on your SBS2003 machine (Start > Programs > Administrative Tools > Health Monitor). Expand the “Small Business Server Alerts” object. Here you’ll find all of the current alerts that come pre-configured on your SBS machine.

This is where data collection for alert notifications is set up. So if you’re already receiving the occasional “Extended Server Usage Report for…” message, then you’re good to go. If not, then you need to go back and configure “Monitoring and Reporting” under the SBS 2003 “Server Management” snap-in.

Next, let’s go ahead and create alerts to monitor the creation and deletion of computer accounts.

While in healthmon, right-click “Core Server Alerts”, then click New, Data Collector, Windows Event Log Monitor. Click the Details tab. Check “Success Audit”. For the log file, choose “Security”. Under event ID, type “645”. Click the Actions tab and create a new email alert. Under execute condition, check the “Warning” and “Critical” checkboxes. Under schedule, make sure all days and all times are selected. For the collection interval, collect every “1” second, and set total samples for collection to “1”. On the “Message” tab, in the section that says “when status changes to Critical or Warning”, type “Computer Account Created”.

Great, so now an alert will fire whenever a computer account gets created. But what about when one gets deleted? Follow the same process outlined above, except you’ll be looking for event “647”.
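The filter those two collectors apply (Security log, Success Audit, event ID 645 or 647) can be checked against an exported log. This is an added example, not part of the original post or of Health Monitor. The CSV column layout, the sample rows and the “Computer Account Deleted” message text are assumptions, and the example goes beyond the post by also matching 4741 and 4743, the IDs that Windows Vista / Server 2008 and later log for the same two actions.

```python
import csv
import io

# Event IDs from the post (645 created, 647 deleted) plus their
# Vista / Server 2008+ equivalents (4741, 4743), which the post does not cover.
# The "Deleted" message text is an assumption; the post only gives "Created".
WATCHED = {
    645: "Computer Account Created",
    647: "Computer Account Deleted",
    4741: "Computer Account Created",
    4743: "Computer Account Deleted",
}

# Constructed sample export (hypothetical column layout, not a real log).
SAMPLE_EXPORT = """\
Log,Type,EventID,TimeGenerated,Message
Security,Success Audit,645,2005-10-19 09:14:02,constructed: account WKSTN07$ created
Security,Success Audit,538,2005-10-19 09:14:05,constructed: user logoff
Application,Information,645,2005-10-19 09:20:11,constructed: unrelated app event
Security,Failure Audit,647,2005-10-19 10:01:33,constructed: failed delete attempt
Security,Success Audit,647,2005-10-19 11:02:40,constructed: account WKSTN03$ deleted
Security,Success Audit,n/a,2005-10-19 11:05:00,constructed: malformed row
Security,Success Audit,4741,2012-03-01 08:00:00,constructed: newer host
"""


def matching_alerts(export_text):
    """Return (time, event_id, alert_subject) for rows the collectors would fire on."""
    alerts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Same three conditions as the Details tab: log file, event type, event ID.
        if row.get("Log") != "Security" or row.get("Type") != "Success Audit":
            continue
        try:
            event_id = int(row.get("EventID", ""))
        except (TypeError, ValueError):
            continue  # skip rows whose event ID is not a number
        subject = WATCHED.get(event_id)
        if subject is not None:
            alerts.append((row.get("TimeGenerated"), event_id, subject))
    return alerts


if __name__ == "__main__":
    for when, event_id, subject in matching_alerts(SAMPLE_EXPORT):
        print(f"{when}  event {event_id}: {subject}")
```

The Application-log row and the Failure Audit row carry a watched ID but are not reported, which is why the log file and event type settings matter as much as the ID itself.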

Expect some more follow-up and healthmon-related posts, including events that we monitor for, and our monitoring approach for the small-to-midsized market segment.
