
Altiris Monitor Solution – Monitoring and Auditing Systems Part 3

By Antonp

Monitoring the Use of User Rights

Windows NT and Windows 2000 include the ability to audit the use of user rights (also known as privileges).

Enabling success and failure auditing for the "Use of User Rights" category will enable the following events:

576 Special privileges assigned to new logon
577 Privileged Service Called
578 Privileged object operation

How you would perform User Rights Monitoring with Altiris Monitor Solution

  • You can either use one of the predefined monitor pack rules or create your own if no predefined rule is available.
  • Select the plus sign to create a new rule
  • Give the rule a name "User Rights Monitoring"
  • Type: select "Based on NT Event" from the drop-down.
  • Select "New" to create the conditions of the rule.
  • Property: "Log File"
  • Condition: "Is"
  • Value: "Security"
    • The value is "Security" because the events are read from the Security event log.
  • Select "New" again to add another condition to the rule.
  • Operator: "And" combines this condition with the previous one, so both must hold.
  • Property: "Event ID"
  • Condition: "Matches Regular Expression"
  • Value: the Event IDs to match, written as a regular expression such as (576|577|578).
  • Select "OK" to apply changes.
  • The rule is now configured and will monitor Security log events matching the Event IDs specified.
  • You can also specify "Rule Repetition", where you define how many times the rule has to match within a specified time frame before an event is logged and a notification is sent.
  • Select "Action" to specify what should happen once the event has been detected.
  • There are various action options to select
    • Create incident
    • Create an NT Event
    • Send E-Mail
    • Many more
  • In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected, since it poses a potential risk to the business.
  • Select "OK" to confirm the settings and then select "OK" again to save all changes to the rule.

Monitoring the Administrative Authority

Monitoring Account Management

The "Account Management" Audit policy is very detailed in Windows 2000 and in later service packs of Windows NT 4.0. By enabling success and failure auditing for this event category, you enable the following events:

624 User Account Created
625 User Account Type Change
626 User Account Enabled
627 Change Password Attempt
628 User Account password set
629 User Account Disabled
630 User Account Deleted
631 Security Enabled Global Group Created
632 Security Enabled Global Group Member Added
633 Security Enabled Global Group Member Removed
634 Security Enabled Global Group Deleted
635 Security Enabled Local Group Created
636 Security Enabled Local Group Member Added
637 Security Enabled Local Group Member Removed
638 Security Enabled Local Group Deleted
639 Security Enabled Local Group Changed
640 General Account Database Change
641 Security Enabled Global Group Changed
642 User Account Changed
643 Domain Policy Changed
644 User Account Locked Out
645 Computer Account Created
646 Computer Account Changed
647 Computer Account Deleted
648 Security Disabled Local Group Created
649 Security Disabled Local Group Changed
650 Security Disabled Local Group Member Added
651 Security Disabled Local Group Member Removed
652 Security Disabled Local Group Deleted
653 Security Disabled Global Group Created
654 Security Disabled Global Group Changed
655 Security Disabled Global Group Member Added
656 Security Disabled Global Group Member Removed
657 Security Disabled Global Group Deleted
658 Security Enabled Universal Group Created
659 Security Enabled Universal Group Changed
660 Security Enabled Universal Group Member Added
661 Security Enabled Universal Group Member Removed
662 Security Enabled Universal Group Deleted
663 Security Disabled Universal Group Created
664 Security Disabled Universal Group Changed
665 Security Disabled Universal Group Member Added
666 Security Disabled Universal Group Member Removed
667 Security Disabled Universal Group Deleted
668 Group Type Changed
669 Add SID History (Success)
670 Add SID History (Failure)

How you would perform Account Management Monitoring with Altiris Monitor Solution

  • You can either use one of the predefined monitor pack rules or create your own if no predefined rule is available.
  • Select the plus sign to create a new rule
  • Give the rule a name "Account Management Monitoring"
  • Type: select "Based on NT Event" from the drop-down.
  • Select "New" to create the conditions of the rule.
  • Property: "Log File"
  • Condition: "Is"
  • Value: "Security"
    • The value is "Security" because the events are read from the Security event log.
  • Select "New" again to add another condition to the rule.
  • Operator: "And" combines this condition with the previous one, so both must hold.
  • Property: "Event ID"
  • Condition: "Matches Regular Expression"
  • Value: the Event IDs to match, written as a regular expression such as (624|625|626|627); extend the list with the other account management IDs you want to watch.
  • Select "OK" to apply changes.
  • The rule is now configured and will monitor Security log events matching the Event IDs specified.
  • You can also specify "Rule Repetition", where you define how many times the rule has to match within a specified time frame before an event is logged and a notification is sent.
  • Select "Action" to specify what should happen once the event has been detected.
  • There are various action options to select
    • Create incident
    • Create an NT Event
    • Send E-Mail
    • Many more
  • In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected, since it poses a potential risk to the business.
  • Select "OK" to confirm the settings and then select "OK" again to save all changes to the rule.
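The two "Based on NT Event" rules above (User Rights Monitoring and Account Management Monitoring) both reduce to the same check: Log File Is "Security" AND Event ID Matches Regular Expression, optionally gated by Rule Repetition. The following Python is an added illustration of that logic run over constructed sample events; it is not Altiris code, and the sample events, the rule class and the assumption that the hit history resets once a rule fires are ours.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data): (timestamp, log file, event ID, description).
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 9, 0, 0), "Security", 624, "User Account Created"),
    (datetime(2024, 1, 1, 9, 0, 5), "Security", 632, "Security Enabled Global Group Member Added"),
    (datetime(2024, 1, 1, 9, 0, 7), "Application", 624, "same ID, wrong log: must not match"),
    (datetime(2024, 1, 1, 9, 1, 0), "Security", 577, "Privileged Service Called"),
    (datetime(2024, 1, 1, 9, 40, 0), "Security", 630, "User Account Deleted"),
]

class NtEventRule:
    """One 'Based on NT Event' rule: Log File Is <log_file> AND Event ID Matches Regular Expression
    <event_id_regex>, with Rule Repetition (fire once `repeat` matches fall inside `window_seconds`)."""

    def __init__(self, name, log_file, event_id_regex, repeat=1, window_seconds=300):
        self.name = name
        self.log_file = log_file
        # Anchor the pattern so that e.g. "62" cannot match event 624.
        self.event_id_re = re.compile(rf"^(?:{event_id_regex})$")
        self.repeat = repeat
        self.window = timedelta(seconds=window_seconds)
        self._hits = deque()

    def matches(self, log_file, event_id):
        return log_file == self.log_file and bool(self.event_id_re.match(str(event_id)))

    def feed(self, ts, log_file, event_id):
        """Return True when the rule's Action (incident, NT event, e-mail) should run."""
        if not self.matches(log_file, event_id):
            return False
        self._hits.append(ts)
        while ts - self._hits[0] > self.window:   # drop hits outside the repetition window
            self._hits.popleft()
        fired = len(self._hits) >= self.repeat
        if fired:
            self._hits.clear()   # reset after firing (our assumption, avoids alert floods)
        return fired

def run_rules(rules, events):
    return [(r.name, eid, desc) for ts, log, eid, desc in events for r in rules if r.feed(ts, log, eid)]

def run_demo():
    rules = [
        NtEventRule("User Rights Monitoring", "Security", "(576|577|578)"),
        NtEventRule("Account Management Monitoring", "Security", "(624|625|626|627|630|632)", repeat=2),
    ]
    return run_rules(rules, SAMPLE_EVENTS)
```

With repeat=2 the account management rule stays silent for the lone 624 and the late 630, and fires only when 624 and 632 arrive within five minutes of each other.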

Performance Monitoring

Performance data is stored in the registry; however, it is usually accessed by using APIs such as the Performance Data Helper API or by using WMI.

Understanding how to monitor the performance of your computers gives you several advantages:

  • Capacity planning. Deciding how much hardware you need to buy for current and future needs.
  • Identifying bottlenecks. When a server becomes unable to provide a service, it is often because it has run out of some resource.
  • Identifying the target of a denial-of-service attack. These attacks typically cause a shortage in some system resource, which is identified in the same way as any other performance bottleneck.

The four major bottlenecks on a system are:

  • CPU load
  • Available memory
  • Disk system performance
  • Network bandwidth

When you are first trying to zero in on a performance issue, you might want to take a look at the following counters for a quick overview of how the computer is doing:

  • Memory\Available Bytes. If this counter stays low (below 4 megabytes), you might have a memory bottleneck.
  • Memory\Pages/sec. If this counter averages over 10 on a given interval, you might have a memory bottleneck.
  • Memory\% Committed Bytes In Use. If this counter is constantly near 100 percent, you might have a memory bottleneck.
  • Processor\% Processor Time. If this counter is constantly near 100 percent, you might have a CPU bottleneck.
  • Physical Disk\% Disk Time. If this counter is constantly over 67 percent, you might have a disk bottleneck.
  • Physical Disk\Avg. Disk Queue Length. If this counter averages over 2, you might have a disk bottleneck.
  • Network Segment\% Network Utilization. If this counter approaches the typical limit for your kind of network, you might have a network bottleneck (Ethernet = 35%, switched Ethernet = 85%, token ring = 75%).

How you would perform System Performance Monitoring with Altiris Monitor Solution

  • You can either use one of the predefined monitor pack rules or create your own if no predefined rule is available.
  • Select "Manage Metric" from the left-hand pane and pick the metric you need, or select the plus sign to create a new metric for your performance counter.
  • Metric Type: always "Performance Counter" when monitoring performance counters.
  • Name: specify a name for the metric, e.g. "Memory – Available Bytes".
  • Polling Interval: specify the time between polls.
  • Timeout: leave as default.
  • Select "Performance Counter Builder" to build the performance counter if you are creating a new one.
  • Performance Objects from computer: select the source computer to read the objects from, e.g. \\sourcename.
  • Select a Performance Object: use the drop-down list to select the Performance Object, e.g. "Memory".
  • Performance Object Type: shows a short description of the selected object.
  • Select a counter from the list: lists all counters available for that object; pick the one to monitor.
  • Select "OK" to save the changes, and select "OK" again to save all changes to the Performance Counter Metric.
  • Select the plus sign to create a new rule
  • Give the rule a name "System Performance Monitoring"
  • Type: select "Based on Metric" from the drop-down.
  • Select "New" to create the conditions of the rule.
  • Metric Type: "Performance Counter"
  • Metric: Previously created metric "Memory – Available Bytes"
  • Condition: "Less than or equal to"
  • Value Type: "Constant"
  • Value: the threshold number (for Available Bytes, the byte count at or below which the rule should fire).
  • Select "OK" to save the changes.
  • The rule is now configured and will raise an event whenever the specified Performance Metric meets the condition.
  • You can also specify "Rule Repetition", where you define how many times the rule has to match within a specified time frame before an event is logged and a notification is sent.
  • Select "Action" to specify what should happen once the event has been detected.
  • There are various action options to select
    • Create incident
    • Create an NT Event
    • Send E-Mail
    • Many more
  • In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected, since it poses a potential risk to the business.
  • Select "OK" to confirm the settings and then select "OK" again to save all changes to the rule.
  • The same procedure can be followed when creating Performance Counters or Metrics for processor performance, disk utilization and performance, and network utilization and performance.
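To show how the quick-overview thresholds listed earlier (Available Bytes, Pages/sec, % Committed Bytes In Use, % Processor Time, % Disk Time, Avg. Disk Queue Length, % Network Utilization) translate into "Based on Metric" rules of the kind built above, here is an added Python illustration, not Altiris code. The poll samples are constructed, and how "constantly" (minimum of the interval), "averages" (mean) and "near 100 percent" (95 or more) are interpreted is our assumption.

```python
from statistics import mean

# Constructed poll results (not real counter data), oldest first, one list per counter path.
SAMPLES = {
    r"Memory\Available Bytes": [12_000_000, 6_000_000, 3_500_000, 3_000_000],
    r"Memory\Pages/sec": [4, 9, 14, 18],
    r"Memory\% Committed Bytes In Use": [70, 80, 90, 96],
    r"Processor\% Processor Time": [40, 55, 60, 50],
    r"PhysicalDisk\% Disk Time": [30, 80, 75, 70],
    r"PhysicalDisk\Avg. Disk Queue Length": [1, 3, 2.5, 2.2],
    r"Network Segment\% Network Utilization": [10, 20, 25, 36],
}

# "constantly" -> minimum over the interval, "averages" -> mean, otherwise the latest poll;
# "near 100 percent" -> 95 or more. These readings of the thresholds are our assumptions.
OPS = {"<=": lambda a, b: a <= b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
AGG = {"last": lambda xs: xs[-1], "mean": mean, "min": min}
NETWORK_LIMITS = {"ethernet": 35, "switched ethernet": 85, "token ring": 75}

def build_rules(network_kind="ethernet"):
    """Metric rules (name, counter, condition, constant value, aggregate); the network
    limit depends on the kind of network, as in the overview list."""
    return [
        ("Memory - Available Bytes", r"Memory\Available Bytes", "<=", 4 * 1024 * 1024, "last"),
        ("Memory - Pages/sec", r"Memory\Pages/sec", ">", 10, "mean"),
        ("Memory - % Committed Bytes In Use", r"Memory\% Committed Bytes In Use", ">=", 95, "min"),
        ("Processor - % Processor Time", r"Processor\% Processor Time", ">=", 95, "min"),
        ("PhysicalDisk - % Disk Time", r"PhysicalDisk\% Disk Time", ">", 67, "min"),
        ("PhysicalDisk - Avg. Disk Queue Length", r"PhysicalDisk\Avg. Disk Queue Length", ">", 2, "mean"),
        ("Network - % Network Utilization", r"Network Segment\% Network Utilization", ">=",
         NETWORK_LIMITS[network_kind], "last"),
    ]

def evaluate(rules, samples, window=3):
    """Apply every rule to the most recent `window` polls of its counter; return the names
    of the rules whose condition holds (the point at which an Action such as e-mail runs)."""
    fired = []
    for name, counter, op, value, agg in rules:
        recent = samples[counter][-window:]
        if len(recent) < window:      # not enough polls yet to judge an interval
            continue
        if OPS[op](AGG[agg](recent), value):
            fired.append(name)
    return fired
```

Note that % Committed Bytes In Use does not fire even though the last poll is 96: one high sample is not "constantly near 100 percent", which is exactly the flapping that Rule Repetition is meant to suppress.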