Altiris Monitor Solution – Monitoring and Auditing Systems, Part 2 

May 12, 2009 12:44 PM

Monitoring System Crashes

When the system crashes and writes a memory dump, Event ID 1001 with the event source "Save Dump" is generated in the System log.

How to perform System Crash Monitoring with Altiris Monitor Solution

  • You can either use one of the predefined monitor pack rules or create your own if no predefined rule is available.
  • Select the plus sign to create a new rule
  • Give the rule a name "System Crash Monitoring"
  • Type: "Based on NT Event" from the drop down.
  • Select "New" to create the conditions of the rule.
  • Property: "Log File"
  • Condition: "Is"
  • Value: "System"
    • The value is "System" because the information comes from the System log file.
  • Select "New" again to add another condition to the rule.
  • Operator: "And" allows the previous condition to run with this condition.
  • Property: "Event ID"
  • Condition: "Matches Regular Expression"
  • Value: the Event ID, written as a regular expression, e.g. (1001).
  • Select "OK" to apply changes.
  • The rule configuration is now set and will monitor System log events according to the Event ID specified.
  • You can also specify "Rule Repetition", where you specify how many times the rule has to trigger within a specified time frame before an event is logged and a notification is sent.
  • Select "Action" to specify what should happen after the event has been detected.
  • There are various action options to select
    • Create incident
    • Create an NT Event
    • Send E-Mail
    • Many more
  • In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected, because an unexpected crash poses a potential risk to the business.
  • Select "OK" to confirm the settings and then select "OK" again to save all changes to the rule.
Monitoring Processes

Windows NT and Windows 2000 include the ability to log the creation and destruction of each process on the system. To enable this feature, set the system's Audit policy to audit success and failure events in the "Detailed Tracking" category.

592 A new process has been created
593 A process has exited
594 A handle to an object has been duplicated
595 Indirect access to an object has been obtained

How to perform Process Monitoring with Altiris Monitor Solution

  • You can either use one of the predefined monitor pack rules or create your own if no predefined rule is available.
  • Select the plus sign to create a new rule
  • Give the rule a name "Process Monitoring"
  • Type: "Based on NT Event" from the drop down.
  • Select "New" to create the conditions of the rule.
  • Property: "Log File"
  • Condition: "Is"
  • Value: "System"
    • The value is "System" because the information comes from the System log file.
  • Select "New" again to add another condition to the rule.
  • Operator: "And" allows the previous condition to run with this condition.
  • Property: "Event ID"
  • Condition: "Matches Regular Expression"
  • Value: the Event IDs, written as a regular expression, e.g. (592|593|594|595).
  • Select "OK" to apply changes.
  • The rule configuration is now set and will monitor System log events according to the Event IDs specified.
  • You can also specify "Rule Repetition", where you specify how many times the rule has to trigger within a specified time frame before an event is logged and a notification is sent.
  • Select "Action" to specify what should happen after the event has been detected.
  • There are various action options to select
    • Create incident
    • Create an NT Event
    • Send E-Mail
    • Many more
  • In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected, because unexpected process activity poses a potential risk to the business.
  • Select "OK" to confirm the settings and then select "OK" again to save all changes to the rule.
Object Monitoring

Windows NT and Windows 2000 enable you to monitor accesses to specific objects: files and directories, registry keys, directory service objects, and kernel objects.

Monitorable Objects

Several kinds of objects can be audited. Each type of object has unique access types; that is, each kind of object is accessed in a way appropriate only to that kind of object. For example, while the "start" and "stop" accesses are appropriate to services, they don't make much sense when talking about files and directories.

Here are the most common auditable objects:

  • Files and directories. The most commonly audited objects are file and directory objects.
  • Registry keys. These are the second most commonly audited objects.
  • Services. Services in Windows NT and Windows 2000 are objects that can be secured and audited just like other objects.
  • Kernel objects. Kernel objects like mutexes and semaphores can be audited. The audits generated generally are of use to no one other than developers.
  • Directory service objects.
  • Printers.

Monitoring User Activity

Monitoring Logons

You can monitor logon activity in Windows NT and Windows 2000 in a very detailed way by enabling success and failure auditing of the "Logon" category activity in the system's Audit policy.

528 Successful Logon
529 Logon Failure: Reason: Unknown user name or bad password
530 Logon Failure: Reason: Account logon time restriction violation
531 Logon Failure: Reason: Account currently disabled
532 Logon Failure: Reason: The specified user account has expired
533 Logon Failure: Reason: User not allowed to logon at this computer
534 Logon Failure: Reason: The user has not been granted the requested logon type at this machine
535 Logon Failure: Reason: The specified account's password has expired
536 Logon Failure: Reason: The NetLogon component is not active
537 Logon Failure: Reason: An unexpected error occurred during logon
538 User Logoff
539 Logon Failure: Reason: Account locked out
540 Successful Network Logon

One of the most useful reasons to monitor logons is to capture account lockout events. Any reasonably secure site will have an account lockout policy, and every account lockout event will be useful either to the help desk for gathering statistics on how often users lock themselves out, or to your security team for watching for possible password-guessing attacks.

How to perform User Activity Monitoring with Altiris Monitor Solution

  • You can either use one of the predefined monitor pack rules or create your own if no predefined rule is available.
  • Select the plus sign to create a new rule
  • Give the rule a name "User Activity Monitoring"
  • Type: "Based on NT Event" from the drop down.
  • Select "New" to create the conditions of the rule.
  • Property: "Log File"
  • Condition: "Is"
  • Value: "Security"
    • The value is "Security" because the information comes from the Security log file.
  • Select "New" again to add another condition to the rule.
  • Operator: "And" allows the previous condition to run with this condition.
  • Property: "Event ID"
  • Condition: "Matches Regular Expression"
  • Value: the Event IDs, written as a regular expression, e.g. (528|529|530|531).
  • Select "OK" to apply changes.
  • The rule configuration is now set and will monitor Security log events according to the Event IDs specified.
  • You can also specify "Rule Repetition", where you specify how many times the rule has to trigger within a specified time frame before an event is logged and a notification is sent.
  • Select "Action" to specify what should happen after the event has been detected.
  • There are various action options to select
    • Create incident
    • Create an NT Event
    • Send E-Mail
    • Many more
  • In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected, because repeated logon failures or lockouts pose a potential risk to the business.
  • Select "OK" to confirm the settings and then select "OK" again to save all changes to the rule.
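To make the rule semantics used in all three procedures concrete (Log File "Is" a given log AND Event ID "Matches Regular Expression", with optional Rule Repetition before an action fires), here is an added Python model of the crash, process and logon rules. It is not Altiris code: the class and function names are my own, and the event records are constructed. The process-tracking and logon records are placed in the Security log, which is where Audit-policy events are written.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records (time, log file, event ID, message); not real captures.
SAMPLE_EVENTS = [
    ("2009-05-12 12:40:00", "System", 1001, "The computer has rebooted from a bugcheck."),
    ("2009-05-12 12:41:10", "Security", 592, "A new process has been created"),
    ("2009-05-12 12:41:15", "Security", 529, "Logon Failure: Unknown user name or bad password"),
    ("2009-05-12 12:41:20", "Security", 529, "Logon Failure: Unknown user name or bad password"),
    ("2009-05-12 12:41:30", "Security", 539, "Logon Failure: Account locked out"),
    ("2009-05-12 12:43:00", "Security", 528, "Successful Logon"),
    ("2009-05-12 12:55:00", "Security", 529, "Logon Failure: Unknown user name or bad password"),
]


class NTEventRule:
    """One 'Based on NT Event' rule: Log File 'Is' <log_file> AND Event ID
    'Matches Regular Expression' <id_pattern>, with optional Rule Repetition
    (fire only once `count` matches have occurred within `window`)."""

    def __init__(self, name, log_file, id_pattern, count=1, window=timedelta(minutes=10)):
        self.name = name
        self.log_file = log_file
        # fullmatch anchors the pattern, so "(528|529)" cannot also match "5290".
        self.id_regex = re.compile(id_pattern)
        self.count = count
        self.window = window
        self._hits = deque()  # timestamps of recent matches still inside the window

    def matches(self, event):
        _, log_file, event_id, _ = event
        return log_file == self.log_file and self.id_regex.fullmatch(str(event_id)) is not None

    def feed(self, event):
        """Return the action to take when the rule fires on this event, else None."""
        if not self.matches(event):
            return None
        ts = datetime.strptime(event[0], "%Y-%m-%d %H:%M:%S")
        self._hits.append(ts)
        while ts - self._hits[0] > self.window:  # drop matches older than the window
            self._hits.popleft()
        if len(self._hits) < self.count:
            return None
        self._hits.clear()  # threshold reached: notify and start a fresh count
        return {"rule": self.name, "action": "Send E-Mail", "event_id": event[2], "time": event[0]}


def run_rules(rules, events):
    """Feed every event to every rule, in order; return the actions that fired."""
    actions = []
    for event in events:
        for rule in rules:
            action = rule.feed(event)
            if action is not None:
                actions.append(action)
    return actions
```

With the logon rule set to fire after three matches in ten minutes, the sample fires once for the crash, once for the process creation, and once when the lockout (539) completes the third logon match; the lone 529 at 12:55 falls outside the window and stays silent.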