Monitoring Non-Logging Assets/Servers - Part 2
In Part 1 we discussed the use of the System State Monitor. Now we will look at another option that gives you quick feedback whenever one of your critical servers stops sending logs. For this article we will take Active Directory as the example. To track all of your Windows 2008 Servers, and especially the Domain Controllers, here is what you do.
From System | Product Configuration, go to Microsoft Windows Vista (R) Event Collector and create a new Configuration. (This article assumes that you know how to configure sensor settings for a Windows 2008 Server. If not, look up the relevant forum posts first.)
Add the Windows Servers one by one. It is preferable to use one SSIM Agent and collect events remotely from all of your servers. If you have a large number of servers, you can divide the load between several SSIM Agents.
The Sensor Name on the right side appears under the SSIM field Collector Sensor. In the sensor names, DC stands for Domain Controller and FS stands for File Server.
Now we need to create a query.
Go to Events | My Queries | Run Query Wizard
Click Next.
Pick a number based on how many servers you are covering. If you have a large number of servers, say 100 plus, it is better to create this rule for critical servers only, or for the top 20 servers.
Click Next and then click Preview. Also give the query a proper name. If you use the Show legend option, the chart will show each server name and the count of events it sent in the last 30 minutes.
Click Next to finish. Now open this query on your Dashboard and configure the Dashboard to auto-refresh every 30 minutes. Every 30 minutes the chart will be refreshed, and you will immediately know if one of your critical servers disappears from the list.
Based on personal experience, file servers and Domain Controllers are very noisy and send a large number of events, so if any of them stops sending logs you can easily spot it in the chart.
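The same check the dashboard chart performs, written out as an added Python example (not SSIM code and not from the original post): count events per collector sensor inside the last 30 minutes, build the Top-N legend, and flag any critical sensor with zero events in the window. The feed format, sensor names, critical-server list and "current" time are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample feed (hypothetical "<ISO timestamp> <collector sensor>" lines,
# not real SSIM output). DC02's last event falls outside the 30-minute window.
SAMPLE_FEED = """\
2024-01-15T08:55:00 DC02
2024-01-15T09:05:00 DC01
2024-01-15T09:07:30 FS01
2024-01-15T09:12:10 DC01
2024-01-15T09:25:00 WS01
2024-01-15T09:28:15 FS01
"""

# Constructed critical-server list and "current" time for the example run.
CRITICAL_SENSORS = {"DC01", "DC02", "FS01"}
NOW = datetime(2024, 1, 15, 9, 30, 0)
WINDOW = timedelta(minutes=30)   # matches the dashboard refresh interval

def parse_feed(text):
    """Turn feed lines into (timestamp, sensor) pairs, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, sensor = line.split(maxsplit=1)
        events.append((datetime.fromisoformat(stamp), sensor.strip()))
    return events

def count_recent(events, now, window=WINDOW):
    """Per-sensor event counts inside (now - window, now], like the chart legend."""
    cutoff = now - window
    return Counter(sensor for stamp, sensor in events if cutoff < stamp <= now)

def legend(counts, top_n):
    """Top-N sensors by count, highest first, sensor name as tie-breaker."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]

def silent_critical(counts, critical=CRITICAL_SENSORS):
    """Critical sensors with zero events in the window, whether or not they made Top-N."""
    return sorted(s for s in critical if counts.get(s, 0) == 0)

if __name__ == "__main__":
    counts = count_recent(parse_feed(SAMPLE_FEED), NOW)
    for sensor, n in legend(counts, top_n=20):
        print(f"{sensor}: {n} events in last 30 minutes")
    for sensor in silent_critical(counts):
        print(f"ALERT: critical server {sensor} sent no events in last 30 minutes")
```

Checking the critical list explicitly, rather than only watching the Top-N chart, also catches a quiet critical server that never ranks high enough to appear in the legend.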