
Monitoring Non Logging Assets/Servers-Part 2

Created: 26 Feb 2013 • Updated: 15 Mar 2013 | 1 comment
Posted by Subhani

In Part 1 we discussed the use of the System State Monitor. Now we will look at another option that gives you quick feedback whenever one of your critical servers stops sending logs. For this article we will take Active Directory as the example. To track all of your Windows 2008 servers, and especially the domain controllers, here is what you do.

From System | Product Configuration, go to Microsoft Windows Vista (R) Event Collector and create a new configuration. (This article assumes that you know how to configure sensor settings for a Windows 2008 server. If not, look up the relevant forum posts first.)

Add the Windows servers one by one. It is preferable to use one SSIM Agent and collect events remotely from all of your servers. If you have a large number of servers, you can divide the load between several SSIM Agents.

The Sensor Name on the right side is what appears in the SSIM field Collector Sensor. In the names used here, DC stands for Domain Controller and FS stands for File Server.

Now we need to make a query .

Go to Events | My Queries | Run Query Wizard

Click Next.

Pick a number based on how many servers you are covering; this is the number of servers the chart will show. If you have a large number of servers, say 100 plus, it is better to build this query for critical servers only, or for the top 20 servers.

Click Next and then Preview. Also give the query a proper name. If you tick Show legend, the chart will show each server name and the count of events it sent in the last 30 minutes.

Click Next to finish. Now open this query on your Dashboard and configure the Dashboard to auto-refresh every 30 minutes. Every 30 minutes the chart is refreshed, and you will immediately see if one of your critical servers has disappeared from the list.

From personal experience, file servers and domain controllers are very noisy and send a large number of events, so if any of them stops sending logs you can easily spot it on the chart.

Comments (1)

Milan_T:

If you have off-box servers to capture Windows logs, you can also check by scheduling a report for no logs.

Just create a query and make it unique by collection device IP; select only the column collection device host.

Go to the Report tab and schedule the report on a daily basis at a specific time, and send notifications to an email address.

That configuration will send you the list of hostnames which have sent logs.

Now compare it with your existing server hostnames with VLOOKUP.

=IF(ISNA(VLOOKUP(C2,$D$2:$D$1131,1,FALSE)),"no Log","OK")

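The logic behind both approaches, the article's 30-minute dashboard chart and the daily report-versus-inventory comparison in the comment above, as an added Python example (not SSIM code, and not the author's or the commenter's own): count events per collector host inside a trailing window and report every expected host that falls below a minimum count. The server names, timestamps and event records are constructed for illustration; in practice the input would be the host column of an SSIM query or scheduled report. The min_events threshold is an addition beyond the page's "did it send anything" check, so that a noisy source that has degraded to a trickle is also flagged.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed inventory of critical servers (the "expected" list). Names are
# assumptions, patterned on the DC/FS sensor naming in the article.
CRITICAL_SERVERS = ["DC01", "DC02", "FS01", "FS02", "FS03"]

# Reference time for the constructed sample; a live check would use now().
NOW = datetime(2013, 3, 15, 12, 0, 0)

# Constructed sample of collected events: (event time, collector host).
SAMPLE_EVENTS = [
    (NOW - timedelta(minutes=3), "DC01"),
    (NOW - timedelta(minutes=7), "DC01"),
    (NOW - timedelta(minutes=9), "DC02"),
    (NOW - timedelta(minutes=12), "FS01"),
    (NOW - timedelta(minutes=25), "FS01"),
    (NOW - timedelta(minutes=45), "FS02"),   # last seen 45 minutes ago
    (NOW - timedelta(hours=5), "FS02"),
    # FS03 has sent nothing all day
    (NOW - timedelta(minutes=1), "WEB07"),   # not a critical server, ignored
]


def events_per_host(events, window_minutes, now=NOW):
    """Count events per collector host in the trailing window.

    This is the chart legend from the article: each host and the number of
    events it sent in the last `window_minutes` minutes.
    """
    start = now - timedelta(minutes=window_minutes)
    return dict(Counter(host for ts, host in events if start <= ts <= now))


def silent_hosts(events, expected, window_minutes, min_events=1, now=NOW):
    """Expected hosts whose count in the window is below `min_events`, sorted.

    With min_events=1 this is exactly the server that 'disappears from the
    chart'. A higher threshold catches a noisy source that has dropped to a
    trickle rather than stopped outright.
    """
    counts = events_per_host(events, window_minutes, now)
    return sorted(h for h in expected if counts.get(h, 0) < min_events)


def logging_status(events, expected, window_minutes, now=NOW):
    """Per-host verdict over a window, the equivalent of the comment's
    IF(ISNA(VLOOKUP(...)),"no Log","OK") check against a daily report."""
    missing = set(silent_hosts(events, expected, window_minutes, now=now))
    return {h: ("no Log" if h in missing else "OK") for h in expected}


if __name__ == "__main__":
    for label, minutes in (("last 30 minutes", 30), ("last 24 hours", 24 * 60)):
        print(f"{label}: {events_per_host(SAMPLE_EVENTS, minutes)}")
        print(f"  silent: {silent_hosts(SAMPLE_EVENTS, CRITICAL_SERVERS, minutes)}")
    print(logging_status(SAMPLE_EVENTS, CRITICAL_SERVERS, 24 * 60))
```

Over the 30-minute window the sample flags FS02 and FS03; over 24 hours only FS03, which is the difference between the two approaches on the page: the short window suits noisy sources such as domain controllers and file servers but will raise false alarms for a host that legitimately sends nothing in half an hour, while the daily report can take up to a day to notice an outage. Pick the window per host class, and keep the expected list in version control so the comparison does not silently drift as servers are added.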