SCOM 2012: Create Alert / Monitor Based on Windows event (Administrator login alert)

Today, a customer asked us how they could know when the Administrator account logs in via Terminal Server on a Windows Server in their domain. The answer is SCOM, using its event-based alerting.

When a user logs on to Windows Server 2008 or later and auditing is enabled, an event with ID 4624 is written to the machine's Security log. So the first step in creating the alert/monitor is to enable auditing.

You have to add a new Group Policy with auditing enabled, linked to the OU of the computers you want to monitor. In this image, the settings you need are highlighted.

https://images-blogger-opensocial.googleusercontent.com/gadgets/proxy?url=http%3A%2F%2F2.bp.blogspot.com%2F-ek8MBQhTsoY%2FUxn2-BcCicI%2FAAAAAAAAHNU%2FsnUHhFYRmfU%2Fs1600%2Faudit_policy.png&container=blogger&gadget=a&rewriteMime=image%2F*
 

As always, you can force the policy update with gpupdate /force. If you have any doubt about what the options mean, here is a good explanation of the differences between Audit Logon Events and Audit Account Logon Events.

Now, when a user logs on to the system, event 4624 is written to the local machine's event log, as you can see in the following image.

https://images-blogger-opensocial.googleusercontent.com/gadgets/proxy?url=http%3A%2F%2F3.bp.blogspot.com%2F-UG_5nxWmxOk%2FUxn9xdoZD3I%2FAAAAAAAAHNk%2F000jFphgQpA%2Fs1600%2FEvent4624.png&container=blogger&gadget=a&rewriteMime=image%2F*
 

With this data you can build the event monitor. As you know, you start in the Authoring pane of the main SCOM console, under Management Pack Objects, Monitors.

The following images show how to set up the monitor step by step.

https://images-blogger-opensocial.googleusercontent.com/gadgets/proxy?url=http%3A%2F%2F3.bp.blogspot.com%2F-kCNe243vXR0%2FUxoAfEho6kI%2FAAAAAAAAHNw%2Folu9lrwCWTo%2Fs1600%2FMonitor1.png&container=blogger&gadget=a&rewriteMime=image%2F*
 

https://images-blogger-opensocial.googleusercontent.com/gadgets/proxy?url=http%3A%2F%2F4.bp.blogspot.com%2F-ayFoVJBCmOI%2FUxoAfOCrtrI%2FAAAAAAAAHN0%2FYYtKluNdwuM%2Fs1600%2FMonitor2.png&container=blogger&gadget=a&rewriteMime=image%2F*
 

https://images-blogger-opensocial.googleusercontent.com/gadgets/proxy?url=http%3A%2F%2F4.bp.blogspot.com%2F-YUzlemGwFIE%2FUxoAfc6cPoI%2FAAAAAAAAHN4%2FmmKrj56AgR4%2Fs1600%2FMonitor3.png&container=blogger&gadget=a&rewriteMime=image%2F*
 

https://images-blogger-opensocial.googleusercontent.com/gadgets/proxy?url=http%3A%2F%2F2.bp.blogspot.com%2F-iKkU1vV1aJM%2FUxoAf5trgpI%2FAAAAAAAAHOM%2FF3zdOaMm6iI%2Fs1600%2FMonitor4.png&container=blogger&gadget=a&rewriteMime=image%2F*
 

https://images-blogger-opensocial.googleusercontent.com/gadgets/proxy?url=http%3A%2F%2F3.bp.blogspot.com%2F--Iyf5HvsglM%2FUxoAf8Dki9I%2FAAAAAAAAHOI%2FgztQIRFRuWI%2Fs1600%2FMonitor5.png&container=blogger&gadget=a&rewriteMime=image%2F*
 

The question here is: which parameter number do you use? It is easier than you might expect: just count, line by line, the fields that appear in the details of event 4624. For example:

SubjectUserSid S-1-5-18  <-- 1
SubjectUserName XXXXX  <-- 2
SubjectDomainName XXXX  <-- 3
SubjectLogonId 0x3e7  <-- 4
TargetUserSid S-1-5-21-XXXX  <-- 5
TargetUserName XXXXX  <-- 6
TargetDomainName XXX  <-- N
TargetLogonId XXXXX  <-- N+1
LogonType 10
LogonProcessName User32
AuthenticationPackageName Negotiate
WorkstationName XXXXXX
LogonGuid {XXXXXXXX}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x36f8
ProcessName C:\Windows\System32\winlogon.exe
IpAddress XXXXX
IpPort XXXXXX

There are alternatives to this. For example, you can use Log Parser to list the parameters with something like this:

Logparser.exe "select top 1 Strings AS Parameters FROM security where EventID=4624"
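Another way to get the numbers, and to check that the manual count above is right on the machine you are actually monitoring, is to read the EventData of a real 4624 event and number its fields in order. The PowerShell script below is an added example, not part of the original post or of SCOM itself; it assumes you run it in an elevated session on a Windows Server 2008 R2 or later machine where the audit policy from the first step is already applied, so the Security log contains at least one 4624 event.

```powershell
# Added example, not part of the original post: list the parameter numbers
# of a 4624 event so the SCOM monitor criteria reference the right field.
# Assumptions: elevated PowerShell on Windows Server 2008 R2 or later with
# logon auditing enabled, so the Security log holds at least one 4624 event.

# Newest 4624 event in the Security log
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
if ($null -eq $evt) {
    Write-Warning 'No 4624 events found; check that the audit policy is applied (gpupdate /force).'
    return
}

# The <Data Name="..."> nodes under <EventData> are, in document order, the
# same values SCOM exposes as Parameter 1..N (and Log Parser as Strings).
[xml]$xml = $evt.ToXml()
$data = $xml.Event.EventData.Data

$position = @{}           # field name -> 1-based parameter number
$n = 0
foreach ($d in $data) {
    $n++
    $name = $d.GetAttribute('Name')
    $position[$name] = $n
    '{0,2}  {1,-26} {2}' -f $n, $name, $d.InnerText
}

# Cross-check against the typed Properties collection: Properties[i-1]
# is Parameter i, so the two counts must agree.
if ($evt.Properties.Count -ne $data.Count) {
    Write-Warning 'Properties count differs from EventData count; re-check the numbering.'
}

# The two fields the post's monitor needs. LogonType 10 is RemoteInteractive,
# i.e. a Terminal Server / RDP logon.
"TargetUserName is Parameter $($position['TargetUserName'])"
"LogonType      is Parameter $($position['LogonType'])"
'Latest event: {0}\{1} via LogonType {2}' -f $evt.Properties[$position['TargetDomainName'] - 1].Value,
    $evt.Properties[$position['TargetUserName'] - 1].Value,
    $evt.Properties[$position['LogonType'] - 1].Value
```

Use the numbers it prints for TargetUserName and LogonType in the monitor's expression, so the alert fires only for the account and logon type you care about rather than for every logon. Run it on a machine of the same Windows version you will monitor: later Windows versions append further fields after IpPort, so the first twenty positions listed in the post stay the same but the total count does not.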

 

Finally, you need to know what all the fields in the event mean. You can check that here