Discussion:
SCOM event descriptions with OR
v***@gmail.com
17 years ago
Hi all,
I'm using SCOM 2007 to detect when people have been added to
specified groups, such as domain admins, account operators etc.

I have created an alert rule and specified event ID 632 and would like
to have the alert triggered when the event ID is 632 AND one of the
following is in the event description: domain admins, account
operators etc.

When trying to enter this rule, SCOM removes all my subsequent OR's
that I put in.

The formula window seems to show AND's no matter what I do... and, to
my dismay, you cannot edit the formula in there.

Any ideas on how to do this would be much appreciated.
Alexandre Coelho [MSFT]
17 years ago
I'm assuming you are trying this on the Expression Filter formula editor on
the UI. I would need to fully understand the steps you are taking while
trying this. I believe your expression should look like this:

AND
    EventId Equals 632
    OR
        EventDescription ContainsSubstring "domain admin"
        EventDescription ContainsSubstring "account operator"
        EventDescription ContainsSubstring "any other account"

When you mentioned that your OR's are being removed, you mean the one OR
row? Or the contained rows for event description?
--
Alexandre Coelho
------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
v***@gmail.com
17 years ago
Hi Alexandre,
Yes, what you have put in your reply is what I'm trying to
achieve.

With the OR's being removed, the OR row is being removed when clicking
on OK (i.e. it is not there when I re-open that screen). Therefore, when
looking in the formula area, there are only AND's between all
expressions, which doesn't get the desired result.

More than happy to provide a screenshot(s) if that would help (but
I would need to email them).
Alexandre Coelho [MSFT]
17 years ago
What version of SCOM 2007 are you using?

I've just tried this on our latest SP1 and it seems to work for me (I was
able to save, then edit and see the changes are there).
--
Alexandre Coelho
v***@gmail.com
17 years ago
I'm running RTM; I didn't think SP1 was RTM as yet for SCOM?

My OCS is federated with MS, so if you don't mind mailing your alias,
perhaps we could have a quick chat via Communicator?
@discussions.microsoft.com>
17 years ago
I would like to seek help with a very similar issue. I am running 2007 SP1. I
am trying to alert when the password does not expire flag is set in AD. This
is Event ID 642 and looks like this in the event log:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 4/8/2008
Time: 7:34:35 AM
User: domain\user
Computer: DC
Description:
User Account Changed:
Target Account Name: user
Target Domain: domain
Target Account ID: domain\user
Caller User Name: user
Caller Domain: domain
Caller Logon ID: (0x6,0xDB79E959)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x210
User Account Control: %%2057
'Don't Expire Password' - Enabled
User Parameters: -
Sid History: -
Logon Hours:

I am trying in the UI to set parameter name to description > contains >
'Don't Expire Password' - Enabled

However, I cannot get it to work. It works on our 2005 MOM server but not the
2007. I cannot get anything to work using a description. Can anyone help? I
also don't have "containssubstring" as an option for operator to use.
Mike Eisenstein
17 years ago
Not sure this will solve your problem, but I don't trust single-quotes in a
string compare.

You could use
EventDescription MatchesRegularExpression ^.*Don.t Expire Password. - Enabled.*$
awcorri@gmail.com
17 years ago
Thanks for the help Mike, but no dice. I also tried creating it as a monitor
and still nothing. I really need to get this working. I even found a
document on how to do this, followed it verbatim and still nothing. Nothing
in the active alerts and no notifications.
awcorri@gmail.com
17 years ago
I figured it out. I took away the description and just alerted on event ID
642. I found that the only thing coming into MOM was %%2057 and %%2089.
%%2089 is the parameter for the attribute being turned on. So I scoped the
description down to contain 2089 and it's now working. Thanks for the help. I
also didn't realize it had to be EventDescription all one word. That helped
also.
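The finding in the last post, as an added example that is not part of the thread: a Python sketch (not SCOM or MOM code) that runs three checks for event 642 over constructed descriptions and shows the rendered-text match missing the unrendered form. The 0x200 bit is read off the sample event's 0x10 to 0x210 change, and the sample strings and function names are assumptions.

```python
import re

EVENT_ID = 642
# In the thread's sample the UAC value goes 0x10 -> 0x210 as the flag is enabled,
# so 0x200 is taken here (assumption) as the "Don't Expire Password" bit.
DONT_EXPIRE_BIT = 0x200

# Constructed samples modelled on the event text quoted in the thread.
RENDERED = ("User Account Changed:\nTarget Account Name: user\n"
            "Old UAC Value: 0x10\nNew UAC Value: 0x210\n"
            "User Account Control: %%2057\n'Don't Expire Password' - Enabled\n")
TOKENS_ONLY = "%%2057\n%%2089\n"   # unrendered form reported in the last post
UNRELATED = "User Account Changed:\nOld UAC Value: 0x10\nNew UAC Value: 0x11\n"
NO_CHANGE = "User Account Changed:\nOld UAC Value: -\nNew UAC Value: -\n"


def uac_values(description):
    """Return (old, new) UAC values as ints, or None when either is absent."""
    found = []
    for label in ("Old", "New"):
        m = re.search(label + r" UAC Value:\s*0x([0-9A-Fa-f]+)", description)
        if m is None:
            return None
        found.append(int(m.group(1), 16))
    return tuple(found)


def matchers_hit(event_id, description):
    """List which of the three checks fire for one event."""
    if event_id != EVENT_ID:
        return []
    hits = []
    if re.search(r"Don.t Expire Password. - Enabled", description):
        hits.append("text")       # needs the rendered description
    if "%%2089" in description:
        hits.append("token")      # the unrendered parameter the thread settled on
    values = uac_values(description)
    if values and not values[0] & DONT_EXPIRE_BIT and values[1] & DONT_EXPIRE_BIT:
        hits.append("uac_bit")    # flag newly set, independent of rendering
    return hits


if __name__ == "__main__":
    for name in ("RENDERED", "TOKENS_ONLY", "UNRELATED", "NO_CHANGE"):
        print(name, matchers_hit(EVENT_ID, globals()[name]))
```

A rule keyed only on the rendered text fires on the first sample and misses the second, which is the behaviour the thread ran into.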