September 2007 - Posts

Using System Center Essentials 2007 to Monitor for a Specific Event on a Managed Windows Computer

If you have been to one of the TS2 events this quarter, you experienced some of the power of System Center Essentials 2007.  I want to expand on that a bit and show how to configure the SCE2007 console so that when a client on the network logs a specific error in Event Viewer, it is reported to the SCE2007 server as an alert.  I cannot count the number of times the SBS support team has taken a call where something totally weird was happening.  After digging around a bit, it is discovered that the problem computer has been logging disk errors in Event Viewer for quite some time.  How awesome would it be to walk into a client's site proactively and replace a failing disk on a workstation before it causes a work stoppage (or revenue stoppage)?  How about having SCE2007 report on specific events in Event Viewer's Security Log (failed logon attempts)?  What about the Event Viewer's System Log entry "The previous system shutdown was unexpected" on the workstation where files seem to be mysteriously corrupted (someone is hitting the power button on the front of the computer rather than shutting down gracefully!)?  In this example, we are going to have SCE2007 log an alert when the following event occurs on a managed "Windows Computer":

Event Type:    Information
Event Source:    SceCli
Event Category:    None
Event ID:    1704
Date:        9/19/2007
Time:        4:56:41 PM
User:        N/A
Computer:    SERVER
Description:
Security policy in the Group policy objects has been applied successfully.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The reason I chose this event is that I can replicate it with a "gpupdate /force" command.


Here's how (taken from this TechNet article):

  • Launch the SCE2007 console
  • Click on the Authoring button at the bottom left hand side of the screen


  • After the Authoring screen comes up, expand Management Pack Objects and then click on Rules
  • Right click on Rules and choose "Create a new rule...".  This starts the "Create Rule Wizard"
  • Expand Alert Generating Rules, then expand Event Based, then click to highlight NT Event Log (Alert)
  • Under Management Pack at the bottom of the screen, click New.  This starts the "Create a Management Pack Wizard"
  • Give it a name.  In my example, I named it "Custom Event Capture Management Pack" and click Next
  • Leave the Knowledge Article area blank and click Create
  • Once the new Management Pack has been created, it should be selected in the dropdown "Select destination management pack".  Make sure the newly created Management Pack is selected and click Next
  • In the rule name, provide an intuitive name (so you can find it again if needed).  In my example, I used "Group Policy Successfully Processed".
  • On this same screen, click Select for Rule Target.  Since we want this to apply to every Windows Computer in the domain, scroll down and highlight Windows Computer and click OK then click Next
  • On the Event Log Name screen, the wizard asks for the Event Log where the event will be logged (System, Application, Security, etc).  I know the SceCli event we are looking for is in the Application Log.  Select the appropriate log name for your alert and click Next.
  • Here is where it can get really complicated.  I like simple so I am going to keep it that way.  All we have to provide here is the Event Source and Event ID.  In my case, the Event ID is 1704 and the Event Source is SceCli.  Type in the appropriate Event ID and Event Source and click Next
  • On the Configure Alerts screen, the wizard asks how SCE2007 should display these events (alert priority and severity).  For my example, I left them at the defaults of Medium and Critical.
  • Click Create

That's it!  It may take a few minutes for the changes to replicate through SCE2007 and for the alerts to show up in the SCE2007 console.  In my testing (3 client network), once the changes kicked in, there was less than a minute delay between the event being logged on the client and the alert showing up in the SCE2007 console.
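Before typing values into the wizard it is worth confirming, on the managed computers themselves, that the event really lands in the log you expect with the Source and ID you plan to enter, and then reproducing it the same way the post does.  The following PowerShell script is an added example and is not part of the original post or of SCE2007; the parameter names, the 30-day look-back and the 60-second wait are assumptions, and checking remote computers requires remote event log (RPC) access.

```powershell
# Added example (not the post's or the product's code): confirm the Log/Source/ID
# that the NT Event Log (Alert) rule will filter on, then reproduce the event
# with "gpupdate /force" and watch for the new Application-log entry.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # managed Windows Computers (assumed list)
    [string]$LogName  = 'Application',               # log chosen on the Event Log Name page
    [string]$Source   = 'SceCli',                    # Event Source entered in the wizard
    [int]$EventId     = 1704,                        # Event ID entered in the wizard
    [int]$WaitSeconds = 60                           # assumed wait for the new entry
)

function Get-RuleEvents {
    # Return entries matching exactly what the rule matches: log, source, event ID.
    # EventID is compared explicitly because InstanceId can carry extra
    # severity/facility bits and would not always equal 1704.
    param([string]$Computer, [datetime]$After)
    Get-EventLog -ComputerName $Computer -LogName $LogName -Source $Source `
                 -After $After -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq $EventId } |
        Select-Object MachineName, TimeGenerated, EntryType, EventID, Source
}

# 1. Show the most recent matching entry per computer, so the rule target
#    ("Windows Computer") and the Source/ID are confirmed before building the rule.
foreach ($c in $ComputerName) {
    $last = Get-RuleEvents -Computer $c -After (Get-Date).AddDays(-30) |
            Sort-Object TimeGenerated -Descending | Select-Object -First 1
    if ($last) { $last | Format-List }
    else { Write-Warning "$c logged no $Source $EventId events in the last 30 days" }
}

# 2. Reproduce the event locally the way the post does and poll the log until the
#    new entry appears or the wait expires (SceCli writes it after policy is applied).
$since = Get-Date
gpupdate /force | Out-Null
$deadline = $since.AddSeconds($WaitSeconds)
do {
    Start-Sleep -Seconds 5
    $fresh = @(Get-RuleEvents -Computer $env:COMPUTERNAME -After $since)
} until ($fresh.Count -gt 0 -or (Get-Date) -gt $deadline)

if ($fresh.Count -gt 0) {
    Write-Host "New $Source $EventId entry at $($fresh[0].TimeGenerated); now watch for the SCE2007 alert."
} else {
    Write-Warning "No new $Source $EventId entry within $WaitSeconds seconds; check gpupdate output and the log name."
}
```

The time between the entry appearing here and the alert appearing in the console is the SCE2007 delay the post measures, so running this after the rule is created gives a repeatable way to check it.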

Posted by petergal with 1 comment(s)