1
2
3	Agenda Introduction to MOM MOM Rules Processing rules Processing rule groups Notification groups Computer groups Computer attributes Rules Search Scripting
4	Operations Management Market
5	Introduction To MOM Microsoft Operations Manager 2000 is the new enterprise operations management product from Microsoft Rules based event management and applications management solution Out-of-the-box knowledge Immediate ROI Performs Event Management, Problem Management, Capacity Planning, Security Management and Performance Management To manage Windows^® OS, Networks, Hardware and Microsoft applications like - Exchange, Active Directory^™, SQL Server^™, IIS and many more
6	Processing Rule Group
7	Management Pack = Distribution Vehicle
8	Distributed Knowledge
9	Processing Rule Types Event Processing Rules Performance Processing Rules
10	Event Processing Rule Types Event processing rules Collection rules Filtering rules Event rules Missing event rules Consolidation rules
11	Collection Rules Determine which events and event parameters to store in the database Do not generate alerts or responses By default the following parameters are collected (Agent, Category, Computer, Description, Event Number, Event Type, First Time, Last Time, Logging Domain, Message DLL, Message DLL file version, Provider Name, Provider Type, Repeat Count, Source Domain, Source Name, Start Time, User time)
12	Filtering Rules Specify which events are blocked at source or not stored in the Database There are three types of filtering rules Pre-filter The event is filtered out and blocked from other processing rules Database Filter The event continues to be processed by other processing rules but not saved in the DB Conditional Filter The event continues to be processed by other processing rules but only saved in the DB if another processing rule match occurs
13	Event Rules Generate Alerts and/or Responses triggered by an event Event and Alert stored in DB Unless there is a filter for the event Special case of event rules: timed rules
14	Missing Event Rules Detect if an event does not happen Can respond as event rules
15	Consolidation Rules Group multiple events into a summary event Useful to prevent event storms Do not generate alerts or define responses It does generate a consolidated event which can be alerted on or responded to with another event rule
16	"Event processing rules" Event processing rules Filtering rules (pre-filter) Collection rules Missing event rules Consolidation rules Event rules Filtering rules (DB and Conditional)
17	Perf. Processing Rules Measuring rules Data collected from Perfmon Counters or WMI Stored in Database Used for graphs and reports Threshold rules Data evaluated via Perfmon Counters or WMI Trigger Alerts/Responses when: A sampled value exceeds a threshold The average of N samples exceeds a threshold The change over N samples exceeds a threshold Stores performance data in the database like sampled data
18	Alert Processing Rules Specify a response to alert(s) that match a defined criteria Associate one response with many Alerts
19	"Types of responses" Types of responses: Alerts Notification groups E-mail, page, command Command (batch file) Script SNMP trap Update state variable Run on agent or consolidator Multiple responses to the same event are allowed
20	New/Updated Rule Process
21	Processing Rule Groups Logical collection of processing rules Event processing rules Performance processing rules Alert processing rules Knowledge Base Provides info for each Processing Rule Group Purpose Features Configuration Associated with Computer Group(s)
22	Computer Groups Sets of computers logically grouped By domain and name matches By type of computer By attribute formula Can contain other computer groups Populated during Agent Manager scan Associated to Processing Rule Group(s)
23	Rules Search Rules are searchable: By Processing Rule Group By type By name By last modified date and user Depending on rule type also: By script launched By notification group By provider name and type Etc., etc.
24	Processing Rules
25	MOM Scripting
26	General Scripting Features Microsoft ActiveScript scripting engine (Visual Basic Scripting Edition, JScript) State variables Scripting on Agent or Consolidator MOM Automation COM objects Parameters passing
27	Script Types Response scripts Respond to an event, an alert or a performance threshold Synchronous Event correlation Timed Scripts Following a time event
28	State Variables Available on: One state machine on each agent One state machine on each consolidator State variables can be modified by processing rules (as a response)… …And scripts through the State varset MyStateVariable = State.Get(“NameOfVariable") Not available directly from batch files
29	Intrinsic MOM Objects ScriptContext Alert Event PerfData ScriptState State
30	The ScriptContext Object Allows to: Access parameters passed by the rule … Myparameters = ScriptContext.Parameters Myvariable = Myparameters.Get("Myvariable“) … Access the alert that triggered the script … If ScriptContext.IsAlert then Dim MYalert Set MYalert = ScriptContext.Alert End If … Access the event that triggered the script Access the perfdata that triggered the script
31	The ScriptContext Object Create alert … Dim MYalert Set MYalert = ScriptContext.CreateAlert MYalert.description = "This is a test alert description.“ Myalert.AlertLevel = 60 ScriptContext.Submit(MYalert) … Create event Create perfdata Access the ScriptState object … Dim Myscriptstate Set MYscriptstate = ScriptContext.GetScriptState …
32	MOM Helper Objects ActiveDirectory EventLog Inet MailboxAnalyzer MTALogAnalyzer PagerJobQueue
33	Script Parameters Contained in a varset object accessible through ScriptContext Add flexibility to scripts and reduce duplication Allow to trigger different functionality within the same script
34	Rules Versus Scripts Processing Rules Fast optimized code Can be limited No coding required Scripts Interpreted Require coding (VBScript, JScript) Allow for advanced troubleshooting and responses Fixed number can run synchronously
35	Scripting Challenges Tracing a script is difficult Scripts are put on hold if running more than five minutes Scripts can only do what the Agent’s credentials can do Response Handling (configurable) On Agent default is 5 simultaneous On Consolidator default is 20 Only one instance of one individual script can run at any one time
36
37	Demo Scenario A security administrator wants to monitor the number of servers in a domain where more than 3 unsuccessful logon attempts have been logged within a 30 second time span When the number of servers where such an occurrence is verified is greater than 10 in the space of an hour, the administrator wants to create a security breach alert
38	Computer Group Create a computer group containing all servers in the domain Associate the computer group with a new Processing Rule Group
39	Processing Rules
40	The “Engine”
41	Timer Rule Script Dim FailedLogons Dim SecurityAlert FailedLogons = State.Get("GlobalFailedLogons") if FailedLogons > 10 then ' Create an Alert Set SecurityAlert = ScriptContext.CreateAlert 'Set alert description and severity level SecurityAlert.description = "This is a possible distributed attempt to break into the network." SecurityAlert.AlertLevel = 60 ScriptContext.Submit(SecurityAlert) 'Reset state variable to zero State.Put "GlobalFailedLogons", 0 ScriptContext.GetScriptState.SaveSet "GlobalFailedLogons", State else 'Reset state variable to zero State.Put "GlobalFailedLogons", 0 ScriptContext.GetScriptState.SaveSet "GlobalFailedLogons", State end if
42	Questions
43