SCOM 2012 collect Windows Audit logs and forward them to a Linux Syslog server

Hello:
1. We have a SCOM 2012 server.
2. We have SNARE agents for PCI systems, but now we want to save money by gathering all events for all Windows servers using its native features.
3. We also have a centralized Linux server running SYSLOG which aggregates the logs to our Dell LogVault retention appliance (for PCI purposes)
Thus, my question:
In an effort to remove the SNARE agents from the Windows servers, can we implement Audit Collection Services (ACS) in the Windows environment so that they collect/forward audit/event logs to the SCOM 2012 server, and then SCOM forwards the events to the centralized syslog Linux server? In which case they are aggregated to the Dell appliance.
We prefer to use the Linux syslog as the centralized log server but would like to know how to go about implementing the solution above.
Many thanks,
Robert Perez-Corona

Hi,
Here is a thread about how to make SCOM 2012 work as a syslog server, hope this can be helpful for you:
https://social.technet.microsoft.com/Forums/en-US/524ea527-c069-40f9-96ef-026a4aa06fe9/make-scom-2012-a-syslog-server?forum=operationsmanagergeneral
Regards,
Yan Li

Similar Messages

  • SCOM 2012 R2 - Windows Server agents remain in pending management

    Hi,
    First I installed one SCOM 2012 R2 Ops Manager. On the same SCOM Ops Manager I added 3 Windows server agents to monitor, as below:
    one 2008 R2 AD server
    one Lync 2013 FE server
    one Exchange Server 2013
    Now, due to some technical issues, I later had to completely remove/uninstall the SCOM 2012 R2 setup. But I forgot to uninstall/remove the 3 agents first before uninstalling SCOM 2012 R2 Ops Manager :( However, I did a manual uninstall of the Microsoft Monitoring Agent setup from all 3 monitored agent servers.
    Now I have set up a new SCOM 2012 R2 Ops Manager once again. The FQDN of the new SCOM has changed, though the server is in the same domain as the old one. The problem I am facing is that I am not able to add those 3 agents back into the new SCOM Ops Manager. When I install the agent back onto those 3 servers (by agent discovery or manual setup), the servers remain in pending management. I used a PowerShell command to approve all 3, but even after approval the servers are not being monitored. The health status always shows "not monitored": a blank green circle.
    I think I didn't properly remove the old agent setup, and somehow those 3 agents are still bound to the old SCOM Ops Manager.
    Could you please help me with how I can remove the remaining components of the old agent setup from the Windows agent servers and monitor them with the new SCOM?
    BR,
    Ajit

    Ensure that the following registry keys are deleted:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService
    Reboot the agent machine (if possible)
    Delete the agent from Agent Managed in the OpsMgr console.
    Then try to discover and push the agent from the console; if that fails, install it manually and then approve it from Pending Management.
    Mai Ali
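    As an added example (not code from the reply above), a PowerShell function that reports the leftover agent state the reply lists and, only when asked, deletes the two registry keys; it refuses to delete while a HealthService service is still registered, since that means the agent MSI was never actually uninstalled. Everything about the service-name check and the `-Remove` switch is my assumption, not something the reply states.

```powershell
# Added example, not from the reply above: report the agent residue the reply says must be
# gone, and remove the two registry keys only when asked and only after the agent MSI is
# really uninstalled (no HealthService service registered any more).
function Clear-ScomAgentResidue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Remove)   # without -Remove the function only reports

    # The two keys named in the reply
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager',
        'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService'
    )

    # A registered HealthService service means the Microsoft Monitoring Agent is still
    # installed; deleting its service key underneath it would leave a broken install.
    $svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    $safeToRemove = $Remove -and (-not $svc)

    $report = @(foreach ($k in $keys) {
        $present = Test-Path -LiteralPath $k
        $action  = 'report only'
        if ($present -and $safeToRemove -and $PSCmdlet.ShouldProcess($k, 'Remove registry key')) {
            Remove-Item -LiteralPath $k -Recurse -Force
            $action = 'removed'
        } elseif ($present -and $Remove -and $svc) {
            $action = 'skipped: uninstall the agent first'
        }
        [pscustomobject]@{ Item = $k; Present = $present; Action = $action }
    })

    $svcAction = 'report only'
    if ($svc) { $svcAction = "registered, status $($svc.Status)" }
    $report += [pscustomobject]@{
        Item    = 'Service HealthService'
        Present = [bool]$svc
        Action  = $svcAction
    }
    $report
}

# Clear-ScomAgentResidue                  # report only
# Clear-ScomAgentResidue -Remove -WhatIf  # show what would be deleted
# Clear-ScomAgentResidue -Remove          # delete, then reboot and re-approve the agent
```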

  • How do I get the pictures folders in photoshop 7 out of My window XP computer and put them into my new computer windows 8 photoshop12

    How do I get the pictures folders in photoshop 7 out of My window XP computer and put them into my new computer windows 8 photoshop12

    I am so sorry for you and your situation. Were you using iCloud photostream?
    Otherwise I do not see any chance for your precious photos.
    Congrats anyway on the little darling!

  • If I were to purchase the Apple Remote Desktop with Unlimited licenses, would I be able to install the client software on each of their computers/laptops and have them remote desktop into the server?

    I have several friends and family who are looking for a central place to access information from ( Pictures, home movies etc ).  So I am considering setting up an OSX Lion Server.  There are some other things I can use it for as well.
    Here is my question:
    If I were to purchase the Apple Remote Desktop with Unlimited licenses, would I be able to install the client software on each of their computers/laptops and have them remote desktop into the server? Or would I have to install the Admin software on each? Do they intend it to be used strictly as one admin to access many clients?
    I always could set up a network drive so they can log in and just see the folders they have created with space on the server I provide them. But I want them to be able to log in and actually use it as a Remote Desktop.
    Thanks,
    Eric

    Dave,
    Thanks for the feedback. I understand that ARD is meant for Remote Administration, but I was not sure if it could be used for my purpose as well. The reason I was looking to do it this way was because I read several articles online about security and performance issues with setting up VNC and activating screen sharing. Unless I am misunderstood.
    As far as people's activities on the server, mostly it is going to be used as a place for them to store their media. I will only allow one person (who I trust and I know won't botch the server) to run applications. Everyone else will be restricted to uploading and downloading content to their designated account on the server as well as a community share on the server.
    I appreciate your help.
    Thanks,
    Eric

  • Operations Manager Failed to Access the Windows Event Log and management server is showing warning state

    Hi,
    I am monitoring an AD server from SCOM 2012 R2. My management server goes into a warning state. When I run Health Explorer it comes back to the healthy state, but after some time it goes into the warning state again. After looking at the alerts I found that one alert is coming again and again, i.e. "Operations Manager Failed to Access the Windows Event Log". The description of the alert is mentioned below:
    The Windows Event Log Provider is still unable to open the DhcpAdminEvents event log on computer 'nc2vws12ad5.corp.nathcorp.com'.
    The Provider has been unable to open the DhcpAdminEvents event log for 64080 seconds.
    Most recent error details: The RPC server is unavailable.
    Please suggest how to resolve this so that my management server comes back to the healthy state.
    Thanks
    Abhishek

    Hi Abhishek,
    As I mentioned earlier, the alert resolution says the same points.
    Can you give details on the below?
    Is there really a log named "DhcpAdminEvents" in the MS's Event Viewer?
    Did you recently configure any new alert where you mentioned "DhcpAdminEvents" as an event log location?
    If yes then what is the target you selected for the rule / monitor there ?
    Can you post the results for analysis ?
    Gautam.75801

  • Consistency Problem In Audit Logs and Datafile

    Hi,
    We have audit logs of a transaction in audit files, however we do not see any changes in the table that the transaction affects.
    We use point-in-time recovery and flashback feature to figure out the changes in the table . DML Audit Granularity is "ACCESS".
    The transaction is java application transaction and we use hibernate.
    How can this be possible? Thank you.

    Thanks for the reply,
    jgarry wrote:
    You've flashed or recovered back to a transaction in progress and the transaction was rolled back as part of recovery.
    We have duplicated the database (a version of the database from 2 months earlier) from backup. We use Flashback Version Query to figure out the changes in the audited table.
    Ex:
    SELECT STATE FROM X
    VERSIONS BETWEEN TIMESTAMP
    TO_TIMESTAMP ('07-09-12 05:15:30','dd-mm-yy hh24:mi:ss')
    AND TO_TIMESTAMP ('07-09-12 16:00:30','dd-mm-yy hh24:mi:ss')
    where ID=1
    We cannot find the update transaction from this query. The "STATE" column is always null. However, in the audit XML file we see the "UPDATE" SQL.
    jgarry wrote:
    Some code for a report or inquiry incorrectly does a select for update and doesn't actually update anything.
    There is no "select for update" statement.
    Thank you.

  • SCOM 2012 R2 Gateway installation error and no System Center Management server after install

    Hi,
    I have installed SCOM 2012 R2 Gateway and I got error 25372 at the start of the install. It still installs though. However, I have no System Center Management service running in Services, but I can see healthservice.exe is running.
    Why am I not seeing the system center management service?
    Thanks.

    Using gateways with certificates is always a bit complicated because there are several things that need to be configured correctly.
    DNS: The MS and the GW server need to be able to resolve each other's FQDN. You can adjust the hosts files if needed.
    Traffic is only TCP 5723 from the gateway to the MS. You can test this with the telnet client.
    Certificates:
    http://marthijnvanrheenen.wordpress.com/2012/03/28/scom-2012-connecting-a-gateway-server-using-certificates/
    The gateway server should NOT be in pending management. Remove it from here before running the approval.
    You should start by making sure DNS and the 5723 port are functioning because that is probably where the problem is.
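    As an added example (not code from the thread), a PowerShell pre-flight for the checks the reply lists: name resolution of the peer via the hosts file/DNS, TCP 5723 towards the MS, and a usable OpsMgr certificate in the local machine store. The placeholder FQDNs are mine, and the certificate criteria (private key present, subject CN equal to the host's FQDN, Server Authentication and Client Authentication EKUs) are my assumption about what OpsMgr gateway authentication expects, not something the thread states.

```powershell
# Added example, not from the thread. Run on the gateway with -Peer <MS FQDN> -CheckPort,
# and on the management server with -Peer <GW FQDN> (traffic is only GW -> MS on 5723).

function Test-ScomPeerName {
    param([Parameter(Mandatory)][string]$Peer)
    try {
        # GetHostAddresses honours the hosts file as well as DNS, matching the reply's advice
        $ips = [System.Net.Dns]::GetHostAddresses($Peer) | ForEach-Object { $_.IPAddressToString }
        [pscustomobject]@{ Check = "Resolve $Peer"; Ok = $true; Detail = ($ips -join ', ') }
    } catch {
        [pscustomobject]@{ Check = "Resolve $Peer"; Ok = $false; Detail = $_.Exception.Message }
    }
}

function Test-ScomPort {
    param([Parameter(Mandatory)][string]$Peer, [int]$Port = 5723)
    # Test-NetConnection stands in for the telnet client the reply mentions
    $r = Test-NetConnection -ComputerName $Peer -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "TCP $Peer`:$Port"; Ok = $r.TcpTestSucceeded; Detail = "RemoteAddress=$($r.RemoteAddress)" }
}

function Test-ScomOpsMgrCert {
    # Assumption: a usable OpsMgr certificate sits in LocalMachine\My, has a private key,
    # is not expired, has CN = this host's FQDN and carries both EKUs below.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $need = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')   # Server Auth, Client Auth
    $cnPattern = '(^|,\s*)CN=' + [regex]::Escape($fqdn) + '(,|$)'
    $good = @(foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
        if (-not $c.HasPrivateKey -or $c.NotAfter -le (Get-Date)) { continue }
        if ($c.Subject -notmatch $cnPattern) { continue }
        $ekus = @($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $missing = @($need | Where-Object { $ekus -notcontains $_ })
        if ($missing.Count -eq 0) { $c }
    })
    [pscustomobject]@{ Check = "Cert CN=$fqdn"; Ok = ($good.Count -gt 0); Detail = ($good.Thumbprint -join ', ') }
}

function Invoke-ScomGatewayPreflight {
    param(
        [Parameter(Mandatory)][string]$Peer,   # FQDN of the other side (placeholder values below)
        [switch]$CheckPort                     # only meaningful on the gateway side
    )
    $results = @(Test-ScomPeerName -Peer $Peer)
    if ($CheckPort) { $results += Test-ScomPort -Peer $Peer -Port 5723 }
    $results += Test-ScomOpsMgrCert
    $results
}

# On the gateway (placeholder FQDN):
# Invoke-ScomGatewayPreflight -Peer 'ms01.corp.example' -CheckPort | Format-Table -AutoSize
# On the management server (placeholder FQDN):
# Invoke-ScomGatewayPreflight -Peer 'gw01.dmz.example' | Format-Table -AutoSize
```

    Any row with Ok = False points at the layer the reply says to fix first (DNS and 5723 before the certificate); the pending-management state still has to be checked in the console.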

  • Firefox version: 3.6.8 Operating system: Windows XP - back and forward buttons disappear. Resetting customize toolbar to default doesn't solve the problem

    I've Firefox version 3.6.8, OS: Windows XP. The back and forward buttons disappear. Resetting the customize toolbar to default doesn't solve the problem.
    This happened: Every time Firefox opened
    Firefox was updated to ver 3.6.8

    In Firefox 3.6 and later on Windows you can hide the menu bar via "View > Toolbars" or via the right click context menu on a toolbar.
    Press F10 or press and hold the Alt key down to bring up the menu bar temporarily.
    Go to "View > Toolbars" or right-click the menu bar or press Alt+V T to select which toolbars to show or hide (click on an entry to toggle the state).
    See also [[Menu bar is missing]] and http://kb.mozillazine.org/Toolbar_customization

  • SAP Security audit log and Profile Parameter rsau/enable

    Does the profile parameter rsau/enable have to be "1" for the audit log to be active, or is this parameter set purely to allow the maintenance of static profiles? I have been reading SAP's documentation and they only refer to this parameter in the "Maintaining Static Profiles" section. Therefore I would like to know if the audit log can record when the parameter rsau/enable = "0"?
    Many thanks

    Hi
    I have it running on my NW2004s sneak peek system, with a dynamic filter and rsau/enable = 0. So yes, it's possible to record in the security audit log with rsau/enable = "0" if you're using the dynamic filters.
    Regards
    Morten Nielsen

  • How can I use my Mac G3 (OS 9.2.2) to make Windows disk images and compress them into Windows stuffed archives?

    I have a collection of old Windows diskettes, 800 K and 1.4 MB. I want to make disk images (or whatever is the Windows equivalent) and compress them into Windows stuffed archives. I want Windows users to be able to download them, expand the stuffed archives, extract the disk images, and use the software on old Windows computers. I need to do the work on a Power Macintosh beige G3 Tower using OS 9.2.2. What software can I get to do it?

    To Jan, Greetings
    Thank you for your message and for your suggestions.
    Is WinZip a Mac application that makes compressed files that can be opened on a Windows computer?  If so, then do you have any notion where I could find a version old enough to run on OS 9.2.2?
    I noticed that DropStuff 6.0, which I use on my G3 Tower, has an option to make compressed files that are self-extracting on Windows. Do you know if that works? I suppose that I could make such a file and then find somebody with a Windows computer to test it for me.
    Yes, I could (shudder) get an old Windows computer somewhere, learn to use it, and do the project that way. Do you know if the old versions of Windows include disk image programs and file compression programs? Or, would I need to buy some old software?
    Thank you for the information about the size of the diskettes.  As you've probably noticed, I don't know very much about Windows things.
    Sincerely,
    Frontiersman

  • How to recover bookmarks from a crashed Windows XP computer and putting them on another XP computer?

    My desktop crashed and was not repairable. The hard drive was moved to an external enclosure and is now drive e: How do I recover the bookmarks from the e: drive and move them to my laptop? Both computers are running Windows XP.

    See:
    *https://support.mozilla.org/kb/Recovering+important+data+from+an+old+profile
    *http://kb.mozillazine.org/Transferring_data_to_a_new_profile_-_Firefox
    Note that the "AppData" folder in Windows Vista and later (Windows 7+) and the "Application Data" folder in XP/Win2K are hidden folders.
    *http://kb.mozillazine.org/Show_hidden_files_and_folders
    *http://kb.mozillazine.org/Profile_folder_-_Firefox

  • Forwarding Events to a central syslog server.

    I need to find an easier way to forward all IDS events to a central Syslog server. I am doing it a cheesy way now by running a macro against the IEV database and extracting the results from the exported file. I used to be able to do this with the Unix Director. Is there an easy way to do this? Is there a raw event file that I could directly transfer from the IDS Sensor?

    The following document should give you a better idea,
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap4.htm#wp860304

  • SCOM 2012 R2 - Tasks not running and Discovery never finishes

    Hi all,
    I'm having some really weird issues with a new SCOM 2012 R2 install. The issue I first noticed was that none of the tasks on the right-hand side of the SCOM console that run on a monitored server will complete. The window opens and will just have the spinning green "I'm doing something" circle.
    Example: If I run the task "list processors" on the management server it just sits there like it is running but never returns the result.
    Frustrated, I rebuilt the management server and deleted the DBs. Same issue.
    Since these tasks are added with the MPs, I tried an older Windows Server Operating System MP just to see if the latest one had issues. Unfortunately I still have the same issue and it's driving me crazy.
    The second issue is that the Discovery Wizard is also just sitting there when using the advanced option to specify the server I want to push the agent to.
    I have tried specifying a domain admin account for both the task and the discovery.
    Checked that the SPNs for the management server and SDK account have been registered.
    I have checked that the SQL broker is enabled and SQL services are using domain accounts.
    This is the setup:
    SCOM 2012 R2 running on a VMware virtual machine with Server 2012 R2
    SQL Server 2012 SP1 with the Ops DB on one server and the DW on another
    Accounts:
    OM_MSAA - Domain Admin... Hopefully gets resolved in the future
    OM_DAS - Local Admin on the MS
    OM_DRA - Local Admin on the SQL Servers
    OM_DWWA - Local Admin on MS and SQL Servers
    This is an SOS as I have been given a very short deadline and these are the last issues I needed.
    I did install a DEV environment running SCOM 2012 R2 but on Server 2012 NON R2 and it works without any of the issues mentioned above.
    Thanks, Mike

    Thanks for the reply Stefan.
    The issue was with all tasks. It was running against the Server 2012 R2 management server, so I guess it was the Windows Server 2012 R2 Monitoring MP.
    I have found the issue. The OM_DAS "SDK Account" needed the SQL service account to have read permissions.
    On the OpsMgr DB server I was getting these errors:
    An exception occurred while enqueueing a message in the target queue. Error: 15404, State: 19. Could not obtain information about Windows NT group/user 'domain\OmSDK', error code 0x5.
    This article explains the fix: http://blogs.technet.com/b/lukaszr/archive/2012/10/24/discovery-never-stops-but-tried-everything.aspx
    Thanks again for replying
    Mike

  • MDT 2012 U1 - Windows 8 Pro and LTISuspend

    Hi guys,
    Part way through testing our deployment for Windows 8, and I'm looking at automating the image creation with MDT (as is the best practice). I'm trying to use LTISuspend in the task sequence to install a couple of apps that need special attention while we test.
    I was under the impression that LTISuspend would pause the task sequence indefinitely until the script is run again from the desktop; I am starting to find that this is not the case. What I need to do is pause, install an application, do several restarts and then continue with the task sequence. At the moment it will pause no problem, but when I restart, it continues with the 'Applying WinPE' and sysprep stages.
    Is this the expected behaviour or is something going wrong?

    I happened upon this thread when looking for a similar answer. I am getting underway with MDT 2013 to create a reference image and, despite using LTISuspend.wsf, the suspend was not surviving reboots. My intention is to fully automate the process, but in the short term I have some testing and manual tweaks to make. Pausing a task sequence like this to make changes is acceptable (sometimes you have some interface tweaks to make that are hard to script) but probably not ideal; but taking a snapshot of a VM right after the suspend is a great way to come back without re-running the entire sequence, so that you can dig in to poke around for learning purposes or make some of your changes. I've seen Johan Arwidmark and Mykael Nystrom talk about this very concept and its usefulness in MMS 2013 session DC-B306 'Building the Perfect Windows 8 Image', available online.
    Regardless, I wanted to share (as of MDT 2013; I realize this thread started with 2012 U1) that once I was paused I found there is a critical RunOnce registry value that must be removed if you want any hope of surviving reboots before you resume the sequence. The exact value is here:
    hklm\software\microsoft\windows\currentversion\runonce\LiteTouch
    String data with value = wscript.exe "C:\MININT\Scripts\LiteTouch.wsf"
    Test for yourself and don't take my word conclusively that this is the only hook of concern; I am just reporting that it seems to help in my testing. You can write a couple of simple scripts to take this out and then put it back like so:
    To disable (remove key to prevent reboot interference):
    $regPath = "hklm:\software\microsoft\windows\currentversion\runonce"
    Remove-ItemProperty -path $regPath -name "LiteTouch" -force
    To enable (get ready to resume task sequence):
    $regPath = "hklm:\software\microsoft\windows\currentversion\runonce"
    New-ItemProperty -path $regPath -PropertyType string -name "LiteTouch" `
    -value 'wscript.exe "C:\MININT\Scripts\LiteTouch.wsf"' -force

  • SCOM 2012 SP1 - Windows operating system is not monitored in a SCOM agent

    Hi All,
    I have an agent with windows 2012 operating system that i am trying to monitor.
    At the "Windows computers" view the "Windows operating system" column is empty ("Agent" column is Healthy).
    Why doesn't SCOM recognize that the agent has an operating system?
    Please help.
    Thanks.

    Hi,
    On workgroup servers, you have to make sure you've used the momcertimport tool to import the certificate into the SCOM service.
    In addition, I would like to suggest you go through the below article to monitor non-domain servers with SCOM:
    Monitoring non-domain members with OM 2012
    http://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx
    Hope this helps.
    Regards,
    Yan Li
