MOM 2005 event rules that use the Security event provider trigger messages when the event criteria are not met (883339)
The information in this article applies to:

  • Microsoft Operations Manager 2005

SYMPTOMS

You create a new event processing rule in Microsoft Operations Manager (MOM) 2005. When you use the Security event provider to search the description field of the Security event log for specific event IDs, the new rule may trigger messages, even if the rule criteria have not been met.

CAUSE

This behavior occurs when the MOM 2005 event processing rule contains regular or Boolean expressions. In this case, the regular or Boolean expressions may not correctly parse the event description field in the Security event log. This behavior causes the event processing rule to trigger a message.

WORKAROUND

To work around this problem, modify your existing event rule, or create a new event rule to collect the specified event IDs in the Security event log. You can then specify additional parameters to trigger the message. For example, if you want to receive messages for user logon failure events, such as event ID 529, for a specific user account, follow these steps:

Note These steps assume that you want to create a new event rule. To modify your existing event rule, double-click the event rule that you want to modify, and then use only step 7 and step 8. The collection rule that is referenced in these steps is created by the wizard as part of these steps. You do not have to create a new collection rule for the specific parameter matching to work.
  1. Click Start, point to Programs, point to Microsoft Operations Manager 2005, and then click Administrator Console.
  2. In the MOM 2005 Administrator Console, expand Microsoft Operations Manager (ServerName), where ServerName is the name of the computer that is running MOM 2005.
  3. Expand Management Packs, expand Rule Groups, and then expand the rule group to which you want to add an event rule.
  4. Right-click Event Rules, and then click Create Event Rule.
  5. In the Select Event Rule Type dialog box, click Collect Specific Events (Collection), and then click Next.
  6. Click the list under Provider name, click Security, and then click Next.
  7. On the Collection Rule Properties - Criteria screen, click the Event ID check box, type 529, and then click Advanced.
  8. In the Advanced Criteria dialog box, click the list under Field, select the parameter that you want to use, and then type the value for the expression. In this example, the following values are used:
    • Parameter 1 equals UserName, where UserName is the name of the user account.
    • Parameter 2 equals DomainName, where DomainName is the name of the domain.
    • Parameter 3 equals Log on ID, where Log on ID is the ID of the currently logged on user.
    • Parameter 4 equals Log on Type, where Log on Type is the type of account that is running the service or task, for example, Interactive or Service.
    Set each parameter, click Add to list, click Close, and then click Next.
  9. On the Collection Rule Properties - Parameter Storage page, click Store all event parameters, and then click Next.
  10. On the Collection Rule Properties - Schedule page, you can set a schedule or select Always process data, and then click Next.
  11. On the Collection Rule Properties - Company Knowledge Base page, you may enter any knowledge that you have gathered or leave the page blank, and then click Next.
  12. On the Collection Rule Properties - General page, type a name for the new rule in the Rule name: field. Click to select the This rule is enabled check box to turn on the rule, and then click Next.
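
The following Python script is an added example, not part of this article or of MOM 2005, that contrasts the two ways of building the rule: searching the free-text description field, and comparing the stored event parameters as the workaround describes. The event records, their description text, and the parameter layout (1 = user name, 2 = domain, 3 = logon ID, 4 = logon type, as listed above) are constructed for the example.

```python
import re

# Constructed sample Security-log records shaped like the MOM 2005 event the
# article describes: an event ID plus numbered parameters. The description
# strings are constructed here, not copied from a real Security log.
SAMPLE_EVENTS = [
    {"event_id": 529,
     "params": {1: "jsmith", 2: "CONTOSO", 3: "(0x0,0x3E7)", 4: "Interactive"},
     "description": "Logon Failure: User Name: jsmith Domain: CONTOSO "
                    "Logon Type: Interactive"},
    {"event_id": 529,
     "params": {1: "jsmithers", 2: "CONTOSO", 3: "(0x0,0x3E8)", 4: "Service"},
     "description": "Logon Failure: User Name: jsmithers Domain: CONTOSO "
                    "Logon Type: Service"},
    {"event_id": 528,
     "params": {1: "jsmith", 2: "CONTOSO", 3: "(0x0,0x3E9)", 4: "Interactive"},
     "description": "Successful Logon: User Name: jsmith Domain: CONTOSO "
                    "Logon Type: Interactive"},
]


def description_rule(event, event_id, pattern):
    """Rule that matches the event ID and then runs a regular expression over
    the free-text description. This is the style the article says misfires;
    a substring pattern also fires on similar user names."""
    if event["event_id"] != event_id:
        return False
    return re.search(pattern, event["description"]) is not None


def parameter_rule(event, event_id, expected):
    """Rule built as the workaround describes: match the event ID, then require
    each stored parameter to equal the value set in Advanced Criteria."""
    if event["event_id"] != event_id:
        return False
    return all(event["params"].get(idx) == value for idx, value in expected.items())


def matches(rule, events):
    """Return the user name (Parameter 1) of every event the rule triggers on."""
    return [e["params"][1] for e in events if rule(e)]
```
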

MORE INFORMATION

For additional information about Windows 2000 Security event IDs, click the following article numbers to view the articles in the Microsoft Knowledge Base:

299475 Windows 2000 Security event descriptions (Part 1 of 2)

301677 Windows 2000 Security event descriptions (Part 2 of 2)

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Modification Type: Minor
Last Reviewed: 6/13/2005
Keywords: kbtshoot kbprb KB883339 kbAudITPRO