Need help with an alert.
I am trying to configure an alert to fire whenever the NIC Windows Service stops and does not restart on some of our collectors. I was able to set one up for the NIC Scheduler service but I can't find a way to do it for the Windows service.
NIC Event ID is 503005 with the filter "windows" in it. Set up the alert based on this for the NIC System device.
503006 is the start action...
1 - Under enVision services (from the GUI), stop windows service
2 - open normal event viewer for windows and under system you should see event ID 7035 & 7036 telling it issued a stop and stopped
3 - Then go to the enVision event viewer, filter on the IP address of your enVision appliance, then add "windows" as a filter and it should bring up the message...
Use this information to create your alert.
Hope this helps... let me know either way.
Hi Ken. Ibrmo01 is correct. Specifically, the event pattern you would be looking for would be a Windows event ID 7031 from the System log of the enVision appliance followed by an absence of Windows event ID 7036 from the System log of the same appliance within the next 65 seconds or so. I only say that because the default recovery response for failure of the NIC Windows Service on my environments has it set to "restart the service after" [ 1 ] minutes.
If I'm understanding you correctly you aren't even seeing these 7031/7036 event IDs for the NIC services starting and stopping. One thing to check... are you seeing any events for any services starting and stopping at all on the appliance? If this is the case, you're probably not alone. In fact I suspect that 80% of enVision users can't see them either.
It's a known Windows issue, well, that and the enVision product doesn't appear to accommodate for the known issue after initial typing and enVision application setup. Basically it's caused by the fact that a Windows 2003 server was sysprep'ed and in doing so that sysprep process stripped all registered users from the WMI repository. Coincidentally, all services on Windows systems (like the NIC services) are controlled by the Windows Service Control Manager (SCM) and in order for SCM to log its event output correctly to the Windows event logs it requires users be registered in the WMI repository. As you can imagine, the enVision product is basically a pre-configured Windows install that gets sysprepped down before distribution. So... in short, your WMI repository is probably still empty and requires a mod.
To fix your WMI repository follow these instructions on all of your appliances.
You will immediately start seeing Service Control Manager events being generated in the System log of your appliances for all service control events. It doesn't even require a reboot of the appliance.
Now that you have that fixed, and you've built an alert for the Unexpected NIC Windows Service failures, you'll be free to do the same for almost all the other services on your appliances for that matter.
A closing thought... I'm surprised there aren't more users that run into this same problem, but then I remind myself that we all use the tool to different degrees of intensity. In fact
"More than 80% of current SIEM deployment projects are to close a compliance gap"
-2008 Gartner MQ for SIEM
Wow. I'm sorry to hear that. What was it that crashed hard, the envision application or the OS? Any specifics of the crash that you can share? I have never experienced any problems with it, so I'm curious as to what caused it on your system.
Also, did you schedule the command to run via AT command under the system account credentials as the instructions indicated or did you just run it from command line?
sorry to hear about the crash
KeN Greene wrote:
Attached is how we ended up getting this to work the way we wanted it.
What you might want to do is the following:
If MessageID 606001 is NOT FOLLOWED by MessageID 606000 within say 60 seconds then fire the alert. Just multi-thread it on fld or source so that you know it is the same collector that you are looking for this stop followed by start.
This should tell you that the Windows Service did not restart. This is something that I generally see when trying to restart the NIC Service Manager. The NIC Windows Service is still trying to clean up and stop when the Service Manager has already sent the restart to all of the services. It takes about a minute for my service to finish stopping and then I have to start it manually.
When the appliance reboots, there is never this issue... only when doing the NIC Service Manager.
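As an added example that is not from this thread or from RSA enVision, here is the "stop not followed by start within N seconds, per source" rule that both replies above describe, written as a small Python correlation over constructed log lines. The message IDs 606001/606000 and the 60 second window come from the thread; the log format, source names and timestamps are constructed. The same function checks the Windows SCM 7031/7036 pair with the 65 second window mentioned earlier, which is the generalization over what the thread shows for one message pair.

```python
"""Correlate service-stop events against later service-start events, per source.

Added example, not enVision's own correlation engine. The alert condition is the
one from the thread: a stop message that is not followed by a start message from
the same source within a configurable window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread): "<date> <time> <source> <message_id>".
# 606001 = NIC Windows Service stop, 606000 = NIC Windows Service start (IDs from the thread).
SAMPLE_LOG = """\
2008-06-01 10:00:00 collector1 606001
2008-06-01 10:00:30 collector1 606000
2008-06-01 10:05:00 collector2 606001
2008-06-01 10:07:10 collector2 606000
2008-06-01 10:10:00 collector3 606001
2008-06-01 10:10:20 collector1 606000
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, source, message_id) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, time, source, msg_id = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, source, int(msg_id)))
    return events


def find_missed_restarts(events, stop_id, start_id, window_seconds):
    """Return [(source, stop_time)] for every stop not followed by a start within the window.

    Events are grouped by source ("multi-threaded" on the collector, in the thread's
    words) so a start on one collector never satisfies a stop on another. A start that
    arrives after the window still counts as a missed restart, because the alert is
    meant to fire as soon as the recovery deadline passes.
    """
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for ts, source, msg_id in sorted(events):
        by_source[source].append((ts, msg_id))

    alerts = []
    for source, evs in by_source.items():
        for i, (ts, msg_id) in enumerate(evs):
            if msg_id != stop_id:
                continue
            deadline = ts + window
            # evs is time-ordered, so only later events need to be scanned.
            restarted = any(t2 <= deadline and m2 == start_id for t2, m2 in evs[i + 1:])
            if not restarted:
                alerts.append((source, ts.isoformat(sep=" ")))
    return alerts


def alerts_for_sample():
    """Run the thread's rule (606001 not followed by 606000 within 60 s) on the sample."""
    return find_missed_restarts(parse_log(SAMPLE_LOG), stop_id=606001, start_id=606000, window_seconds=60)


def alerts_for_scm(events):
    """Same rule for the Windows SCM pair: 7031 (unexpected stop) not followed by 7036 within 65 s."""
    return find_missed_restarts(events, stop_id=7031, start_id=7036, window_seconds=65)


if __name__ == "__main__":
    for source, stop_time in alerts_for_sample():
        print(f"ALERT: {source} stopped at {stop_time} and did not restart within 60 s")
```

In the sample, collector1 restarts 30 seconds after stopping and is quiet; collector2 restarts 130 seconds later and collector3 never restarts, so both raise an alert. The trailing 606000 on collector1 with no preceding stop is ignored, which is the behaviour you want from a "stop not followed by start" rule.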