You might have heard of OMS already, Microsoft's IT Management as a Service approach that delivers different capabilities from the cloud. Some days ago a new feature reached public preview status: Alerting! This means OMS can now search for specific events and raise alerts on them. In this post I will quickly walk through the new feature and show how it can be used.
First, create a search query that returns the specific events you care about from the collected data. In this example I will search for failed logon events and send out an email whenever they occur. I use the following search query:
Type=SecurityEvent AND Activity="4625 - An account failed to log on."
| Query part | Meaning |
|---|---|
| Type=SecurityEvent | Only security events should be displayed |
| AND | Operator that combines multiple filter conditions |
| Activity="4625 - An account failed to log on." | Only show events where an account could not be logged on successfully |
And this is what the result of the query looks like:
Now let's create a new alert that fires every time such an event happens in the future. To do so, click the "Alerting" button at the bottom.
Give the new alert a name and select the option "Use current search query". You can also use one of the saved queries from your favorites instead. The most important settings are the interval and the time window for searching events.
| Setting | Description |
|---|---|
| Check for this alert every | Enter the interval at which the query runs. |
| Threshold | Set the threshold that the number of events returned by the query is compared against. |
| Over this time window | Adds a time dimension to the query so that it only returns events generated in the last x minutes. The number of returned events is then compared to the threshold value. |
| The search returned x results | OMS runs the query and shows how many events it found in the configured time window. This is purely for your convenience, so you can make a better decision when configuring the threshold and the time window. |
Now let's configure what should happen when the alert triggers in the future:
| Action | Description |
|---|---|
| Send an email notification | Enable this to send an email to specific recipients. |
| Enable remediation | Lets you trigger a runbook either to remediate the situation (remediation runbook) or to collect more information (diagnostics runbook). For this to work you need to add the Automation solution and link your Azure Automation account. You can then select one runbook from your Azure Automation account. |
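To make the interplay of query, threshold, time window and check interval concrete, here is an added Python model of how such an alert rule is evaluated (example code, not part of the original post or of OMS itself). The sample records are constructed, the helper names are my own, and the greater-than comparison against the threshold is an assumption of this model; it also shows what happens when the check interval is longer than the time window.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real OMS data) carrying the two fields the post's query filters on.
FAILED_LOGON = "4625 - An account failed to log on."
SAMPLE_EVENTS = [
    {"TimeGenerated": "2015-11-20T09:20:00", "Type": "SecurityEvent", "Activity": FAILED_LOGON},
    {"TimeGenerated": "2015-11-20T10:01:00", "Type": "SecurityEvent", "Activity": FAILED_LOGON},
    {"TimeGenerated": "2015-11-20T10:03:30", "Type": "SecurityEvent", "Activity": FAILED_LOGON},
    # A successful logon (4624) and a non-security record: both fail the query filter.
    {"TimeGenerated": "2015-11-20T10:04:00", "Type": "SecurityEvent",
     "Activity": "4624 - An account was successfully logged on."},
    {"TimeGenerated": "2015-11-20T10:04:30", "Type": "Event", "Activity": FAILED_LOGON},
]

def at(hour, minute):
    """Timestamp on the constructed sample day."""
    return datetime(2015, 11, 20, hour, minute)

def matches_query(event):
    """Type=SecurityEvent AND Activity="4625 - An account failed to log on." """
    return event["Type"] == "SecurityEvent" and event["Activity"] == FAILED_LOGON

def count_in_window(events, now, window_minutes):
    """'Over this time window': matching events generated in the last x minutes before `now`."""
    start = now - timedelta(minutes=window_minutes)
    return sum(1 for e in events if matches_query(e)
               and start < datetime.fromisoformat(e["TimeGenerated"]) <= now)

def evaluate_alert(events, now, window_minutes, threshold):
    """'Threshold': fires when the result count exceeds it (a greater-than comparison
    is assumed here). Returns (fires, count)."""
    count = count_in_window(events, now, window_minutes)
    return count > threshold, count

def schedule_checks(events, first, last, interval_minutes, window_minutes, threshold):
    """'Check for this alert every': evaluate the rule at each interval and
    return the check times at which it fired."""
    fired, now = [], first
    while now <= last:
        if evaluate_alert(events, now, window_minutes, threshold)[0]:
            fired.append(now)
        now += timedelta(minutes=interval_minutes)
    return fired

if __name__ == "__main__":
    # Interval equal to the window: consecutive windows tile the hour, nothing is missed.
    print(schedule_checks(SAMPLE_EVENTS, at(9, 0), at(10, 5), 5, 5, 0))   # fires at 09:20 and 10:05
    # Interval longer than the window: all three failed logons fall between checks.
    print(schedule_checks(SAMPLE_EVENTS, at(9, 0), at(10, 5), 15, 5, 0))  # []
```

The second run illustrates why the interval should not be longer than the time window: events generated between two checks are never counted.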
Once you save your new alert it shows up in the settings\alerts area. As you can see, the only thing you can do here is delete configured alerts; editing them is not possible yet.
Now let's force some logon failures and see what the resulting mail looks like. It contains all the information from the events found in the configured time window.
If you want to check whether alerting works as expected (e.g. if you are not the recipient yourself), you can use the following search query to find all OMS alerts that have fired:
Nice, huh? This allows us to be alerted when specific events occur. It does not make OMS the new SCOM yet, but it's a good option for getting proactive notifications.
In the next part I will focus more on the runbook side of things. Stay tuned!