Log Monitoring Using Microsoft Operations Manager 2005 and Log Parser 2.2

1. Log Monitoring UsingMicrosoft Operations Manager 2005and Log Parser 2.2 David Sweetman Windows Enterprise Systems Admin Administrative Information Services University of Michigan dsweetma@umich.edu

2. Spring, 2005 Windows Virtualization Technologies 2 About the University of Michigan Three campuses � Ann Arbor � 19 schools & colleges, University Hospitals & Health Centers Dearborn � 4 schools & colleges Flint � 4 schools & colleges Research & Educational Units 35 Centers 18 Institutes Decentralized IT

3. Spring, 2005 Windows Virtualization Technologies 3 About MAIS Administrative Information Services Central HR, Financials, Student Admin, Research, and supporting systems Primarily PeopleSoft (AIX/Oracle) ~60 Windows Servers Win2003 AD Environment Citrix (15 servers, ~700 cc, 3000 daily) IIS 5 & 6 SQL Server 2000 Many 3rd party apps No desktop management

4. Spring, 2005 Windows Virtualization Technologies 4 MOM Overview Comprehensive framework for consolidated monitoring and reporting Consolidates event viewer and perfmon data Group-based monitoring & alerting rules Agent-based Will queue if no central server Agentless also available, more bandwidth Scalable Operator Console MOM Reporting Server

5. Spring, 2005 Windows Virtualization Technologies 5 MOM Management Packs Thorough monitoring of applications AD, Exchange, IIS, SQL, Terminal Services, SMS, more� LOTS of data, grooming, not consolidate Customizable Disable some alerting Disable reboot window monitoring Increase frequency of perfmon (15min to 1)

6. Spring, 2005 Windows Virtualization Technologies 6 Screenshot

7. Spring, 2005 Windows Virtualization Technologies 7 Custom Monitoring Rules 3rd party app process monitoring Business Objects (DW) queries Scripted processes write to event log Check for presence of event Check for absence of event Backup, mirroring, data import/export Threshold monitoring Free disk space below x%, CPU above y%

8. Spring, 2005 Windows Virtualization Technologies 8 OnePoint SQL Views Customized, ad-hoc processing, export to Excel PivotTables sampledNumericDataCapacityReportView Time, value, Server, ObjectName, CounterName Capacity Planning & troubleshooting EventView Evtime, ProviderInstance, Type, Server, Source, Category, Euser, Eventno, evtText

9. Spring, 2005 Windows Virtualization Technologies 9 LogParser Overview Use SQL to query logs Local or remote logs Variety of input and output Command line and scriptable COM Efficient engine Newest version (2.2) includes charting

10. Spring, 2005 Windows Virtualization Technologies 10 LogParser Formats Input: W3C (IIS logs), URLScan, Event Viewer, File System, Text Files, registry, CSV, XML, ADS (Properties and objects), and more (including custom)� Output: StdOut, CSV, ODBC, Syslog, XML, DataGrid, Chart

11. Spring, 2005 Windows Virtualization Technologies 11 URL Scan Notifications URLScan logs: vital info, timely need VBScript Runs every 5 minutes Identifies all IIS servers in domain Identifies if URLScan is installed Queries for activity in past 5 minutes Send e-mail alert if suspicious activity

12. Spring, 2005 Windows Virtualization Technologies 12 Daily Status Reports VBScript Daily Health Status of domain Complete server list and description Usage counts Business Objects peak, Citrix farm IIS URLScan and 404 summary Helpful to developers Identifies IIS installs, checks security config � file locations, URLScan, etc

13. Spring, 2005 Windows Virtualization Technologies 13 Monthly Usage Stats VBScript Queries IIS logs to generate usage info by application and app instance Unique users per day and per month Validate instance �needs� Long term capacity trending and planning

14. Spring, 2005 Windows Virtualization Technologies 14 More Information MS LogParser online Help Log Parser Toolkit Gabriele Giuseppini, Mark Buirnett Syngress Press, ISBN#1-932266-52-6 MOM: www.microsoft.com/mom Lots of distributed info

15. Spring, 2005 Windows Virtualization Technologies 15 Questions?