DavidKim-4125 asked Crystal-MSFT commented

How to enable SCOM to monitor for alerts like "RegistryValue Check - Crash On Audit Fail"?

Subject: Alert: RegistryValue Check - Crash On Audit Fail

Alert: RegistryValue Check - Crash On Audit Fail

Alert description: The crashonauditfail registry key value is not set to the desired value of 1. Investigate this issue immediately as this has caused system outages in the past.
XXXXXXXXXXXXXXX
The above alert was from our SCOM 2012 and we need to make sure the new SCOM 2019 can also monitor for this type of alert.
What MP, run as profile, ... do I need to configure to enable this type of alert in SCOM 2019?

msc-operations-manager

Crystal-MSFT answered Crystal-MSFT commented

@DavidKim-4125, based on my research, the CrashOnAuditFail feature is a registry key that can be set to make sure that all auditable events are recorded in the security event log. When the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail is set to 1, anyone may log on if the system can audit the events and write the events to the security event log. If the security event log is full, the value for the CrashOnAuditFail key is changed to 2, and the server crashes. Here is a link with more detailed information for reference:
https://docs.microsoft.com/en-us/troubleshoot/iis/users-cannot-access-web-sites-when-log-full

When the value is changed, event id 4906 is generated:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4906

Here, we can create an event monitor in SCOM 2019 to monitor event id 4906. We can see more details in the following link:
https://social.technet.microsoft.com/wiki/contents/articles/51547.scom-monitor-a-specific-windows-event.aspx

Hope it can help.

@DavidKim-4125, hope things are going well. I am writing to see if there's anything else we can help with. If yes, feel free to let us know.

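A standalone check of the registry value and of event 4906 described in the answer above, as an added example that is not part of the original thread and not a SCOM management pack. The parameter names, the 7-day lookback and the output shape are assumptions; run it elevated so the Security log can be read.

```powershell
# Added example: report whether CrashOnAuditFail matches the desired value
# and list recent 4906 events (changes to that value).
[CmdletBinding()]
param(
    [int]$DesiredValue = 1,   # value the original alert treats as healthy
    [int]$LookbackDays = 7    # assumed review window for event 4906
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# A missing value yields $null instead of an error, and is reported as non-compliant.
$current = (Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail `
            -ErrorAction SilentlyContinue).CrashOnAuditFail

$changes = @()
try {
    $filter = @{
        LogName   = 'Security'
        Id        = 4906
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    $changes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Pull the new value out of the event's EventData XML.
        $xml  = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data |
                Where-Object { $_.Name -eq 'CrashOnAuditFailValue' }
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; NewValue = $data.'#text' }
    })
}
catch {
    # "No matching events" is a normal outcome; anything else (for example
    # access denied on the Security log) must not be mistaken for "no changes".
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
        Write-Warning "Could not read event 4906: $($_.Exception.Message)"
    }
}

$result = [pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    CurrentValue  = $current
    DesiredValue  = $DesiredValue
    Compliant     = ($current -eq $DesiredValue)
    RecentChanges = $changes
}
$result

# Non-zero exit code lets a scheduler or wrapper treat drift as a failure.
if (-not $result.Compliant) { exit 1 }
```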
RogerXue-3369 answered

You may check the rule or monitor for generating this alert by viewing its details.

Roger


CyrAz answered Crystal-MSFT commented

If that used to work in SCOM 2012 and you still have that environment available, find the alert there, open its rule or monitor properties, check in what MP it's stored and import it in SCOM 2019.

Would I have to create a monitor after importing this custom MP? Or does SCOM automatically create this monitor? Guessing I would have to check that it is enabled.

@DavidKim-4125, for the monitor in the custom MP, if it is compatible with the new version, it will be enabled when the MP is imported. We can check the monitor under Authoring to double confirm.