Monitoring Windows Server Interactive Logins

I’m sure many of you realise that for high-value systems, whether because of the information they hold or the business impact of an outage or data breach, you would want to crank up the monitoring. Best practice says you should monitor pretty much all activity associated with local users and groups, but today I want to focus on interactive logins to servers.

This has mainly come about from my own need recently to provide the ability to notify on any interactive login to a particular server, be it using remote desktop or a console session.

My first thought was to create a SCOM Rule that would report on Security Log EventID 4624 and if the Logon Type was 3 (console logon) or 10 (RDP Logon), send an email. As it turned out, this was much harder than I expected, as I found that Logon Type was not getting consistently passed as a parameter, and doing a text search on the entire message is not good practice.
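Filtering on the logon type as a structured field rather than by message text, as an added example that is not code from the original post: the XPath filter below addresses `LogonType` by its field name in `EventData`, so it depends neither on parameter position nor on the rendered message. Microsoft documents type 2 as Interactive (console) and type 10 as RemoteInteractive (RDP), so those are the defaults; the function name, parameters and account filtering are my own choices.

```powershell
# Added example, not code from the original post. Lists recent interactive logons by
# filtering Security event 4624 on the structured LogonType field in EventData, so it
# neither depends on parameter position nor text-searches the rendered message.
# Needs Event Log Readers (or local admin) rights on the server being queried.
# Default types follow Microsoft's documentation for 4624: 2 = Interactive (console),
# 10 = RemoteInteractive (RDP). Pass -LogonTypes to use a different set.
function Get-InteractiveLogon {
    param(
        [int[]]$LogonTypes = @(2, 10),
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # One "Data[@Name='LogonType']='N'" clause per requested type, joined with "or".
    $typeClause = ($LogonTypes | ForEach-Object {
        "EventData[Data[@Name='LogonType']='$_']"
    }) -join ' or '
    $ms = $Hours * 3600000   # timediff() in event log XPath works in milliseconds
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and ($typeClause)]"

    $events = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of parsing $e.Message.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }

        # Drop computer accounts (names ending in $) and SYSTEM; these are not people logging in.
        if ($data.TargetUserName -like '*$' -or $data.TargetUserSid -eq 'S-1-5-18') { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType   = $data.LogonType
            SourceIP    = $data.IpAddress
            Workstation = $data.WorkstationName
            LogonId     = $data.TargetLogonId
        }
    }
}

# Example: console and RDP logons in the last 24 hours on this server.
Get-InteractiveLogon | Format-Table -AutoSize
```

The same XPath string can be pasted into a custom view in Event Viewer or used as the filter for a scheduled task or monitoring rule, which is what makes the field-based form more robust than a message-text search.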


It’s Nice to be Appreciated

Quite out of the blue I had a parcel arrive on my doorstep while I was on leave. It was notable in that I had received all the parcels I thought I was expecting.

As it turns out the fine administration over at ITPA felt that I do quite a bit to help out this organisation and wanted to thank me with a signed copy of Tom Limoncelli’s tome of The Practice of System and Network Administration.

I feel suitably humble. It’s nice to be appreciated 🙂

Microsoft Ignite Australia 2017 – Final Day


Well, all good things must come to an end, and so it passes that this is the last day of MS Ignite for another year. There is definitely a more subdued feeling amongst the attendees (maybe due to a big night last night!), and many delegates are already flying home rather than staying for the last day of events.


Microsoft Ignite Australia 2017 – Day 3

After the excitement of the previous evening, the day kicked off a little later than the norm for me with the Elastic


One of the things I wasn’t especially aware of was X-Pack by Elastic, and that a free Basic version of it is available after the 30-day trial. Elastic Cloud may also be an option if we do not want to run the underlying infrastructure but just be a consumer of the platform. Shortly after that the session became more of a deep dive into provisioning Elastic on Azure with the ARM configuration files, which was a bit out of my depth.


Microsoft Ignite Australia 2017 – Day 2

Waking up at 5am is a near impossible feat when at home, yet seems to be no problem here. Might have something to do with the sunrise 🙂


Early start today with the 8.15am session on containers with Ben Armstrong. Containers captured my attention when announced in Server 2016 as a great way to virtualise applications.


Microsoft Ignite Australia 2017 – Day 1


Today was the first day of Microsoft Ignite Australia 2017 and I am very lucky to have the opportunity to attend!

Microsoft Ignite is the successor of Microsoft TechEd, which had a two-decade history in Australia after first being held here in 1994.

I plan to post about my experiences over the next few days.


Resolving Unknown Data Sources in Dell OpenManage Essentials

[Screenshot: OpenManage Essentials showing a device with Unknown health]

Have you ever looked in OpenManage Essentials and seen the above when looking at a device? I recently had this experience when checking on a number of older servers from which we were not receiving alerts properly.

Checking on the iDRAC and server it appeared that the management agents were running and correctly configured so that the OME server could contact the device, but attempts to discover and inventory were still failing. What was going on?

The Dell Troubleshooting Tool is an excellent utility from Dell for interrogating devices using a variety of protocols. Querying the iDRAC using WSMAN soon found the problem:

[Screenshot: Dell Troubleshooting Tool WSMAN query output from the iDRAC]

Many of the older servers had internal SSL certificates installed on them, which had subsequently expired. As most of the servers had been decommissioned, renewing the certificates had been overlooked.

Getting rid of the expired certificate is not as straightforward as it should be, as the iDRAC6 web interface has no option to delete the certificate. This was resolved by accessing the iDRAC via SSH and using the racadm command:

racadm sslresetcfg

After the iDRAC interface rebooted to apply changes, OME was then able to discover and inventory the iDRAC interface.

The Dell Troubleshooting Tool proved to be a very useful addition to the infrastructure admin’s toolbox for dealing with non-obvious management protocol issues.