Rules - FFSMP for SCOM 2007
Rules monitor the Forefront Security products, engine updating, scan jobs, and Forefront Security services. They examine events generated by those processes to determine if alerts should be generated. Rules also retrieve statistics for scan jobs. There are several different kinds of rules included with FFSMP.
Rules for Forefront Security for Exchange Server
All rules are stored in the Management Packs Objects node in the Authoring space of the Administrator Console. They monitor events specific to the particular type of server. There are several categories of rules for Forefront Security for Exchange Server. Rules can be viewed in the Operator Console and modified in the Authoring space.
Note that rules ending in "W" are for warnings; those ending in "E" are for errors.
Forefront Security for Exchange Server – All Servers Installation. Rules that monitor clusters, engines, licenses, rollbacks, state and updates.
Forefront Security for Exchange Server – Edge Transport Installation. Rules for scan jobs and performance counter events that collect data about scan rates, detection statistics, and services for agent-managed systems that are Edge Transport servers.
Forefront Security for Exchange Server – Hub Transport: Mailbox and Public Folder Installation. Rules for scan jobs and performance counter events that collect data about scan rates and detection statistics for agent-managed systems that are mailbox servers and public folder servers. It also contains additional rules for monitoring services and Transport, Realtime, and Manual scan jobs on hub transport/mailbox servers.
Forefront Security for Exchange Server – Hub Transport Installation. Rules that collect statistics on agent-managed Hut Transport servers. They also monitor scanning and services.
Forefront Security for Exchange Server – Mailbox and Public Folder Installation. Rules that collect statistics on agent-managed servers that have a Mailbox or Public Folder role. They also monitor Realtime and Manual scanning activities and services.
These are the types of rules.
Collection Event Rules. Examine events that occur on agent-managed systems and determine if an alert should be prepared. These can be events written to Windows event logs by the Windows components being monitored or they can be events that are generated by Operations Manager 2007 itself. The events and any alerts generated from them are stored in the Operations Manager 2007 database. For more information see Event Rules.
Alert Generating Rules. Examine generated alerts and determine if a notification should be prepared. For more information, see Alert Rules.
Collection Performance-Based Rules. Retrieve performance data from agent-managed systems. Operations Manager 2007 stores performance data in the Operations Manager 2007 database. For more information see Performance Rules.
Event rules examine events that have occurred on managed servers. The agents retrieve the events and store them in the database. The event rules then examine them and display logged information about errors and significant events from the agent systems.
Event rules can be classified by data source: Provider-based event rules, Collection event rules, and Alert event rules.
Provider-based event rules
Provider-based event rules use four provider types as data sources:
The Windows Event Log
The Windows System Event Log
The Forefront Security ProgramLog.txt file
With the exception of the Timed Event provider, the event rules are configured based on certain criteria, including Event Source, Event ID Number, and Description Text.
Collection event rules
Collection event rules are typically used for non-critical informational events that may be of interest to operators, such as services starting and stopping, scan tasks being enabled and disabled, and engine update events. They only generate event entries in the Event Views of the Operations Manager 2007 Operator Console and store the event parameters in the Operations Manager 2007 database.
Alert event rules
The creation of an alert record (see Alert Rules) itself causes the generation of an event entry in the Event Views of the Operations Manager 2007 Operator Console.
Alert rules examine the alerts generated by alert event rules to determine if a notification needs to be prepared. They are configured to trigger a notification when an alert with a severity level of “Critical Error” is generated.
When an alert event rule generates an alert, it passes certain properties to it:
Alert Severity. Possible values include “Critical Error”, “Error”, “Warning”, or “Information”. The value depends upon the perceived severity of the event that caused the alert to be generated. A “Critical Error” indicates a potentially dangerous loss of service.
CustomField1. All event rules that generate an alert insert Microsoft Forefront Security Server in this field.
CustomField2. Event rules in the Forefront Security for Exchange Server rule group insert a value of Microsoft Forefront Security for Exchange Server in this field. Event rules in the Engine Update Monitoring “common” rule group leave this field blank.
CustomField3. Specifies the rule group origin of the Event Rule that created the alert record. For example, an event rule that generates an alert from the Engine Update Monitoring rule group inserts a value of "EngineUpdateFailure" in this field.
These custom field values are used as criteria when building alert views in the Operations Manager 2007 Operator Console. This is explained in more detail in Views - FFSMP for SCOM 2007.
Notification methods and notification group membership need to be configured and implemented by the managers of the Operations Manager 2007 environment.
Performance rules retrieve statistics for all scan jobs, in the following categories:
Total number of attachments scanned
Total number of attachments cleaned
Total number of attachments removed
Total number of attachments detected
Total number of messages detected
Total number of messages purged
Total number of messages scanned
Total number of messages tagged in the Subject line
Rate of scanning (number of attachments scanned per second)
These performance rules are located in Hub Transport Installation (Transport statistics), Edge Transport Installation (Transport statistics), Hub Transport: Mailbox/Public Folders (Transport, Realtime, and Manual statistics), and Mailbox/Public Folder Installation (Realtime and Manual statistics).
Performance counter providers
Performance rules in Operations Manager 2007 require Windows Performance Counter providers to supply the sampled data. The providers included with the Microsoft Forefront Server Security Management Pack for Operations Manager 2007 are configured to a sample rate of 1800 seconds (30 minutes), with the exception of the providers used to determine scanning rates and processor times for the scan jobs, which are configured to a sample rate of 300 seconds (5 minutes).
Rules Knowledge Base
All rules contained in the Microsoft Forefront Server Security Management Pack for Operations Manager 2007 have a Knowledge Base entry containing a summary or description of the event. This entry explains the event’s significance, possible causes, and possible resolutions.
Knowledge Base entries can be viewed through Operations Manager 2007 Operator Console.
To view a Knowledge Base entry
Select a rule in the Rules section of the Authoring space.
Right-click the rule. A shortcut menu appears.
Choose Properties from the shortcut menu.
Click the Product Knowledge tab.