SCOM 2012: ACS Forwarder Security Log Retention Monitor


In an OpsMgr Audit Collection Services (ACS) implementation the local Security logs on the forwarders act as the queue whenever the collector is not available: an event that has been overwritten in the Security log by the time the collector is back cannot be forwarded anymore. So the retention time of the Security log is very important, but out of the box it is not monitored by OpsMgr. Today I decided to create a PowerShell monitor which monitors the retention time of the Security event log.

— Updated version of the Management Pack can be found here —-

This PowerShell monitor uses the following script to define the retention of the Security event log of an ACS forwarder.

#Get the oldest entry of the Security event log. Get-EventLog returns the newest
#entry first, so -Last 1 is the oldest record still in the log (note that this
#enumerates the complete log to get there)
$LastLogEntry = Get-EventLog -LogName Security | Select-Object -Last 1

#Define dates: timestamp of the oldest record and the current time
$StartDate = [datetime]$LastLogEntry.TimeGenerated
$EndDate   = (Get-Date)

#The retention is the time span between the two, in whole days
$Result    = New-TimeSpan -Start $StartDate -End $EndDate
$ResultDay = $Result.Days

Based on the above script I created a probe and data source module and finally the monitor type. In the current version the threshold values can be overridden. The values are in days: a retention of 5 days or higher is Healthy, 3 days or lower is Critical, and a value between the two thresholds puts the monitor in a Warning state. The interval of the monitor is one day.

The monitor generates an alert when it is in a Warning or Critical state. The alert description shows the principal name of the forwarder and the actual retention in days. The monitor is targeted at the ACS Forwarder class (Microsoft.SystemCenter.ACS.Forwarder).
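As an added example (not the script from the management pack described above), the following PowerShell does the same retention calculation and applies the same three-state threshold logic, but reads only the oldest record with Get-WinEvent -Oldest -MaxEvents 1 instead of enumerating the whole Security log, and also reports how full the log is and whether it is in Circular mode, because a log that is at its maximum size is the one about to overwrite its oldest records. The threshold defaults and the property bag names are assumptions for illustration, not the names used in the management pack.

```powershell
# Added example, not part of the management pack. Assumed defaults: Healthy at
# 5 days or more, Critical at 3 days or fewer, Warning in between.
function Get-SecurityLogRetention {
    param(
        [int]$HealthyDays  = 5,
        [int]$CriticalDays = 3
    )

    # Oldest surviving record. -Oldest returns records in forward order, so
    # -MaxEvents 1 yields the oldest record without reading the rest of the log.
    try {
        $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction Stop
        $retentionDays = (New-TimeSpan -Start $oldest.TimeCreated -End (Get-Date)).Days
        $oldestTime    = $oldest.TimeCreated
    } catch {
        # Empty or unreadable log: treat as zero retention so it surfaces as Critical
        $retentionDays = 0
        $oldestTime    = $null
    }

    # Log configuration: size limit, current size and overwrite behaviour
    $log = Get-WinEvent -ListLog Security
    $percentFull = if ($log.MaximumSizeInBytes -gt 0) {
        [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes)
    } else { 0 }

    $state = if ($retentionDays -ge $HealthyDays)     { 'Healthy' }
             elseif ($retentionDays -le $CriticalDays) { 'Critical' }
             else                                      { 'Warning' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OldestRecord  = $oldestTime
        RetentionDays = $retentionDays
        State         = $state
        LogMode       = $log.LogMode          # Circular means oldest records get overwritten
        MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        CurrentSizeMB = [math]::Round($log.FileSize / 1MB)
        PercentFull   = $percentFull
    }
}

$result = Get-SecurityLogRetention -HealthyDays 5 -CriticalDays 3

# Inside a SCOM PowerShell probe the values go into a property bag so the
# monitor type can compare RetentionDays against the overridable thresholds.
# Property names below are assumed for this example.
$api = New-Object -ComObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()
$bag.AddValue('Computer',      $result.Computer)
$bag.AddValue('RetentionDays', $result.RetentionDays)
$bag.AddValue('State',         $result.State)
$bag.AddValue('LogMode',       [string]$result.LogMode)
$bag.AddValue('PercentFull',   $result.PercentFull)
$bag
```

Reading the Security log requires administrative rights or membership of the Event Log Readers group; the SCOM agent runs as Local System, so this is not an issue inside a management pack, but it is when you run the function interactively. Get-WinEvent is only available on Windows Server 2008 and later, so for Windows 2003 forwarders the Get-EventLog based script remains necessary.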

The management pack containing this monitor can be downloaded here.

This monitor has been tested on the following operating systems:

  • Windows 2003
  • Windows 2008 (R2)
  • Windows 2012 (R2)

During the execution of the PowerShell script itself, the CPU usage of the PowerShell process can spike to 100% for a short amount of time, because Get-EventLog enumerates every record in the Security log before Select-Object -Last 1 can return the oldest one. This is also the reason why I set the interval of this monitor to 1 day.

