Monitoring and Auditing Windows Server 2012
- 5/15/2013
- Before you begin
- Lesson 1: Monitor servers
- Lesson 2: Advanced audit policies
- Practice exercises
- Suggested practice exercises
- Answers
Lesson 1: Monitor servers
Unwatched servers, like unwatched children, invariably end up in a chaotic state. Monitoring a server using data collector sets, alerts, and events enables you to keep an eye on the server’s performance and configuration. Although effective monitoring is unlikely to stop a server from ever experiencing problems, it often provides warning signs about developing problems, giving you a chance to resolve them before they cause a service disruption. In this lesson, you will learn how to configure data collector sets, manage alerts, monitor events, and perform network monitoring.
Data collector sets
Data collector sets enable you to collect performance data, system configuration information, and statistics into a single file. You can use Performance Monitor or other third-party tools to analyze this information to make a determination about how well a server is functioning against an assigned workload.
You can configure data collector sets to include the following:
- Performance counter data The data collector set not only includes specific performance counters but also the data generated by those counters.
- Event trace data Enables you to track events and system activities. Event trace data can be useful when troubleshooting misbehaving applications or services.
- System configuration information Enables you to track the state of registry keys and record any modifications made to those keys.
Windows Server 2012 includes the following built-in data collector sets, as shown in Figure 10-1.
Figure 10-1 Built-in data collector sets
- Active Directory Diagnostics Available if you have installed the computer as a domain controller; it provides data on Active Directory health and reliability.
- System Diagnostics Enables you to troubleshoot problems with hardware, drivers, and STOP errors.
- System Performance Enables you to diagnose problems with sluggish system performance. You can determine which processes, services, or hardware may be causing performance bottlenecks.
To create a data collector set, perform the following steps:
1. Open Performance Monitor from the Tools menu of the Server Manager console.
2. Expand Data Collector Sets.
3. Click User Defined. On the Action menu, click New and click Data Collector Set.
You are given the option of creating the data collector set from a template, which enables you to select from an existing data collector set, or to create a data collector set manually. If you choose to create a data collector set manually, you have the option of creating a data log, which can include a performance counter, event trace data, and system configuration information; or a performance counter alert. This choice is shown in Figure 10-2.
Figure 10-2 Creating a new data collector set
If you select Performance Counter, you then choose which performance counters to add to the data collector set. You also specify how often Windows should collect data from the performance counters. Figure 10-3 shows data being collected once every 15 seconds.
Figure 10-3 Setting an interval for the data collector set
If you choose to include event trace data, you need to enable event trace providers. As Figure 10-4 shows, a large number of event trace providers are available with Windows Server 2012. You use event trace providers when troubleshooting a specific problem. For example, the Microsoft-Windows-AppLocker event trace provider helps you diagnose and troubleshoot issues related to AppLocker.
Figure 10-4 Event trace providers
If you choose to monitor system configuration information, you can select registry keys to monitor, as shown in Figure 10-5. Selecting a parent key enables you to monitor all registry changes that occur under that key while the data collector set is running.
Figure 10-5 Setting registry keys to record
You then specify where you want data collected by the data collector set to be stored. The default location is the %systemdrive%\PerfLogs\Admin folder. If you intend to run the data collector set for an extended period of time, you should store the data on a volume separate from the one that hosts the operating system.
The final step in setting up a data collector set is to specify the account under which the data collector set runs. The default is Local System, but you can configure the data collector set to use any account for which you have the credentials.
Alerts
Performance counter alerts enable you to configure a task to run when a performance counter, such as available disk space or memory, falls under or exceeds a specific value. To configure a performance counter alert, you create a new data collector set, choose the Create Manually option, and select the Performance Counter Alert option, as shown in Figure 10-6.
Figure 10-6 Configuring the performance counter alert
You add the performance counter, threshold value, and whether the alert should be triggered if the value exceeds or falls below this value. Figure 10-7 shows an alert that is triggered when the amount of available memory falls below 512 megabytes.
Figure 10-7 Setting an alert threshold
When you create an alert, all it does when triggered is to add an event to the event log. You can also configure an alert to run a scheduled task when triggered. You do this by editing the properties of the alert and specifying the name of the scheduled task on the Task tab, as shown in Figure 10-8.
Figure 10-8 Running a scheduled task
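The data collector set and the performance counter alert described in the two sections above, created with the built-in logman.exe tool instead of the Performance Monitor wizard. This is an added example, not code from the book; the D:\PerfLogs output path (a volume separate from the system volume) and the scheduled task name LowMemoryResponse are assumptions.

```powershell
# Added example: the wizard's data collector set and alert, built with logman.exe.
# Assumptions: D:\PerfLogs sits on a non-system volume, and a scheduled task named
# "LowMemoryResponse" already exists for the alert to run.

# 1. Counter log sampled every 15 seconds (Figure 10-3). A binary circular log capped
#    at 512 MB means a long-running set cannot fill the volume.
logman create counter "ServerBaseline" `
    -c "\Processor(_Total)\% Processor Time" "\Memory\Available MBytes" "\Network Interface(*)\Bytes Total/sec" `
    -si 00:00:15 -f bincirc -max 512 -o "D:\PerfLogs\ServerBaseline"

# 2. Configuration log: record changes under a registry key while the set runs (Figure 10-5).
#    Selecting the parent key captures every change beneath it.
logman create cfg "RunKeyWatch" -reg "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" `
    -o "D:\PerfLogs\RunKeyWatch"

# 3. Event trace log using the AppLocker provider named in the text (Figure 10-4).
logman create trace "AppLockerTrace" -p "Microsoft-Windows-AppLocker" -o "D:\PerfLogs\AppLockerTrace"

# 4. Performance counter alert: trigger when available memory falls below 512 MB (Figure 10-7).
#    -el writes the event-log entry the text describes; -tn names the scheduled task to run (Figure 10-8).
logman create alert "LowMemory" -th "\Memory\Available MBytes<512" -si 00:00:15 -el -tn "LowMemoryResponse"

# Start the collectors and confirm their status and output locations.
logman start "ServerBaseline"
logman start "LowMemory"
logman query "ServerBaseline"
logman query "LowMemory"
```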
Event Viewer
Event Viewer, shown in Figure 10-9, enables you to access recorded event information. The Windows Server 2012 Event Viewer differs from the Event Viewer in earlier versions of the Windows Server operating system, such as Windows Server 2003, in that it not only offers the Application, Security, Setup, and System logs but also contains separate Applications and Services Logs. These logs are designed to provide information on a per-role or per-application basis, rather than having all application and role service-related events funneled into the Application log. When searching for events related to a specific role service, feature, or application, check to see whether that role service, feature, or application has its own log.
Figure 10-9 Event Viewer
Event log filters
Filters on event logs enable you to view only those events that have specific characteristics. Filters apply only to the current Event Viewer session. If you constantly use a specific filter or set of filters to manage event logs, you should instead create a custom view. Filters also apply only to a single event log. You can create filters on a log based on the following properties:
- Logged Enables you to specify the time range for the filter.
- Event Level Enables you to specify event levels. You can choose the following options: Critical, Warning, Verbose, Error, and Information.
- Event Sources Enables you to choose the source of the event.
- Event IDs Enables you to filter based on event ID. You can also exclude specific event IDs.
- Keywords Enables you to specify keywords based on the contents of events.
- User Enables you to limit events based on user.
- Computer Enables you to limit events based on the computer.
To create a filter, perform the following steps:
1. Open Event Viewer and select the log that you want to filter.
2. Determine the properties of the event that you want to filter.
3. On the Actions pane, click Filter Current Log.
4. In the Filter Current Log dialog box, shown in Figure 10-10, specify the filter properties.
Figure 10-10 Specifying filter properties
Event log views
Event log views enable you to create customized views of events across any event log stored on a server, including events in the forwarded event log. Rather than looking through each event log for specific items of interest, you can create event log views that target only those specific items. Event Viewer includes a custom view named Administrative Events. This view displays critical, warning, and error events from a variety of important event logs such as the application, security and system logs.
Views differ from filters in the following ways:
- Persistent You can use a view across multiple Event Viewer sessions. If you configure a filter on a log, it is not available the next time you open the Event Viewer.
- Include multiple logs A custom view can display events from separate logs. Filters are limited to displaying events from one log.
- Exportable You can import and export event log views between computers.
Creating an event log view is a similar process to creating a filter. The primary difference is that you can select events from multiple logs and you give the event log view a name and choose a place to save it. To create an event log view, perform the following steps:
1. Open Event Viewer.
2. Click the Custom Views node and then click Create Custom View from the Actions menu.
3. In the Create Custom View dialog box, shown in Figure 10-11, select the properties of the view, including:
   - When the events are logged
   - The event level
   - Which event log to draw events from
   - Event source
   - Task category
   - Keywords
   - User
   - Computer
Figure 10-11 Creating a custom view
4. In the Save Filter To Custom View dialog box, enter a name for the custom view and a location in which to save the view (see Figure 10-12). Click OK.
Figure 10-12 Entering the custom view name
5. Verify that the new view is listed as its own separate node in the Event Viewer.
You can export a custom event log view by selecting the event log view and clicking Export Custom View. Exported views can be imported on other computers running Windows Server 2012.
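The query language that both the Filter Current Log dialog box and a custom view are built on, shown here as an added example rather than text from the book: a single QueryList that applies the Logged, Event Level, Keywords, and excluded Event ID properties from the sections above across several logs at once, run with Get-WinEvent and wevtutil. The Filter Current Log and Create Custom View dialog boxes expose this same XML on their XML tab, so the query can be pasted there to produce the persistent view. An elevated session is assumed because the Security log is not readable otherwise.

```powershell
# Added example: the <QueryList> behind a multi-log custom view, run from PowerShell.
# Assumes an elevated session (needed to read the Security log).
$query = @'
<QueryList>
  <Query Id="0" Path="Application">
    <!-- Logged: last 24 hours (timediff is in milliseconds); Event Level: Critical (1), Error (2), Warning (3) -->
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <!-- Keywords: Audit Failure (0x10000000000000) from the Security log -->
    <Select Path="Security">*[System[band(Keywords,4503599627370496) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <!-- "Exclude" in the Event IDs property becomes a Suppress element: drop the noisy DCOM permission warning -->
    <Suppress Path="System">*[System[Provider[@Name='Microsoft-Windows-DistributedCOM'] and EventID=10016]]</Suppress>
  </Query>
</QueryList>
'@

# Run the view and summarise it the way the Event Viewer grid does.
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName |
    Format-Table -AutoSize

# The same query as a file: wevtutil reads structured query files directly, and the file
# contents are what you paste into the XML tab of Create Custom View to make the view persistent.
$query | Set-Content -Path "$env:TEMP\AdminEvents.xml"
wevtutil qe "$env:TEMP\AdminEvents.xml" /sq:true /c:20 /f:text
```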
Event subscriptions
Event log forwarding enables you to centralize the collection and management of events from multiple computers. Rather than having to examine the event log of each computer by making a remote connection to that computer, event log forwarding enables you to do one of the following:
- Configure a central computer to collect specific events from source computers. Use this option in environments in which you need to consolidate events from only a small number of computers.
- Configure source computers to forward specific events to a collector computer. Use this option when you have a large number of computers from which you want to consolidate events. You configure this method using Group Policy.
Event log forwarding enables you to configure the specific events that are forwarded to the central computer. This enables the computer to forward important events. It isn’t necessary to forward all events from the source computer. If you discover something that warrants further investigation from the forwarded traffic, you can log on to the original source computer and view all the events from that computer in a normal manner.
Event log forwarding uses Windows Remote Management (WinRM) and the Windows Event Collector (wecsvc). You need to enable these services on computers that function as event forwarders and event collectors. You configure WinRM using the winrm quickconfig command. You configure wecsvc using the wecutil qc command. If you want to configure subscriptions from the security event log, you need to add the computer account of the collector computer to the local Administrators group on the source computer.
To configure a collector-initiated event subscription, configure WinRM and Windows Event Collector on the source and collector computers. In the Event Viewer, configure the Subscription Properties dialog box, shown in Figure 10-13, with the following information:
- Subscription Name The name of the subscription.
- Destination Log The log where collected events will be stored.
- Subscription Type And Source Computers: Collector Initiated. Use the Select Computers dialog box to add the computers that the collector will retrieve events from. The collector must be a member of the local Administrators group or the Event Log Readers group on each source computer, depending on whether access to the security log is required.
- Events To Collect Create a custom view to specify which events are retrieved from each of the source computers.
Figure 10-13 Configuring a collector-initiated event subscription
If you want to instead configure a source computer-initiated subscription, you need to configure the following group policies on the computers that will act as the event forwarders:
- Configure Forwarder Resource Usage This policy determines the maximum event forwarding rate in events per second. If this policy is not configured, events will be transmitted as soon as they are recorded.
- Configure Target Subscription Manager This policy enables you to set the location of the collector computer.
Both these policies are located in the Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding node. When configuring the subscription, you must also specify the computer groups that hold the computer accounts of the computers that will be forwarding events to the collector. You do this in the Computer Groups dialog box, as shown in Figure 10-14.
Figure 10-14 Configuring subscription computer groups for the subscription
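The collector-initiated subscription from Figure 10-13, set up from the command line with the winrm, wecutil, and net commands the text names. This is an added example, not the book's own procedure; the host names SYD-A (collector) and MEL-A and MEL-B (sources), the CONTOSO domain, and the subscription name are assumptions.

```powershell
# Added example: collector-initiated event subscription built with wecutil.
# Assumptions: SYD-A is the collector, MEL-A/MEL-B are sources, domain is CONTOSO / contoso.com.

# --- On each source computer (MEL-A, MEL-B) ---
winrm quickconfig -q
# Event Log Readers is enough for the Application and System logs; per the text, the
# Security log requires the collector's computer account in local Administrators.
net localgroup "Event Log Readers" 'CONTOSO\SYD-A$' /add
net localgroup "Administrators"    'CONTOSO\SYD-A$' /add    # only because Security events are subscribed below

# --- On the collector (SYD-A) ---
winrm quickconfig -q
wecutil qc /q

# CredentialsType Default means the collector's own computer account is used, which is
# why that account was added to the groups above. ReadExistingEvents=false forwards only
# events logged after the subscription is created.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>MEL-SecurityAndSystem</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical/error System events and audit failures from the Melbourne servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>MEL-A.contoso.com</Address></EventSource>
    <EventSource Enabled="true"><Address>MEL-B.contoso.com</Address></EventSource>
  </EventSources>
</Subscription>
'@
$subscription | Set-Content -Path "$env:TEMP\mel-subscription.xml"
wecutil cs "$env:TEMP\mel-subscription.xml"

# Verify: list subscriptions, then the per-source runtime status (Active, Inactive, or an error).
wecutil es
wecutil gr "MEL-SecurityAndSystem"

# For the source-initiated variant, the Configure Target Subscription Manager policy carries
# this value instead: Server=http://SYD-A.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
```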
Event-driven tasks
Event Viewer enables you to attach tasks to specific events. A drawback of this process is that an example of the event that triggers the task must already be present in the event log. The task is then triggered by any subsequent event that has the same log, source, and event ID.
To attach a task to a specific event, perform the following steps:
1. Open Event Viewer. Locate and select the event upon which you want to base the new task.
2. On the Event Viewer Actions pane, click Attach Task To This Event. The Create Basic Task Wizard displays.
3. On the Create A Basic Task page, review the name of the task that you want to create. By default, the task is named after the event. Click Next.
4. On the When An Event Is Logged page, review the information about the event. This lists the log from which the event originates, the source of the event, and the event ID. Click Next.
5. On the Action page, shown in Figure 10-15, choose the task to perform. The Send An E-Mail and Display A Message tasks are deprecated, and you get an error if you try to create a task using these actions. Click Next.
Figure 10-15 Attaching a task to a specific event
6. On the Start A Program page, shown in Figure 10-16, specify the program or script that should be automatically triggered as well as additional arguments.
Figure 10-16 Specifying a triggered script
After you complete task creation, you can modify the task to specify the security context under which the task executes. By default, event tasks run only when the user is signed on. You can configure the task to run whether the user is signed on or not, as shown in Figure 10-17.
Figure 10-17 Run your task if the user is logged on or off
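An event-driven task created with schtasks.exe rather than the Attach Task To This Event wizard, as an added example that is not part of the book. The trigger is the same log, source, and event ID match the text describes, written as an XPath query, and because schtasks takes the query directly, no copy of the event needs to exist in the log first. The script path C:\Ops\Notify-AuditCleared.ps1 is an assumption; event 1102 from the Microsoft-Windows-Eventlog provider in the Security log is the audit log cleared event.

```powershell
# Added example: event-driven task via schtasks /SC ONEVENT.
# Assumption: C:\Ops\Notify-AuditCleared.ps1 is the response script you want to run.

# Log (/EC), source and event ID expressed as the XPath the wizard would generate.
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and EventID=1102]]"

schtasks /Create /TN "\Ops\AuditLogCleared" `
    /SC ONEVENT /EC Security /MO $xpath `
    /TR "powershell.exe -NonInteractive -File C:\Ops\Notify-AuditCleared.ps1" `
    /RU SYSTEM /F
# /RU SYSTEM runs the task whether or not anyone is signed on (Figure 10-17) and gives it
# read access to the Security log. Because it runs as SYSTEM, C:\Ops must be writable only
# by administrators; otherwise anyone who can replace the script gets SYSTEM code execution.
# /F overwrites an existing task of the same name.

# Review the resulting trigger query and security context.
schtasks /Query /TN "\Ops\AuditLogCleared" /XML
```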
Network monitoring
Network monitoring enables you to track how a computer interacts with the network. Through network monitoring, you can determine which services and applications are using specific network interfaces, which services are listening on specific ports, and the volume of traffic that exists. There are two primary tools through which you can perform network monitoring on computers running Windows Server 2012:
- Resource Monitor
- Message Analyzer
Resource Monitor
Resource Monitor enables you to monitor how a computer running the Windows Server 2012 operating system uses CPU, memory, disk, and network resources. Resource Monitor provides real time information. You can’t use Resource Monitor to perform a traffic capture and review activity that occurred in the past. You can use Resource Monitor to view activity that is currently occurring. The Network tab of Resource Monitor is shown in Figure 10-18.
Figure 10-18 Resource Monitor Network tab
Resource Monitor provides the following information that is relevant to network monitoring:
- Processes With Network Activity This view lists processes by name and ID, and provides information on bits sent per second, bits received per second, and total bits per second.
- Network Activity Lists network activity on a per-process basis, but also lists the destination address, sent bits per second, received bits per second, and total bits per second.
- TCP Connections Provides information on connections on the basis of local address, port, and remote address and port.
- Listening Ports Lists the ports and addresses that services and applications are listening on. Also provides information about the firewall status for these roles and services.
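The information in the Listening Ports view, produced from the NetTCPIP and NetSecurity cmdlets that ship with Windows Server 2012, as an added example that is not from the book: each listening TCP port, the process that owns it, and whether an enabled inbound Allow rule in Windows Firewall covers that port. This is the check that answers the second review question below without the Resource Monitor GUI. Nothing is assumed beyond those cmdlets; run it elevated for complete process information.

```powershell
# Added example: listening ports joined to owning process and inbound firewall Allow rules.

function Test-PortInRule {
    # $LocalPort from a port filter is "Any", a port, a range such as "5985-5986", or an array of these
    param([int]$Port, $LocalPort)
    foreach ($entry in @($LocalPort)) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$matches[1] -and $Port -le [int]$matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

# Enabled inbound Allow rules for TCP, with their port filters resolved once.
# Note: address, program and service filters are not evaluated here, and Block
# rules (which take precedence over Allow) are not considered.
$allowRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        if ($filter.Protocol -in 'TCP', 'Any') {
            [pscustomobject]@{ Name = $_.DisplayName; LocalPort = $filter.LocalPort; Profile = $_.Profile }
        }
    }

function Get-ListeningPortReport {
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort | ForEach-Object {
        $conn  = $_
        $proc  = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $rules = $allowRules | Where-Object { Test-PortInRule -Port $conn.LocalPort -LocalPort $_.LocalPort }
        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress      # 127.0.0.1 / ::1 listeners are not reachable from the network
            Port         = $conn.LocalPort
            PID          = $conn.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '(access denied)' }
            Firewall     = if ($rules) { 'Allowed by: ' + (($rules.Name | Select-Object -Unique) -join ', ') }
                           else { 'No inbound allow rule' }
        }
    }
}

Get-ListeningPortReport | Format-Table -AutoSize
```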
Message Analyzer
Microsoft Message Analyzer is the successor to Network Monitor. You can use Message Analyzer to perform network traffic capture and analysis. Message Analyzer also functions as a replacement for LogParser, which enables you to manage system messages, events, and log files. When performing a capture, you select the scenario that best represents the type of traffic you are interested in capturing. For example, the LAN scenario, shown in Figure 10-19, enables you to capture traffic on local area network (LAN) interfaces.
Figure 10-19 LAN scenario
When performing certain types of network traffic capture, you need to run Message Analyzer using an account that is a member of the local Administrators group. After the capture has been performed, you can analyze the content of each message, as shown in Figure 10-20. By applying appropriate filters, you can locate network traffic that has specific characteristics, such as using a particular TCP port, source, or destination address.
Figure 10-20 Message Analyzer
Lesson summary
- Data collector sets enable you to collect performance counter data, event trace data, and system configuration information.
- Performance counter alerts enable an event to be written to the event log and a command to be run when a specified performance counter exceeds or falls below a configured value.
- Event log filters apply to a single event log and are not persistent.
- Event log views are persistent, can include items from multiple event logs, and can be imported and exported.
- Event subscriptions enable you to configure one computer to consolidate the event logs of multiple computers.
- Event-driven tasks enable you to configure a program or script to be run when a specific event is written to the event log.
- Message Analyzer, which is the successor to Network Monitor, enables you to capture and analyze network traffic.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
1. You want to collect processor, memory, and network interface utilization data over the course of several hours. You need to be able to review the data at a later period in time. Which of the following tools should you use to accomplish this goal?
   - Resource Monitor
   - Task Manager
   - Data collector set
   - Message Analyzer
2. A particular network service on a computer running Windows Server 2012 that you are responsible for managing is not functioning correctly. You suspect that the service is listening on a TCP port that Windows Firewall is configured to block, but you don’t know which TCP port the service uses. Which of the following tools should you use to determine this information?
   - Task Manager
   - Resource Monitor
   - Message Analyzer
   - Data collector set
3. Which of the following tools can you use to capture and analyze network traffic?
   - Data collector set
   - Message Analyzer
   - Resource Monitor
   - Task Manager
4. You are configuring event log subscriptions. Computer SYD-A will function as the event log collector, and computers MEL-A, MEL-B, and MEL-C will function as the event log sources. You want SYD-A to collect events from the security logs on computers MEL-A, MEL-B, and MEL-C. To which of the following security groups on MEL-A, MEL-B, and MEL-C should you add the computer account of SYD-A?
   - Backup Operators
   - Power Users
   - Event Log Readers
   - Administrators