Monitoring IIS 6.0 Metabase Changes with MOM 2005
If you’d like to track configuration changes to IIS through Microsoft Operations Manager (MOM) 2005, then the steps in this FAQ will enable you to do so.

This FAQ relies on enabling IIS Metabase Auditing first, so that changes to IIS metabase are logged to the Windows Event Log, where they can be picked up by a MOM rule. To enable IIS metabase auditing, follow the steps in this FAQ first. After enabling metabase auditing open the MOM 2005 Administrator Console to configure an alerting rule. You’ll need to decide whether to add the rule to your own management pack, or an existing rule group.

Begin by creating a new Event Rule that will "Alert on or Respond to Event (Event)" and click "Next"

Then select the "Security" provider (this allows you to monitor events in the Windows Security Event Log), and click "Next"

Then enter details to match the relevant event you wish to alert on. For a successful change to the IIS metabase, you want to enter the following as criteria:

• Source: IIS-Metabase
• Event ID: 4505
• Type: Success Audit
• Additional Criteria: Description doesn’t contain substring "Property Name: -"

To add the Additional criteria above click the "Advanced" button and enter in the additional criteria. Click "Next"

Note: Event 4505 indicates updates to existing keys in the Metabase. If you wish to audit other events, a table at the of this FAQ lists other Event IDs raised by the metabase.

Then decide at what times you wish to process data. For most situations you'll want to leave the default, and have the event processed at all times. Click "Next"

Decide what level of alert you wish to generate when the metabase is updated. This will vary on your situation. For example, for production servers, you may wish to raise a higher severity alert if a change is made to IIS, than for non-critical or non-production servers. Click "Next"

The next three dialogues allow you to choose whether to suppress duplicate events, whether to have MOM automatically run a predetermined command in response to the alert and whether to present the MOM operator with predefined information when this alert is raised (e.g. troubleshooting information). You will need to fill this information out according to your organisation's needs.

On the final dialogue, give the new rule a name such as "IIS Metabase Successful Update" and click "Finish". Lastly commit the updated rules, but right-clicking on the Management Pack node in the Administrator console and choosing to commit changes.

When changes are made to IIS metabase, your MOM Event Rule will now pick the relevant data up from the Windows Event Log, and raise an alert in the MOM Operator Console (click image for full sized view):

The Properties of the alert contains lots of useful information including:

• What metabase node was changed
• What the old and new values where
• Which user account was used to make the changes
• What application/process made the change

The next three dialogues allow you to suppress duplicate alerts,

For a full list of events that are raised by the metabase (Events 4500 through 4512) the following table can be helpful:

Back to FAQ Listing