
Monitoring IIS 6.0 Metabase Changes with MOM 2005
If you’d like to track configuration changes to IIS through Microsoft Operations Manager (MOM) 2005, then the steps in this FAQ will enable you to do so.

This FAQ relies on enabling IIS Metabase Auditing first, so that changes to the IIS metabase are logged to the Windows Event Log, where they can be picked up by a MOM rule. To enable IIS metabase auditing, follow the steps in this FAQ first. After enabling metabase auditing, open the MOM 2005 Administrator Console to configure an alerting rule. You’ll need to decide whether to add the rule to your own management pack or to an existing rule group.

Begin by creating a new Event Rule that will "Alert on or Respond to Event (Event)" and click "Next".

[Image: Create an Event Alert Rule]

Then select the "Security" provider (this allows you to monitor events in the Windows Security Event Log), and click "Next".

[Image: Select the Security Provider]

Then enter details to match the relevant event you wish to alert on. For a successful change to the IIS metabase, you want to enter the following as criteria:

  • Source: IIS-Metabase
  • Event ID: 4505
  • Type: Success Audit
  • Additional Criteria: Description doesn’t contain substring "Property Name: -"

To add the Additional Criteria above, click the "Advanced" button and enter the additional criteria. Click "Next".

Note: Event 4505 indicates updates to existing keys in the Metabase. If you wish to audit other events, a table at the end of this FAQ lists other Event IDs raised by the metabase.

[Image: Enter your rule criteria]

Then decide at what times you wish to process data. For most situations you'll want to leave the default, and have the event processed at all times. Click "Next".

Decide what level of alert you wish to generate when the metabase is updated. This will vary depending on your situation. For example, for production servers, you may wish to raise a higher severity alert when a change is made to IIS than for non-critical or non-production servers. Click "Next".

[Image: Select alert severity level]

The next three dialogues allow you to choose whether to suppress duplicate events, whether to have MOM automatically run a predetermined command in response to the alert and whether to present the MOM operator with predefined information when this alert is raised (e.g. troubleshooting information). You will need to fill this information out according to your organisation's needs.

On the final dialogue, give the new rule a name such as "IIS Metabase Successful Update" and click "Finish". Lastly, commit the updated rules by right-clicking on the Management Pack node in the Administrator console and choosing to commit changes.

When changes are made to the IIS metabase, your MOM Event Rule will now pick the relevant data up from the Windows Event Log, and raise an alert in the MOM Operator Console:

[Image: MOM Operator Console]

The Properties of the alert contain lots of useful information including:

  • What metabase node was changed
  • What the old and new values were
  • Which user account was used to make the changes
  • What application/process made the change
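
Before relying on the MOM alert, it helps to confirm on the IIS server itself that metabase auditing is writing events and to see how many of them the rule criteria above would match. The following is an added example, not part of the original FAQ; it assumes Windows PowerShell 2.0 or later is installed on the server and that the account running it can read the Security log, and `$Hours` is a hypothetical look-back window.

```powershell
# Added example: preview what the MOM rule would match in the local Security log.
# Assumptions: Windows PowerShell 2.0+, rights to read the Security log.
$Hours = 24   # hypothetical look-back window, adjust as needed

# All events written by the metabase auditing source in the window.
# @() forces an array so .Count works even with zero or one result.
$events = @(Get-EventLog -LogName Security -Source 'IIS-Metabase' `
        -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No IIS-Metabase events in the last $Hours hours. Check that metabase auditing is enabled."
    return
}

# Volume per event ID and audit type, to see which of events 4500-4512 occur.
$events | Group-Object EventID, EntryType | Sort-Object Name |
    Format-Table Count, Name -AutoSize

# The same four criteria entered in the MOM rule:
# source (already filtered above), event ID, type, and the description exclusion.
# Note that -like / -notlike compare case-insensitively.
$matched = @($events | Where-Object {
    $_.EventID -eq 4505 -and
    $_.EntryType -eq 'SuccessAudit' -and
    $_.Message -notlike '*Property Name: -*'
})

# 4505 events dropped only because of the "Property Name: -" exclusion.
$excluded = @($events | Where-Object {
    $_.EventID -eq 4505 -and
    $_.EntryType -eq 'SuccessAudit' -and
    $_.Message -like '*Property Name: -*'
})

"{0} event(s) would raise the alert; {1} event(s) excluded by the 'Property Name: -' criterion." -f `
    $matched.Count, $excluded.Count

# Show a few matching events in full, as the alert properties would carry them.
$matched | Select-Object TimeGenerated, UserName, Message -First 5 | Format-List
```

If the first count is zero after a known configuration change, the audit setting or the rule criteria need another look before the rule is committed.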


For a full list of events that are raised by the metabase (Events 4500 through 4512) the following table can be helpful:

| Event ID | Event Name | Description |
|----------|------------|-------------|
| 4500 | IISADMIN_AUDIT_ADD_KEY | Shows information about a change to add a metabase key |
| 4501 | IISADMIN_AUDIT_DELETE_KEY | Shows information about a change to delete a metabase key |
| 4502 | IISADMIN_AUDIT_DELETE_CHILD_KEYS | Shows information about a change to delete child keys from a metabase property |
| 4503 | IISADMIN_AUDIT_COPY_KEY | Shows information about a change to copy a metabase key |
| 4504 | IISADMIN_AUDIT_RENAME_KEY | Shows information about a change to rename a metabase key |
| 4505 | IISADMIN_AUDIT_SET_DATA | Shows information about a change to add or change data in a metabase property |
| 4506 | IISADMIN_AUDIT_DELETE_DATA | Shows information about a change to delete data from a metabase property |
| 4507 | IISADMIN_AUDIT_DELETE_ALL_DATA | Shows information about a change to delete all data from the metabase properties |
| 4508 | IISADMIN_AUDIT_COPY_DATA | Shows information about a change to copy data from the metabase properties |
| 4509 | IISADMIN_AUDIT_SET_LAST_CHANGETIME | Shows the last time a change was made to the metabase |
| 4510 | IISADMIN_AUDIT_RESTORE | Shows information about a change to restore the metabase |
| 4511 | IIADMIN_AUDIT_DELETE_BACKUP | Shows information about a change to delete the metabase backup |
| 4512 | IISADMIN_AUDIT_IMPORT | Shows information about a change to import data into the metabase |
