Windows Event Collector Discovery Management Pack

This is a management pack I wrote for the SCOM security MP. If you have Windows Event Collectors set up in your network, this will discover them and populate a class for you to monitor them. It is worth noting that it discovers the running service. That service is disabled by default, so I'm assuming that if it is enabled you are using it. It does not submit blank discovery data if the service is stopped. The main reason for that is that, whether by accident or intentionally, someone could stop that service and you would lose visibility into it. There are no health monitors targeted at it in this MP (those will be in the security MP).

I would note that any monitor or rule targeted at this class will likely need some manual XML editing. I have details of the specific issue in this blog article.

There isn't much to the discovery: it's a PowerShell script set to run once a day that looks at the wecsvc service and checks whether it is started. If it is started, the script populates the class.
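The following is an added example of what such a discovery script looks like; it is not the script from the sealed MP. It uses the standard MOM.ScriptAPI discovery calls, and the class ID `Example.WindowsEventCollector.Class` is a placeholder for whatever class the MP actually defines.

```powershell
# Added example of a SCOM PowerShell discovery for the wecsvc service.
# SourceId, ManagedEntityId and ComputerName are the standard parameters
# SCOM passes to a discovery script from the workflow's $MPElement$/$Target$ values.
param(
    [string]$SourceId,
    [string]$ManagedEntityId,
    [string]$ComputerName
)

$api = New-Object -ComObject 'MOM.ScriptAPI'

# Look up the Windows Event Collector service. -ErrorAction keeps the script
# from throwing on hosts where the service does not exist at all.
$svc = Get-Service -Name 'wecsvc' -ErrorAction SilentlyContinue

if ($null -ne $svc -and $svc.Status -eq 'Running') {
    $discoveryData = $api.CreateDiscoveryData(0, $SourceId, $ManagedEntityId)

    # Placeholder class ID; replace with the MP's real class identifier.
    $instance = $discoveryData.CreateClassInstance("`$MPElement[Name='Example.WindowsEventCollector.Class']`$")

    # Host the instance on the Windows Computer so monitors can target it.
    $instance.AddProperty("`$MPElement[Name='Windows!Microsoft.Windows.Computer']/PrincipalName`$", $ComputerName)
    $discoveryData.AddInstance($instance)

    # Emitting the discovery data object is what populates the class.
    $discoveryData
}
else {
    # Deliberately return nothing rather than an empty discovery data packet.
    # An empty packet would cause SCOM to undiscover the instance, and a
    # stopped collector (accidental or otherwise) would silently drop out of
    # monitoring. Returning nothing leaves the existing instance in place.
    $api.LogScriptEvent('WecDiscovery.ps1', 100, 0,
        "wecsvc not running on $ComputerName; discovery data not submitted.")
}
```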

You can find a downloadable copy of the sealed version here.
