Additional Configuration for the IIS Management Pack

Modifying Settings for Collecting Service Discovery Data

Service discovery is the process of discovering roles, components, and relationships for managed computers. Each Management Pack collects service discovery data that is specific to the technology that the Management Pack supports.

Service discovery frequency

Many features of a Management Pack are not available until after service discovery data is collected for the first time. For example, features that require identifying roles, computer groups, and even target computers for specific tasks require service discovery data.

The default service discovery frequency for IIS is every seven days, starting with the day the Management Pack is imported. Therefore, service discovery data might not appear in the Microsoft Operations Manager (MOM) Operator console until up to seven days after the Management Pack is deployed. Additionally, the reporting component of MOM relies on a nightly Data Transformation Services (DTS) job to transfer data from the MOM database. Therefore, service discovery data will not be available for IIS reports until after the IIS Service Discovery script runs and the nightly DTS job runs.

The following reports depend on service discovery data:

  • All IIS Servers

  • All IIS Server Application Pools

  • Application Pool Status

  • Internet Information Server Details

The IIS Service Discovery script is run from the following event rule: Microsoft Windows Internet Information Services\Internet Information Services <version>\State Monitoring and Service Discovery\Event Rules\IIS Service Discovery

Collecting service discovery data on demand

You can manually initiate service discovery by running the Run IIS Service Discovery task from the MOM Operator console.

Collecting additional service discovery data

By default, the IIS Management Pack collects the following types of attributes:

  • IIS Web service extensions

  • IIS Web site attributes

  • IIS server bindings

  • IIS Secure bindings

  • IIS FTP site attributes

  • IIS SMTP virtual server attributes

  • IIS NNTP virtual server attributes

In addition to these attributes, you can configure the IIS Management Pack to also collect IIS script maps, including the following:

  • Extensions

  • Application

  • Extended Information

  • Verbs

However, collecting script maps can dramatically increase the volume of data that is collected and increase the performance load on the server while the IIS Service Discovery script runs.

Do not collect script maps on computers under the following conditions:

  • IIS servers host more than 75 Web sites.

  • CPU usage is within unhealthy ranges when the IIS Service Discovery script runs.

  • The IIS Service Discovery script does not complete within a reasonable amount of time. Typically the script completes in less than five minutes.

  • Your organization relies on reports that require the more verbose attribute collection setting to be enabled. For information about report dependencies, see “Setting Up Reporting” later in this guide.

If needed, you can configure overrides to change the attributes that are collected for specific computers or computer groups.

To configure the IIS Service Discovery script to collect IIS script maps
  1. In the MOM Administrator console, navigate to the following rule group: Microsoft Windows Internet Information Services\Internet Information Services <version>\State Monitoring and Service Discovery\Event Rules. Be sure to change this setting for both IIS 5.0 and IIS 6.0.

  2. Right-click the IIS Service Discovery rule, and click Properties.

  3. On the Responses tab, select the IIS Service Discovery script, and click Edit.

  4. In the Launch a Script dialog box, click Edit.

  5. In the Script Properties dialog box, click the Parameters tab.

  6. Select the CollectScriptMaps parameter, and click Edit.

  7. Changed the value, as desired:

    • False — collects limited service discovery data.

    • True — collects verbose service discovery data.

  8. Click OK.

Committing configuration changes

After making configuration changes to the Management Pack, you can deploy the changes to managed computers immediately by committing the configuration changes manually. Otherwise, changes are deployed to managed computers after the rule change polling interval (five minutes by default) and the agent configuration interval (one minute by default).

To commit configuration changes
  1. In the MOM Administrator console, navigate to the Management Packs.

  2. Right-click Management Packs, and click Commit Configuration Change.

Adjusting IIS Log File Sizes to Optimize Service Discovery

If IIS logs increase in size to 2 GB, the IIS Management Pack might fail. By default, IIS logging is configured to start a new log once a day. If IIS logs reach 2 GB or more within a day, configure each of the IIS logs to start a new log based on size, instead of frequency.

To configure IIS to start new logs based on size

  1. In IIS Manager, double-click the local computer.

  2. Double-click the Web Sites or FTP Sites folder, right-click the Web site or FTP site for which you want to enable logging, and then click Properties. Or, right-click the name of the SMTP site or the NNTP site, and click Properties.

  3. On the Web Site, FTP Site or General tab (depending on which type of site you are configuring), select the Enable logging check box.

  4. In the Active log format box, select W3C Extended Log File Format, and click Properties.

  5. Click the General tab.

  6. In the New log schedule box, select When file size reaches, and change the value to approximately 2,000 MB or less.

  7. Click Apply.

Excluding Web pages with "Access Denied" errors from the IP Deny list

To exclude Web pages that experience high volumes of 401 “Access Denied” errors from the IP Deny list

  1. In the MOM Administrator console, navigate to the following rule group: Microsoft Windows Internet Information Services\Internet Information Services <version>\Core Services \World Wide Web Publishing Service\Event Rules.

  2. In the Details pane, right-click Security: Error 401: “Access Denied” Error — Alert, and click Properties.

  3. On the Criteria tab, click Advanced.

  4. Under Define more criteria, set the following criteria and then click Add to List:

    Field = Parameter 21

    Condition = doesn’t match regular expression

    Value = .*(/ReportService.asmx| yourURL ).*, where yourURL is the URL for the Web page that you want to exclude. Use the pipe character to separate Web pages. Enclose the list of Web pages in parentheses. Insert a period and asterisk (.*) both before the parenthesis and after the parenthesis.

  5. Click Close, Apply, and then OK.

Note

By default, this feature excludes the Web page that is used by the MOM 2005 Reporting Server. When you exclude additional Web pages, you must delete the existing exclusion string and then create a new exclusion string. This procedure includes re-creating the exclusion for the Web page that is used by the MOM 2005 Reporting Server.

Customizing Rules that Generate Events Based on Repeat Counts

Several rules in the IIS Management Pack generate alerts only when IIS generates a single type of event repeatedly, according to the repeat count that is specified in the rule. You can adjust the repeat count of these rules for your business requirements. These rules are also associated with a Consolidation rule of a similar name that defines the time threshold that the repeated events must occur within. The time threshold can also be modified.

The following two tables list the rules that generate alerts based on repeat counts. These tables lists the default repeat counts and consolidation time-thresholds, if applicable. Each table lists rules within a different rule group:

  • World Wide Web Publishing Service

  • FTP Publishing Service — The rules listed in the table are disabled, by default.

Table  SEQ Table \* ARABIC 1   Repeat Count Rules within the World Wide Web Publishing Service Rule Group

Rule

Repeat count

Consolidation rule time-threshold

Security: Error 401: “Access Denied” Error — Alert

More than 100

Within 120 seconds

Security: Error 403: “Forbidden” Error — Alert

More than 100

Within 120 seconds

Error 404: A client received a “Page Not Found” error

More than 200

Within 120 seconds

Error 405: A client received a “Method Not Allowed” error

More than 50

Within 120 seconds

Security: 414 — A client received a “Request-URL Too Long” error

More than 20

Within 120 seconds

Error 500: “Internal Server Error” — Alert

More than 50

Within 120 seconds

Table  SEQ Table \* ARABIC 2   Repeat Count Rules within the FTP Publishing Service Rule Group

Rule

Repeat count

Consolidation rule time-threshold

A client requested a file which cannot be found on the FTP site

More than 50

Within 120 seconds

Security: A client is attempting to access your FTP site with a disabled account — Alert

At least 20

Within 120 seconds

Security: A client is attempting to access your FTP site with an account that is locked out — Alert

At least 20

Within 120 seconds

Security: A client is attempting to access your FTP site with an expired account — Alert

At least 20

Within 120 seconds

Security: A client is attempting to access your FTP site with an expired password — Alert

At least 20

Within 120 seconds

Security: A client is attempting to access your FTP site with an unknown user name or password — Alert

At least 20

Within 120 seconds

To modify the repeat count and time threshold values:

  1. In the MOM Administrator console, navigate to the desired rule group.

  2. To modify the repeat count, select the applicable rule and then click Properties.

  3. On the Criteria tab, click Advanced.

  4. Select the Repeat Count field and click Remove.

  5. Under Define more criteria, set the following criteria and then click Add to List:

    Field = Repeat Count

    Condition = is more than (or is at least, depending on the rule)

    Value = enter the custom value

  6. Click Close, Apply, and then OK.

  7. To modify the time threshold, select the corresponding consolidation rule and then click Properties.

  8. On the Consolidation tab, change the value in the Events must occur within box.

  9. Click Apply and then click OK.

Show: