Additional Configuration for the IIS Management Pack

Modifying Settings for Collecting Service Discovery Data

Service discovery is the process of discovering roles, components, and relationships for managed computers. Each Management Pack collects service discovery data that is specific to the technology that the Management Pack supports.

Service discovery frequency

Many features of a Management Pack are not available until after service discovery data is collected for the first time. For example, features that require identifying roles, computer groups, and even target computers for specific tasks require service discovery data.

The default service discovery frequency for IIS is every seven days, starting with the day the Management Pack is imported. Therefore, service discovery data might not appear in the Microsoft Operations Manager (MOM) Operator console until up to seven days after the Management Pack is deployed. Additionally, the reporting component of MOM relies on a nightly Data Transformation Services (DTS) job to transfer data from the MOM database. Therefore, service discovery data will not be available for IIS reports until after the IIS Service Discovery script runs and the nightly DTS job runs.

The following reports depend on service discovery data:

  • All IIS Servers

  • All IIS Server Application Pools

  • Application Pool Status

  • Internet Information Server Details

The IIS Service Discovery script is run from the following event rule: Microsoft Windows Internet Information Services\Internet Information Services <version>\State Monitoring and Service Discovery\Event Rules\IIS Service Discovery

Collecting service discovery data on demand

You can manually initiate service discovery by running the Run IIS Service Discovery task from the MOM Operator console.

Collecting additional service discovery data

By default, the IIS Management Pack collects the following types of attributes:

  • IIS Web service extensions

  • IIS Web site attributes

  • IIS server bindings

  • IIS Secure bindings

  • IIS FTP site attributes

  • IIS SMTP virtual server attributes

  • IIS NNTP virtual server attributes

In addition to these attributes, you can configure the IIS Management Pack to also collect IIS script maps, including the following:

  • Extensions

  • Application

  • Extended Information

  • Verbs

However, collecting script maps can dramatically increase the volume of data that is collected and increase the performance load on the server while the IIS Service Discovery script runs.

Do not collect script maps on computers under the following conditions:

  • IIS servers host more than 75 Web sites.

  • CPU usage is within unhealthy ranges when the IIS Service Discovery script runs.

  • The IIS Service Discovery script does not complete within a reasonable amount of time. Typically the script completes in less than five minutes.

  • Your organization relies on reports that require the more verbose attribute collection setting to be enabled. For information about report dependencies, see “Setting Up Reporting” later in this guide.

If needed, you can configure overrides to change the attributes that are collected for specific computers or computer groups.

To configure the IIS Service Discovery script to collect IIS script maps
  1. In the MOM Administrator console, navigate to the following rule group: Microsoft Windows Internet Information Services\Internet Information Services <version>\State Monitoring and Service Discovery\Event Rules. Be sure to change this setting for both IIS 5.0 and IIS 6.0.

  2. Right-click the IIS Service Discovery rule, and click Properties.

  3. On the Responses tab, select the IIS Service Discovery script, and click Edit.

  4. In the Launch a Script dialog box, click Edit.

  5. In the Script Properties dialog box, click the Parameters tab.

  6. Select the CollectScriptMaps parameter, and click Edit.

  7. Change the value, as desired:

    • False — collects limited service discovery data.

    • True — collects verbose service discovery data.

  8. Click OK.

Committing configuration changes

After making configuration changes to the Management Pack, you can deploy the changes to managed computers immediately by committing the configuration changes manually. Otherwise, changes are deployed to managed computers after the rule change polling interval (five minutes by default) and the agent configuration interval (one minute by default).

To commit configuration changes
  1. In the MOM Administrator console, navigate to the Management Packs.

  2. Right-click Management Packs, and click Commit Configuration Change.

Adjusting IIS Log File Sizes to Optimize Service Discovery

If IIS logs increase in size to 2 GB, the IIS Management Pack might fail. By default, IIS logging is configured to start a new log once a day. If IIS logs reach 2 GB or more within a day, configure each of the IIS logs to start a new log based on size, instead of frequency.

To configure IIS to start new logs based on size

  1. In IIS Manager, double-click the local computer.

  2. Double-click the Web Sites or FTP Sites folder, right-click the Web site or FTP site for which you want to enable logging, and then click Properties. Or, right-click the name of the SMTP site or the NNTP site, and click Properties.

  3. On the Web Site, FTP Site or General tab (depending on which type of site you are configuring), select the Enable logging check box.

  4. In the Active log format box, select W3C Extended Log File Format, and click Properties.

  5. Click the General tab.

  6. In the New log schedule box, select When file size reaches, and change the value to approximately 2,000 MB or less.

  7. Click Apply.

Excluding Web pages with "Access Denied" errors from the IP Deny list

To exclude Web pages that experience high volumes of 401 “Access Denied” errors from the IP Deny list

  1. In the MOM Administrator console, navigate to the following rule group: Microsoft Windows Internet Information Services\Internet Information Services <version>\Core Services\World Wide Web Publishing Service\Event Rules.

  2. In the Details pane, right-click Security: Error 401: “Access Denied” Error — Alert, and click Properties.

  3. On the Criteria tab, click Advanced.

  4. Under Define more criteria, set the following criteria and then click Add to List:

    Field = Parameter 21

    Condition = doesn’t match regular expression

    Value = .*(/ReportService.asmx|yourURL).*, where yourURL is the URL for the Web page that you want to exclude. Use the pipe character to separate Web pages. Enclose the list of Web pages in parentheses. Insert a period and asterisk (.*) both before the parenthesis and after the parenthesis.

  5. Click Close, Apply, and then OK.

Note

By default, this feature excludes the Web page that is used by the MOM 2005 Reporting Server. When you exclude additional Web pages, you must delete the existing exclusion string and then create a new exclusion string. This procedure includes re-creating the exclusion for the Web page that is used by the MOM 2005 Reporting Server.
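
A check you can run on an exclusion string before entering it in the rule (an added example, not part of the Management Pack). It uses Python's re module as a stand-in for MOM's regular-expression engine, which may differ in dialect, and assumes that Parameter 21 holds the requested URL. The page /portal/health.aspx and all sample URLs are constructed.

```python
import re

# Constructed sample values for Parameter 21 (assumed here to hold the requested URL).
SAMPLES = [
    "/ReportServer/ReportService.asmx",
    "/portal/health.aspx",
    "/app/login.aspx",
    "/ReportServiceXasmx",
]

def build_exclusion(pages):
    """Build the '.*(page1|page2).*' value from a list of page paths."""
    cleaned = [p.strip() for p in pages if p.strip()]  # no blanks, no stray spaces
    if not cleaned:
        raise ValueError("an empty exclusion list would match every URL")
    # Escape metacharacters so '.' in 'ReportService.asmx' matches only a dot.
    return ".*(" + "|".join(re.escape(p) for p in cleaned) + ").*"

def suppressed(pattern, urls):
    """Return the URLs that match, i.e. whose 401 events the
    'doesn't match regular expression' criterion removes from the alert."""
    return [u for u in urls if re.fullmatch(pattern, u)]

if __name__ == "__main__":
    candidates = {
        "built": build_exclusion(["/ReportService.asmx", " /portal/health.aspx "]),
        "stray spaces": ".*(/ReportService.asmx| /portal/health.aspx ).*",
        "trailing pipe": ".*(/ReportService.asmx|).*",
    }
    for name, pattern in candidates.items():
        print(f"{name:14} {pattern}")
        for url in SAMPLES:
            state = "excluded" if url in suppressed(pattern, SAMPLES) else "alerts"
            print(f"    {state:9} {url}")
```

A string with an empty alternative (the trailing pipe) excludes every URL and therefore silences the 401 alert entirely, while stray spaces leave the intended page un-excluded.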

Customizing Rules that Generate Events Based on Repeat Counts

Several rules in the IIS Management Pack generate alerts only when IIS generates a single type of event repeatedly, according to the repeat count that is specified in the rule. You can adjust the repeat count of these rules for your business requirements. These rules are also associated with a Consolidation rule of a similar name that defines the time threshold that the repeated events must occur within. The time threshold can also be modified.

The following two tables list the rules that generate alerts based on repeat counts. These tables list the default repeat counts and consolidation time thresholds, if applicable. Each table lists rules within a different rule group:

  • World Wide Web Publishing Service

  • FTP Publishing Service — The rules listed in the table are disabled, by default.

Table 1   Repeat Count Rules within the World Wide Web Publishing Service Rule Group

| Rule | Repeat count | Consolidation rule time-threshold |
| --- | --- | --- |
| Security: Error 401: “Access Denied” Error — Alert | More than 100 | Within 120 seconds |
| Security: Error 403: “Forbidden” Error — Alert | More than 100 | Within 120 seconds |
| Error 404: A client received a “Page Not Found” error | More than 200 | Within 120 seconds |
| Error 405: A client received a “Method Not Allowed” error | More than 50 | Within 120 seconds |
| Security: 414 — A client received a “Request-URL Too Long” error | More than 20 | Within 120 seconds |
| Error 500: “Internal Server Error” — Alert | More than 50 | Within 120 seconds |

Table 2   Repeat Count Rules within the FTP Publishing Service Rule Group

| Rule | Repeat count | Consolidation rule time-threshold |
| --- | --- | --- |
| A client requested a file which cannot be found on the FTP site | More than 50 | Within 120 seconds |
| Security: A client is attempting to access your FTP site with a disabled account — Alert | At least 20 | Within 120 seconds |
| Security: A client is attempting to access your FTP site with an account that is locked out — Alert | At least 20 | Within 120 seconds |
| Security: A client is attempting to access your FTP site with an expired account — Alert | At least 20 | Within 120 seconds |
| Security: A client is attempting to access your FTP site with an expired password — Alert | At least 20 | Within 120 seconds |
| Security: A client is attempting to access your FTP site with an unknown user name or password — Alert | At least 20 | Within 120 seconds |

To modify the repeat count and time threshold values:

  1. In the MOM Administrator console, navigate to the desired rule group.

  2. To modify the repeat count, select the applicable rule and then click Properties.

  3. On the Criteria tab, click Advanced.

  4. Select the Repeat Count field and click Remove.

  5. Under Define more criteria, set the following criteria and then click Add to List:

    Field = Repeat Count

    Condition = is more than (or is at least, depending on the rule)

    Value = enter the custom value

  6. Click Close, Apply, and then OK.

  7. To modify the time threshold, select the corresponding consolidation rule and then click Properties.

  8. On the Consolidation tab, change the value in the Events must occur within box.

  9. Click Apply and then click OK.
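
Before changing a repeat count or time threshold, you can replay your own IIS logs against a candidate value to see whether it would have raised an alert. The following is an added example, not code from the Management Pack: it models the repeat count and consolidation window as a simple sliding window, which is an assumption about how MOM evaluates them, and it runs on a constructed W3C Extended log.

```python
from collections import deque
from datetime import datetime, timedelta

FIELDS = "#Fields: date time c-ip cs-method cs-uri-stem sc-status"

def make_log(start, count, spacing_s, status):
    """Constructed sample: `count` requests, `spacing_s` seconds apart."""
    lines = ["#Software: constructed sample", FIELDS]
    for i in range(count):
        ts = start + timedelta(seconds=i * spacing_s)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 192.0.2.10 GET /app/login.aspx {status}")
    return lines

def parse_w3c(lines):
    """Yield (timestamp, status) using the column order given by #Fields."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            yield ts, int(rec["sc-status"])

def first_alert(events, status, repeat, window_s=120, at_least=False):
    """Time of the first event that satisfies the repeat count inside the window, or None."""
    needed = repeat if at_least else repeat + 1  # "is at least" vs "is more than"
    recent = deque()
    for ts, code in events:
        if code != status:
            continue
        recent.append(ts)
        # Drop events that fall outside the consolidation time threshold.
        while (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) >= needed:
            return ts
    return None

if __name__ == "__main__":
    start = datetime(2005, 1, 1, 12, 0, 0)
    # Default 401 rule: more than 100 within 120 seconds.
    print(first_alert(parse_w3c(make_log(start, 101, 1, 401)), 401, 100))
    # Same rule, one request every 2 seconds: at most 61 per window, so no alert.
    print(first_alert(parse_w3c(make_log(start, 200, 2, 401)), 401, 100))
```

The second run shows that 200 errors spread over about 400 seconds never reach the default 401 threshold, which is the kind of result that tells you whether the repeat count or the window needs adjusting for your traffic.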