Working with monitors
Monitors are used to determine the health state of an application feature and are an integral part of the health model. Generally speaking, monitors are the "intelligence" of Microsoft System Center Operations Manager 2007 (Operations Manager 2007), determining whether your application is healthy.
Monitors are state machines that show a state of healthy (green), warning (yellow), or unhealthy (red). The monitor's state changes in response to the information that it receives.
In the Microsoft Forefront Server Protection Management Pack for Operations Manager 2007, monitors examine the Forefront Protection 2010 for Exchange Server (FPE) product, engine updates, scan jobs, and services. They examine events generated by those processes to determine if alerts should be generated or if the health state should be changed. Some monitors (called performance monitors) retrieve statistics for scan jobs. There are several different kinds of monitors included with the Microsoft Forefront Server Protection Management Pack.
Viewing the Knowledge Base for monitors
All monitors contained in Operations Manager 2007 have a Knowledge Base entry containing a summary or description of the event. This entry explains the event's significance, possible causes, and possible resolutions. For a list of all event codes, see Event ID codes in the Forefront Protection 2010 for Exchange Server Technical Reference.
Knowledge Base entries can be viewed through the Operations Manager 2007 Operations Console.
To view a Knowledge Base entry for a monitor
In the Monitoring space, in the Microsoft Forefront Server Protection 2010 \ Forefront Protection for SharePoint \ State node, double-click in the State column for any server.
In the Health Explorer dialog box, click any health monitor on the left to display its Knowledge Base entry on the right.
Monitor reference
There are several categories of monitors for Forefront Protection 2010 for Exchange Server
Antimalware engine monitors
These are the monitors that keep track of potential problems with antimalware engines.
Display name |
Antimalware Engines Update Enabled Monitor |
Description |
Checks if updating for the antimalware engines is enabled. |
Alert message |
The antimalware engines selected for scanning are disabled for updating. |
Causes |
There are antimalware engines selected for scanning that are not enabled for updating. |
Resolution |
Change the engines selected for updating to match the ones selected for scanning. |
Display name |
Antimalware Engines Update Success Rate |
Description |
Checks the percentage of antimalware engines successfully updated in the last attempt |
Alert message |
Some antimalware engines enabled for updates were not successfully updated at the last attempt |
Causes |
● Network throughput issues. ● Low bandwidth. ● Issues with the server providing definition updates. |
Resolution |
● Ensure that the HTTP proxy server is configured properly. ● Ensure that there are no network issues. ● Ensure that the Universal Naming Convention (UNC) configuration settings are appropriate. |
Display name |
Antimalware Engines Last Update Time Monitor |
Description |
Checks if the antimalware engines enabled for updates have been updated in the last five days. |
Alert message |
Some antimalware engines enabled for updates have not been updated successfully in the last five days. |
Causes |
● Network throughput issues. ● Low bandwidth. ● Issues with Rapid Update Server. ● The antivirus vendor has not provided updates in a week (very unlikely). |
Resolution |
● Ensure that the HTTP proxy server is configured properly. ● Ensure that there are no network issues. ● Ensure that the UNC configuration settings are appropriate. |
Antispam engine monitors
These are the monitors that keep track of potential problems with the antispam engine.
Display name |
Antispam Engines Last Update Time Monitor |
Description |
Checks the last update time of the antispam engines |
Alert message |
The antispam engine has not been updated recently. |
Causes |
|
Resolution |
|
License monitors
These are the monitors that keep track of potential problems with licenses.
Display name |
License State Monitor |
Description |
Checks if the Forefront Server Protection license is about to expire or has expired |
Alert message |
The Forefront Server Protection license is about to expire or has expired. |
Causes |
● A product key has not been entered. ● Your license has expired and a new product key has not been purchased. |
Resolution |
● Enter the product key from the Forefront Server Protection Administrator console or Forefront Management Shell. ● If you do not have a product key, contact your Microsoft sales representative or visit the Pricing and Licensing site. |
Services monitors
These are the monitors that keep track of potential problems with services.
Display name |
FSCController Service State Monitor |
Description |
Checks if the FSCController service is running. |
Alert message |
Microsoft Forefront Server Protection Controller Service is not running. |
Causes |
Not applicable |
Resolution |
Recycle the Exchange services: 1. Stop all Exchange services. Make sure all of the Forefront services are offline. 2. Start Exchange services. Make sure all Forefront services are completely started. |
Display name |
Eventing Service State Monitor |
Description |
Checks if the FSCEventing service is running. |
Alert message |
Microsoft Forefront Server Protection Eventing Service is not running. |
Causes |
Not applicable |
Resolution |
Start the Microsoft Forefront Server Protection Eventing Service. |
Display name |
FSEMailPickup Service State Monitor |
Description |
Checks if the FSEMailPickup service is running. |
Alert message |
Forefront Server Protection Mail Pickup Service is not running. |
Causes |
The cause of this event is uncertain. |
Resolution |
Start the Microsoft Forefront Server Protection Mail Pickup Service. |
Display name |
FSCMonitor Service State Monitor |
Description |
Checks if the FSCMonitor service is running. |
Alert message |
Forefront Server Protection Monitor Service is not running. |
Causes |
Not applicable. |
Resolution |
Start the Microsoft Forefront Server Protection Monitor Service. |
Workload integration monitors
These are the monitors that keep track of potential problems with hooking into Microsoft Exchange.
Display name |
Forefront Agent State Monitor |
Description |
Checks if the Forefront Transport agent is successfully registered and scanning. |
Alert message |
The Forefront Transport agent failed to register completely. |
Causes |
The Forefront agent is not registered with Exchange correctly.
|
Resolution |
|
Display name |
Exchange Transport Hook State Monitor |
Description |
Checks if the Forefront agent was able to register with the MS Exchange Transport service when it started. |
Alert message |
The Microsoft Exchange Transport service is running, but the Forefront agent could not register with it. |
Causes |
The Forefront agent is not registered with Exchange correctly.
|
Resolution |
|
Display name |
VSAPI Registration Monitor |
Description |
Checks if MS Exchange Information Store is running and the Forefront VSAPI library is registered. |
Alert message |
The Microsoft Exchange Information Store is running but the Forefront VSAPI library Mailbox Agent is not registered. |
Causes |
The Forefront VSAPI library is not registered with Exchange correctly. |
Resolution |
Analyze the Event Log for details regarding the error. |
Cluster monitors
These are the monitors that keep track of potential problems with clusters.
Display name |
Cluster State Monitor |
Description |
Checks the CCR cluster state. |
Alert message |
An error occurred when trying to contact the CCR cluster. |
Causes |
|
Resolution |
|
Display name |
Engine Replication Monitor |
Description |
Checks the CCR engine replication state |
Alert message |
An error occurred in the CCR engine replication. |
Causes |
An unexpected error has occurred. |
Resolution |
Analyze the Event Log for details regarding the error. Restart the Microsoft Forefront Server Protection CCR Replication Service if the error continues. |
Display name |
File Synchronization Monitor |
Description |
Checks the CCR file synchronization state |
Alert message |
An error occurred in the CCR file synchronization. |
Causes |
An error occurred while the file was being replicated. |
Resolution |
Examine the Event Log for details about the error. Contact support if the rollback failed or if the problem continues. |
Display name |
Active Node Lookup Monitor |
Description |
Checks the CCR active node lookup monitor state |
Alert message |
An error occurred while looking up the active node of the CCR cluster. |
Causes |
Error in the Microsoft Forefront Server Protection CCR Replication Service |
Resolution |
Analyze the Event Log for details. Verify the Microsoft Forefront Server Protection CCR Replication Service is running. |
Display name |
Passive State Transition Monitor |
Description |
Checks the CCR passive state transition state |
Alert message |
An error occurred while the Microsoft Forefront Server Protection CCR Replication Service transitioned to the passive state. |
Causes |
|
Resolution |
|
Display name |
Microsoft Forefront Server Protection CCR Replication Service State Monitor |
Description |
Checks the Microsoft Forefront Server Protection CCR Replication Service state |
Alert message |
An error occurred in the Microsoft Forefront Server Protection CCR Replication Service. |
Causes |
A problem in the Microsoft Forefront Server Protection CCR Replication Service was not explicitly handled or reported. |
Resolution |
Analyze the Event Log for details regarding the error. Restart the service. |
Transport scan monitors
These are the monitors that keep track of potential problems with the transport scan.
Display name |
Transport Scanning Processes State Monitor |
Description |
Checks if the Transport scanning processes are running normally. |
Alert message |
There are Transport scanning processes that did not restart properly. |
Causes |
A possible cause for this alert could be that the server was overloaded and could not start a new process in a timely fashion. |
Resolution |
Recycle Exchange services. |
Display name |
Transport Scan Engines Initialization Monitor |
Description |
Checks if the antimalware engines selected for the Transport scan job have been initialized successfully. |
Alert message |
No antimalware scan engines have initialized successfully for the Transport scan job. |
Causes |
A possible cause for this error event could be that the engine subfolder has been deleted. |
Resolution |
To ensure that the most recent engines are available:
|
Display name |
Transport Scan Filter Engine Loading Monitor |
Description |
Checks if the filter engine is loaded correctly by the Transport scan job. |
Alert message |
The filter engine is not loaded correctly for the Transport scan job. |
Causes |
Damaged or inaccessible Forefront Server Protection filter engine. |
Resolution |
Reinstall Forefront Protection 2010 for Exchange Server. |
Display name |
Transport Scan Enabled State Monitor |
Description |
Checks if the Transport scan job has been enabled. |
Alert message |
The Transport scan job is not enabled. |
Causes |
The Transport scan job is not enabled. |
Resolution |
Enable the Transport scan job through the Forefront Protection for Exchange Server Administrator Console or through the Forefront Management Shell. |
Display name |
Transport Scanning Undeliverable Message State Monitor |
Description |
Checks if there are any messages in the undeliverable archive. |
Alert message |
Forefront Protection 2010 for Exchange Server could not complete the scan of a message and it has been put in the undeliverable archive. |
Causes |
Forefront Protection 2010 for Exchange Server could not complete the scan of a message. |
Resolution |
|
Realtime scan monitors
These are the monitors that keep track of potential problems with the realtime scan.
Display name |
Realtime Scan Enabled State Monitor |
Description |
Checks if the Realtime scan job is enabled. |
Alert message |
The Realtime scan job is not enabled properly. |
Causes |
The Realtime scan job is not enabled, is bypassed, or is not hooked. |
Resolution |
Enable the Realtime scan job through the Forefront Protection 2010 for Exchange Server Administrator Console or through Forefront Management Shell. |
Display name |
Realtime Scan Filter Engine Loading Monitor |
Description |
Checks if the filter engine is loaded correctly by the Realtime scan job. |
Alert message |
The filter engine is not loaded successfully for the Realtime scan job. |
Causes |
Damaged or inaccessible Forefront Server Protection filter engine. |
Resolution |
Reinstall Forefront Server Protection. |
Display name |
Realtime Scan Engines Initialization Monitor |
Description |
Checks if the antimalware engines selected for the Realtime scan job have been initialized successfully. |
Alert message |
Some antimalware scan engines have not initialized successfully for the Realtime scan job. |
Causes |
A possible cause for this error could be that the engine subfolder has been deleted. |
Resolution |
To ensure that the most recent engines are available:
|
Display name |
Realtime Scanning Processes State Monitor |
Description |
Checks if the Realtime scanning processes are running normally |
Alert message |
There are Realtime scanning processes that did not restart properly. |
Causes |
A possible cause for this alert could be that the server was overloaded and could not start a new process in a timely fashion. |
Resolution |
Recycle Exchange services. |
Scheduled scan monitors
These are the monitors that keep track of potential problems with the scheduled scan.
Display name |
Scheduled Scan Filter Engine Loading Monitor |
Description |
Checks if the filter engine is loaded correctly by the Scheduled scan job. |
Alert message |
The filter engine is not loaded correctly for the Scheduled scan job. |
Causes |
Damaged or inaccessible Forefront Server Protection filter engine. |
Resolution |
Reinstall Forefront Protection 2010 for Exchange Server. |
Display name |
Scheduled Scan Engines Initialization Monitor |
Description |
Checks if the engines selected for the scheduled scan have been initialized successfully. |
Alert message |
No antimalware scan engines have initialized successfully for the Scheduled scan job. |
Causes |
A possible cause for this error event could be that the engine subfolder has been deleted. |
Resolution |
To ensure that the most recent engines are available:
|
Display name |
Scheduled Scan Termination Monitor |
Description |
Checks if the scheduled scan exceeded the allowed scan time limit |
Alert message |
The Scheduled scan exceeded the configured scan time limit. |
Causes |
The scheduled scan exceeded the configured scanning timeout. |
Resolution |
Recovery after a scheduled scan aborts is normally automatic, but we recommend you check that the system is functioning correctly and resolve the alert manually. |