Working with monitors

 

Monitors are used to determine the health state of an application feature and are an integral part of the health model. Generally speaking, monitors are the "intelligence" of Microsoft System Center Operations Manager 2007 (Operations Manager 2007), determining whether your application is healthy.

Monitors are state machines that show a state of healthy (green), warning (yellow), or unhealthy (red). The monitor's state changes in response to the information that it receives.

In the Microsoft Forefront Server Protection Management Pack for Operations Manager 2007, monitors examine the Forefront Protection 2010 for Exchange Server (FPE) product, engine updates, scan jobs, and services. They examine events generated by those processes to determine if alerts should be generated or if the health state should be changed. Some monitors (called performance monitors) retrieve statistics for scan jobs. There are several different kinds of monitors included with the Microsoft Forefront Server Protection Management Pack.

Viewing the Knowledge Base for monitors

All monitors contained in Operations Manager 2007 have a Knowledge Base entry containing a summary or description of the event. This entry explains the event's significance, possible causes, and possible resolutions. For a list of all event codes, see Event ID codes in the Forefront Protection 2010 for Exchange Server Technical Reference.

Knowledge Base entries can be viewed through the Operations Manager 2007 Operations Console.

To view a Knowledge Base entry for a monitor

  1. In the Monitoring space, in the Microsoft Forefront Server Protection 2010 \ Forefront Protection for SharePoint \ State node, double-click in the State column for any server.

  2. In the Health Explorer dialog box, click any health monitor on the left to display its Knowledge Base entry on the right.

Monitor reference

There are several categories of monitors for Forefront Protection 2010 for Exchange Server.

Antimalware engine monitors

These are the monitors that keep track of potential problems with antimalware engines.

Display name

Antimalware Engines Update Enabled Monitor

Description

Checks if updating for the antimalware engines is enabled.

Alert message

The antimalware engines selected for scanning are disabled for updating.

Causes

There are antimalware engines selected for scanning that are not enabled for updating.

Resolution

Change the engines selected for updating to match the ones selected for scanning.

Display name

Antimalware Engines Update Success Rate

Description

Checks the percentage of antimalware engines successfully updated in the last attempt.

Alert message

Some antimalware engines enabled for updates were not successfully updated at the last attempt

Causes

Network throughput issues.

Low bandwidth.

Issues with the server providing definition updates.

Resolution

Ensure that the HTTP proxy server is configured properly.

Ensure that there are no network issues.

Ensure that the Universal Naming Convention (UNC) configuration settings are appropriate.

Display name

Antimalware Engines Last Update Time Monitor

Description

Checks if the antimalware engines enabled for updates have been updated in the last five days.

Alert message

Some antimalware engines enabled for updates have not been updated successfully in the last five days.

Causes

Network throughput issues.

Low bandwidth.

Issues with Rapid Update Server.

The antivirus vendor has not provided updates in a week (very unlikely).

Resolution

Ensure that the HTTP proxy server is configured properly.

Ensure that there are no network issues.

Ensure that the UNC configuration settings are appropriate.

Antispam engine monitors

These are the monitors that keep track of potential problems with the antispam engine.

Display name

Antispam Engines Last Update Time Monitor

Description

Checks the last update time of the antispam engines.

Alert message

The antispam engine has not been updated recently.

Causes

  • Network throughput issues

  • Low bandwidth

  • The antispam vendor has not provided updates in a week (very unlikely)

  • The firewall is blocking antispam definition updates.

Resolution

  • Make sure the HTTP proxy is configured properly.

  • Make sure that there are no network issues.

  • Make sure that the UNC configuration settings are appropriate.

  • Make sure that the firewall is configured to allow antispam definition updates.

License monitors

These are the monitors that keep track of potential problems with licenses.

Display name

License State Monitor

Description

Checks if the Forefront Server Protection license is about to expire or has expired.

Alert message

The Forefront Server Protection license is about to expire or has expired.

Causes

A product key has not been entered.

Your license has expired and a new product key has not been purchased.

Resolution

Enter the product key from the Forefront Server Protection Administrator console or Forefront Management Shell.

If you do not have a product key, contact your Microsoft sales representative or visit the Pricing and Licensing site.

Services monitors

These are the monitors that keep track of potential problems with services.

Display name

FSCController Service State Monitor

Description

Checks if the FSCController service is running.

Alert message

Microsoft Forefront Server Protection Controller Service is not running.

Causes

Not applicable

Resolution

Recycle the Exchange services:

1. Stop all Exchange services. Make sure all of the Forefront services are offline.

2. Start Exchange services. Make sure all Forefront services are completely started.

Display name

Eventing Service State Monitor

Description

Checks if the FSCEventing service is running.

Alert message

Microsoft Forefront Server Protection Eventing Service is not running.

Causes

Not applicable

Resolution

Start the Microsoft Forefront Server Protection Eventing Service.

Display name

FSEMailPickup Service State Monitor

Description

Checks if the FSEMailPickup service is running.

Alert message

Forefront Server Protection Mail Pickup Service is not running.

Causes

The cause of this event is uncertain.

Resolution

Start the Microsoft Forefront Server Protection Mail Pickup Service.

Display name

FSCMonitor Service State Monitor

Description

Checks if the FSCMonitor service is running.

Alert message

Forefront Server Protection Monitor Service is not running.

Causes

Not applicable.

Resolution

Start the Microsoft Forefront Server Protection Monitor Service.

Workload integration monitors

These are the monitors that keep track of potential problems with hooking into Microsoft Exchange.

Display name

Forefront Agent State Monitor

Description

Checks if the Forefront Transport agent is successfully registered and scanning.

Alert message

The Forefront Transport agent failed to register completely.

Causes

The Forefront agent is not registered with Exchange correctly.

  • You are running a build of Exchange that is unsupported by your current version of Forefront Protection 2010 for Exchange Server.

  • Unable to open Exchange's setup registry key or query Exchange's MSI Install Path from within the registry.

  • The registration of the Forefront agent using PowerShell failed or timed out.

Resolution

  • Make sure you are using a build of Exchange that is supported by Forefront Protection 2010 for Exchange Server (FPE) or update your version of FPE to support the build of Exchange you are running.

  • Make sure that Exchange's registry settings exist and are correct, and that the Microsoft Forefront Server Protection Registration Service (which runs as NetworkService) has access to them.

  • Refer to the event log to find the exact reason the agent failed to register, or contact support for help in pinpointing the error.

Display name

Exchange Transport Hook State Monitor

Description

Checks if the Forefront agent was able to register with the MS Exchange Transport service when it started.

Alert message

The Microsoft Exchange Transport service is running, but the Forefront agent could not register with it.

Causes

The Forefront agent is not registered with Exchange correctly.

  • You are running a build of Exchange that is unsupported by your current version of Forefront Protection 2010 for Exchange Server.

  • Unable to open Exchange's setup registry key or query Exchange's MSI Install Path from within the registry.

  • The registration of the Forefront agent using PowerShell failed or timed out.

Resolution

  • Make sure you are using a build of Exchange that is supported by Forefront Protection 2010 for Exchange Server (FPE) or update your version of FPE to support the build of Exchange you are running.

  • Make sure that Exchange's registry settings exist and are correct, and that the Microsoft Forefront Server Protection Registration Service (which runs as NetworkService) has access to them.

  • Refer to the event log to find the exact reason the agent failed to register, or contact support for help in pinpointing the error.

Display name

VSAPI Registration Monitor

Description

Checks if MS Exchange Information Store is running and the Forefront VSAPI library is registered.

Alert message

The Microsoft Exchange Information Store is running but the Forefront VSAPI library Mailbox Agent is not registered.

Causes

The Forefront VSAPI library is not registered with Exchange correctly.

Resolution

Analyze the Event Log for details regarding the error.

Cluster monitors

These are the monitors that keep track of potential problems with clusters.

Display name

Cluster State Monitor

Description

Checks the CCR cluster state.

Alert message

An error occurred when trying to contact the CCR cluster.

Causes

  • A cluster handle is invalid.

  • Unable to create a cluster notification port.

  • The cluster service or the other cluster node may not be available.

  • The cluster does not grant permission for this service to access it.

Resolution

  • Analyze the Event Log for details regarding the error. Restart the service if the error continues.

  • Verify the cluster service is functioning on all cluster nodes.

  • Ensure that this service (and, if necessary, the node it is running on) has permission to access the cluster.

Display name

Engine Replication Monitor

Description

Checks the CCR engine replication state.

Alert message

An error occurred in the CCR engine replication.

Causes

An unexpected error has occurred.

Resolution

Analyze the Event Log for details regarding the error. Restart the Microsoft Forefront Server Protection CCR Replication Service if the error continues.

Display name

File Synchronization Monitor

Description

Checks the CCR file synchronization state.

Alert message

An error occurred in the CCR file synchronization.

Causes

An error occurred while the file was being replicated.

Resolution

Examine the Event Log for details about the error. Contact support if the rollback failed or if the problem continues.

Display name

Active Node Lookup Monitor

Description

Checks the CCR active node lookup monitor state.

Alert message

An error occurred while looking up the active node of the CCR cluster.

Causes

Error in the Microsoft Forefront Server Protection CCR Replication Service.

Resolution

Analyze the Event Log for details. Verify the Microsoft Forefront Server Protection CCR Replication Service is running.

Display name

Passive State Transition Monitor

Description

Checks the CCR passive state transition state.

Alert message

An error occurred while the Microsoft Forefront Server Protection CCR Replication Service transitioned to the passive state.

Causes

  • Failed to back up one or more files.

  • Failed to obtain the name of the other cluster node.

Resolution

  • Analyze the Event Log for details. Verify the files to be backed up are available and accessible (not locked).

  • Analyze the Event Log for details. Verify the cluster service is running.

Display name

Microsoft Forefront Server Protection CCR Replication Service State Monitor

Description

Checks the Microsoft Forefront Server Protection CCR Replication Service state.

Alert message

An error occurred in the Microsoft Forefront Server Protection CCR Replication Service.

Causes

A problem in the Microsoft Forefront Server Protection CCR Replication Service was not explicitly handled or reported.

Resolution

Analyze the Event Log for details regarding the error. Restart the service.

Transport scan monitors

These are the monitors that keep track of potential problems with the transport scan.

Display name

Transport Scanning Processes State Monitor

Description

Checks if the Transport scanning processes are running normally.

Alert message

There are Transport scanning processes that did not restart properly.

Causes

A possible cause for this alert could be that the server was overloaded and could not start a new process in a timely fashion.

Resolution

Recycle Exchange services.

Display name

Transport Scan Engines Initialization Monitor

Description

Checks if the antimalware engines selected for the Transport scan job have been initialized successfully.

Alert message

No antimalware scan engines have initialized successfully for the Transport scan job.

Causes

A possible cause for this error event could be that the engine subfolder has been deleted.

Resolution

To ensure that the most recent engines are available:

  • Make sure the HTTP proxy is configured properly.

  • Make sure that there are no network issues.

  • Make sure that the UNC configuration settings are appropriate.

Display name

Transport Scan Filter Engine Loading Monitor

Description

Checks if the filter engine is loaded correctly by the Transport scan job.

Alert message

The filter engine is not loaded correctly for the Transport scan job.

Causes

Damaged or inaccessible Forefront Server Protection filter engine.

Resolution

Reinstall Forefront Protection 2010 for Exchange Server.

Display name

Transport Scan Enabled State Monitor

Description

Checks if the Transport scan job has been enabled.

Alert message

The Transport scan job is not enabled.

Causes

The Transport scan job is not enabled.

Resolution

Enable the Transport scan job through the Forefront Protection for Exchange Server Administrator Console or through the Forefront Management Shell.

Display name

Transport Scanning Undeliverable Message State Monitor

Description

Checks if there are any messages in the undeliverable archive.

Alert message

Forefront Protection 2010 for Exchange Server could not complete the scan of a message and it has been put in the undeliverable archive.

Causes

Forefront Protection 2010 for Exchange Server could not complete the scan of a message.

Resolution

  • Analyze the Event Log for details regarding the error.

  • Restart Exchange Edge Transport Service.

  • Send the archived message to Microsoft for analysis.

Realtime scan monitors

These are the monitors that keep track of potential problems with the realtime scan.

Display name

Realtime Scan Enabled State Monitor

Description

Checks if the Realtime scan job is enabled.

Alert message

The Realtime scan job is not enabled properly.

Causes

The Realtime scan job is not enabled, is bypassed, or is not hooked.

Resolution

Enable the Realtime scan job through the Forefront Protection 2010 for Exchange Server Administrator Console or through Forefront Management Shell.

Display name

Realtime Scan Filter Engine Loading Monitor

Description

Checks if the filter engine is loaded correctly by the Realtime scan job.

Alert message

The filter engine is not loaded successfully for the Realtime scan job.

Causes

Damaged or inaccessible Forefront Server Protection filter engine.

Resolution

Reinstall Forefront Server Protection.

Display name

Realtime Scan Engines Initialization Monitor

Description

Checks if the antimalware engines selected for the Realtime scan job have been initialized successfully.

Alert message

Some antimalware scan engines have not initialized successfully for the Realtime scan job.

Causes

A possible cause for this error could be that the engine subfolder has been deleted.

Resolution

To ensure that the most recent engines are available:

  • Make sure the HTTP proxy is configured properly.

  • Make sure that there are no network issues.

  • Make sure that the UNC configuration settings are appropriate.

Display name

Realtime Scanning Processes State Monitor

Description

Checks if the Realtime scanning processes are running normally.

Alert message

There are Realtime scanning processes that did not restart properly.

Causes

A possible cause for this alert could be that the server was overloaded and could not start a new process in a timely fashion.

Resolution

Recycle Exchange services.

Scheduled scan monitors

These are the monitors that keep track of potential problems with the scheduled scan.

Display name

Scheduled Scan Filter Engine Loading Monitor

Description

Checks if the filter engine is loaded correctly by the Scheduled scan job.

Alert message

The filter engine is not loaded correctly for the Scheduled scan job.

Causes

Damaged or inaccessible Forefront Server Protection filter engine.

Resolution

Reinstall Forefront Protection 2010 for Exchange Server.

Display name

Scheduled Scan Engines Initialization Monitor

Description

Checks if the engines selected for the scheduled scan have been initialized successfully.

Alert message

No antimalware scan engines have initialized successfully for the Scheduled scan job.

Causes

A possible cause for this error event could be that the engine subfolder has been deleted.

Resolution

To ensure that the most recent engines are available:

  • Make sure the HTTP proxy is configured properly.

  • Make sure that there are no network issues.

  • Make sure that the UNC configuration settings are appropriate.

Display name

Scheduled Scan Termination Monitor

Description

Checks if the scheduled scan exceeded the allowed scan time limit.

Alert message

The Scheduled scan exceeded the configured scan time limit.

Causes

The scheduled scan exceeded the configured scanning timeout.

Resolution

Recovery after a scheduled scan aborts is normally automatic, but we recommend you check that the system is functioning correctly and resolve the alert manually.