Forefront Security SQL DB Tool

Has anyone set up this tool for Microsoft Forefront Endpoint Protection? Currently, we have FEP managed through SCCM, and the FEP logs are written to our DB Server. How can we get this tool in LEM to grab the info from the DB Server? I have the agent installed on our SCCM Server, and I'm trying to configure the Forefront Security SQL DB Tool to obtain the logs from the SQL DB.

  • Have you tried installing a LEM Agent on the DB server? If you do that, you should be able to configure the Forefront Security SQL Database tool on that Agent and it will send the normalized alerts from your DB server to the LEM Manager.

  • Do you know which FEP DB the tool needs access to? Also, we will be making a username specifically for LEM for when it accesses the SQL DB. What role does the user need to be to access and normalize the logs?

  • The default values for Database Name, Database Server Instance Name, and Database Server Port in the tool are a good place to start. However, your DB admin should know what to use if the defaults aren't right for your DB.

    Regarding the user account, the tool is configured to use the sa account by default, but the only thing it needs permissions to do is to query items from the SDKEventView table. As long as the SQL user you create for LEM can do that, you should be fine.
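    As an added example (not from the original thread and not SolarWinds' own tooling): a T-SQL script that creates the dedicated LEM login the poster asked about with only the permission the reply says the tool needs, SELECT on SDKEventView, instead of leaving the tool on sa. The database name ForefrontDB, the dbo schema and the login name lem_forefront_reader are placeholders that the thread does not supply; take the real database name from your DBA or from the tool's defaults.

```sql
-- Added example, not from the thread: least-privilege SQL login for the
-- LEM "Forefront Security SQL Database" tool, replacing the default sa.
-- ASSUMPTIONS: database [ForefrontDB], schema [dbo], login name
-- [lem_forefront_reader] are placeholders; SDKEventView is the only object
-- the tool reads (as the reply above states).

USE [master];
GO
-- Password is a placeholder: generate a long random one and keep it in a vault.
-- CHECK_EXPIRATION is off because an expired password would silently stop
-- collection; rotate it by hand and update the tool configuration together.
CREATE LOGIN [lem_forefront_reader]
    WITH PASSWORD = N'<replace-with-a-long-random-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = [ForefrontDB];
GO

USE [ForefrontDB];
GO
CREATE USER [lem_forefront_reader] FOR LOGIN [lem_forefront_reader];
GO
-- Grant SELECT on the single object the tool queries, nothing more.
-- Deliberately NOT db_datareader: that would expose every table in the database.
GRANT SELECT ON OBJECT::[dbo].[SDKEventView] TO [lem_forefront_reader];
GO

-- Verification from the new user's point of view: can read the view,
-- cannot modify it, cannot create objects in the database.
EXECUTE AS USER = 'lem_forefront_reader';
    SELECT TOP (5) * FROM [dbo].[SDKEventView];                                   -- succeeds
    SELECT HAS_PERMS_BY_NAME('dbo.SDKEventView', 'OBJECT', 'SELECT') AS can_select;   -- 1
    SELECT HAS_PERMS_BY_NAME('dbo.SDKEventView', 'OBJECT', 'UPDATE') AS can_update;   -- 0
    SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE') AS can_create;    -- 0
REVERT;
GO
```

    The EXECUTE AS block checks the grant before the credentials go into the LEM tool configuration; HAS_PERMS_BY_NAME returns 1 where the permission is held and 0 where it is not. Once the new account is confirmed working, remove the sa credential from the tool.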

  • Are we sure that this tool is actually for Microsoft Forefront Endpoint Protection and not Symantec Forefront Client Security? I don't even see Microsoft Forefront Endpoint Security on the list of compatible AV.


    www.solarwinds.com/.../comprehensive-data-source-support.aspx

  • FormerMember, in reply to TheButcher:

    We do support Forefront AV (Endpoint Security) via either the MOM (SCOM, or equivalent current Microsoft term) database OR the event log (event log would require an agent on each system, database would be centralized - basically MOM pulls from the event log and pushes to the database). The DB tool is "Forefront Security SQL Database."

    There are a few possibilities:

    1. The instance and/or user and/or password and/or port are incorrect 
    2. There are additional configuration steps that need to happen.
    3. In a distant third, something has changed in the database schema

    #1: You should see errors/alerts in your Console that indicate this one - they'd be in "SolarWinds Alerts" (or "TriGeo Alerts" in earlier versions). You may also see noise in the agent log, if you're running this from an agent.

    #2: You do need to configure MOM (SCOM, et al) to pull in the event log data and push it to the database. From our documentation having worked with Microsoft using MOM 2005 (so, they may have changed slightly):

    • Start in the MOM Administrator Console. In the left pane, expand Microsoft Operations Manager (<Server>) > Management Packs > Rule Groups > Microsoft Forefront Client Security > Host Alerts > Event Rules.
    • Right click on Event Rules to Create a new Event Rule
    • Select Alert on or Respond to Event (Event)
    • The Data Provider dialog opens. Under Provider name, select Application or System depending on the event and click Next.
    • NOTE: You'll have to select the Event Log that you want to gather the events from, some are Application, some are System (you can create multiple rules for each)
    • The Criteria dialog opens. Place a check mark next to "from source", enter the source of the event you want to alert on, and click Next.
    • NOTE: The "source" should match the Event Log source you want to match.
    • Click Next on the Schedule dialog ("Always Process Data")
    • The Alert dialog opens. If an alert is wanted in the MOM console (NOT required), place a check mark next to Generate alert and complete the necessary fields and click Next.
    • Click Next in the Alert Suppression dialog. (Optionally, choose whether you want duplicates suppressed)
    • In the Responses dialog, click Add and select Send a notification to a Notification Group.
    • On the Notification tab, select Client Security Notification Group from the Notification Group drop down. Place a check mark next to Run this response before duplicate alert suppression (optional). Click OK and then click Next.
    • Click Next on the Knowledge Base dialog. (Optionally, if you use this, fill it out)
    • Enter a Rule Name on the General dialog page and click Finish.
    • Finally, rule additions and changes must be committed. Expand Microsoft Operations Manager (<Server>) and right-click on Management Packs and select Commit Configuration Change. A Configuration Change dialog will appear stating that the configuration changes have been transmitted to the servers.

    I can pull in some screen shots that fill those in if it's not quite matching up.

    #3: If all else fails, it IS possible that we need to update our tool. Support can help gather data and confirm this is the case.

    HTH.

  • Screen Shots would be awesome if you could get them

  • FormerMember, in reply to TheButcher:

    Here's a copy of the full instructions with screenshots included. It's the same as my paraphrased version, but with a few extra comments (and the pictures ;)).

    HTH!!


    This document outlines the steps needed to configure event rules on the MOM Server. This document assumes that Forefront Security for Exchange and/or Forefront Security for Sharepoint Management Packs have been previously installed on the MOM Server.

    Any Forefront system which is being managed by Microsoft Operations Manager can be monitored by ForefrontSQLDB.xml. Forefront Security products need to have corresponding management packs installed and configured on the MOM server in order for it to interpret the Windows Event logs. Once the management pack is installed and rules have been configured and committed, the rule configs will be pushed to the relevant MOM agents on the servers, which will enable the events to be sent and stored in the MOM DB.

    Event Rules in MOM Administrator Console

    The Forefront Client Security management pack contains predefined rules, including a few for virus detections, but more rules may need to be added. Forefront Security for Sharepoint / Exchange only have rules predefined for scan, service and engine update monitoring. In order to get events for virus detections, rules need to be configured through the MOM Administrator Console.
    Determining the Data Provider
    Some events are logged under the Windows Application Event log while others are logged under the Windows System Event log. When configuring a particular event, refer to the Windows Event log to see which log the message is being logged to. This information is entered on the Data Provider dialog page.
    Configuring Rules
    Rules need to be entered under the correct rule base. Sharepoint rules will be entered under Microsoft Forefront Security for Sharepoint and Exchange rules will be entered under Microsoft Forefront Security for Exchange.
    Client Security Rule Additions
    In the MOM Administrator Console, in the left pane, expand Microsoft Operations Manager (<Server>) > Management Packs > Rule Groups > Microsoft Forefront Client Security > Host Alerts > Event Rules.
    Exchange Rule Additions
    In the MOM Administrator Console, in the left pane, expand Microsoft Operations Manager (<Server>) > Management Packs > Rule Groups > Microsoft Forefront Server Security > Microsoft Forefront Security for Exchange Server > Event Rules.
    Sharepoint Rule Additions
    In the MOM Administrator Console, in the left pane, expand Microsoft Operations Manager (<Server>) > Management Packs > Rule Groups > Microsoft Forefront Server Security > Microsoft Forefront Security for Sharepoint > Event Rules.

    Right-click Event Rules and select Create Event Rule…

    From the Select Event Rule Type dialog, select Alert on or Respond to Event (Event).

    The Data Provider dialog opens. Under Provider name, select Application or System depending on the event and click Next.

    The Criteria dialog opens. Place a check mark next to "from source", enter the source of the event you want to alert on, and click Next.

    Click Next on the Schedule dialog.

    The Alert dialog opens. If an alert is wanted in the MOM console, place a check mark next to Generate alert, complete the necessary fields, and click Next.

    Click Next in the Alert Suppression dialog.

    In the Responses dialog, click Add and select Send a notification to a Notification Group.

    On the Notification tab, select Client Security Notification Group from the Notification Group drop-down. Place a check mark next to Run this response before duplicate alert suppression (optional). Click OK and then click Next.

    Click Next on the Knowledge Base dialog.

    Enter a Rule Name on the General dialog page and click Finish.

    Committing rule additions and changes
    Rule additions and changes must be committed. Expand Microsoft Operations Manager (<Server>), right-click Management Packs, and select Commit Configuration Change. A Configuration Change dialog will appear stating that the configuration changes have been transmitted to the servers.

    Repeat these steps for any events which do not have predefined rules. Be sure that the Data Provider has been entered correctly so the rules read from the correct Windows Event log.

  • I still don't understand. It really doesn't look like we are on the same page. We use Microsoft Forefront Endpoint Protection, and we manage it through SCCM, not through MOM or SCOM.

  • FormerMember, in reply to TheButcher:

    The only way to receive the events centrally is through MOM/SCOM, as far as I know.

    Otherwise, the events come into the event log on each system running the AV, and you deploy an agent to each system, and configure tools on that agent.

    PS: If you can see the events in SCCM and it looks like we should be able to pick them up there, I can have our development team do a little deeper investigation.