“I have to write any article to my blog, I have to get back to my audience” this is what consumes my mind during the last year. Although I hadn’t wrote any articles but I had a wonderful challenging year. From time to time, I write articles but they are always saved in the draft.
So it is the time to be back again.
I have a test lab and I had seen some messages that was generated from my domain controller but those events should be taken care by many team; supposing we are in real scenario.
I have disk capacity issue in dive C where Active Directory DIT files are stored.
At the same time, the Active Directory team is monitoring domain controller with Active Directory related policies and they have been alerted with the below events.
We need to tell both admins which event are root cause and which event are symptoms.
I will select the four alerts and Click on “Relate Events”
Select the identified Root event.
You can see now the event are categorized as root and symptoms under (C)orrelation column.
When you open any of the events you can see the correlation on “Related Events” tab.
What I have just done, is just manual correlation.
I have apply the same concept but with automation based on OMi topology based event correlation which Checks the events associated with Health Indicators against Topology relations as in our case we have filesystem connected with node that hosts domain controller. So if events with HI associated with FileSystem and other events with HIs associated with DomainController the can be correlated with the presence of TBEC rule as below.
I will select the events that has the HIs as below.
Note: I have selected one more event related to Node, to ensure that I will have the right topology relations
Then Identified the root cause event.
Give the Rule Name and description
It is just fun to create correlation rules, and you can let your operators focus on root cause events.