Documentation for Server & Application Monitor

Example: Use a Windows PowerShell Monitor script in a SAM template

The following example shows how to use a Windows PowerShell Monitor script in a SAM template to monitor lsass.exe, a process that enforces security when users log on and change passwords. Monitoring this process can help detect dictionary attacks: the monitor tracks the average number of read operations performed so you can check for spikes, and an alert can then notify you when the monitor exceeds a certain threshold.

This example shows how to:

  1. Create a template that you can assign to nodes as an application monitor.
  2. Add the predefined Windows PowerShell Monitor to the template.
  3. Provide credentials so the script can run on the Orion server.
  4. Create a PowerShell script that uses a Get-WmiObject call to measure the average ReadOperationCount for the lsass.exe process and add it to the template.

Additional sample scripts are provided in the following default folder on the Orion server: C:\Program Files (x86)\SolarWinds\Orion\APM\SampleScriptMonitors

To create the sample template: 

  1. Verify that the WinRM service is enabled and properly configured on the main Orion server and target servers so you can run PowerShell commands remotely. See Using PowerShell in SAM.
  2. Click Settings > All Settings > SAM Settings > Create a New Template.
  3. Name the template (for example, Lsass.exe PowerShell Monitor).
  4. Click Add Component Monitor, type "powershell" in the search field, select the Windows PowerShell Monitor, and click Add.
  5. Select a Credential for Monitoring with appropriate permissions to run the script on the Orion server, and that also has appropriate permissions to do whatever else the script requires (in this case, to get the average number of read operations performed on the target node).
  6. Select Remote Host as the Execution Mode.
  7. Click Edit Script and then paste the following PowerShell script into the Script Body field:
    $avg = Get-WmiObject win32_process -ComputerName '${IP}' -Credential '${CREDENTIAL}' | Where-Object { $_.Name -eq "lsass.exe" } | Measure-Object -Property ReadOperationCount -Average
    Write-Host 'Statistic: ' $avg.Average; exit(0)

    The PowerShell code does the following:

    1. Reads the average ReadOperationCount for the process lsass.exe running on the server at the IP address specified by the ${IP} variable, using the credential specified by the ${CREDENTIAL} variable.

      The user name from the specified Credential for Monitoring is stored automatically in the ${CREDENTIAL} variable by the monitor. Do not add the ${CREDENTIAL} variable in the Script Arguments field. When the script runs and needs a password, the monitor automatically gets the password from the Credential for Monitoring.

    2. Writes the statistic information gathered by the script.
    3. Exits the script with an exit code (0) to report the status of the monitor, as displayed in the Orion Web Console. See Report status through exit codes in SAM script monitors.
  8. Enter the following Script Arguments:

    Use the token ${IP} to populate the IP address in the script body with the IP address of the target node. You can then access the value in the script body using the variable ${IP}.

  9. Select Count Statistic as Difference to change the statistic to be the difference in query values between polling cycles.
  10. Click Set test node. Browse the tree view, select the desired target node for the PowerShell script, and then click Select.
  11. Change the Statistic Warning Threshold to greater than 800.
  12. Change the Statistic Critical Threshold to greater than 1000.
  13. Click Test, and then click Submit.
  14. Navigate to the Manage Application Template page, select the new template you created, and click Assign to Node.
  15. Expand the tree view, select a target node, and then click Next.
  16. Select "Inherit credentials from template", and then click Test to confirm the credentials.
  17. Click Assign Application Monitors and then click Done.
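The following stand-alone script is an added example, not code from the SAM documentation or the SolarWinds sample folder. It reproduces outside SAM what the template above does: it samples the lsass.exe ReadOperationCount twice, reports the difference between samples (the work the "Count Statistic as Difference" setting does between polling cycles), and writes SAM-style Statistic and Message lines with an exit code. The parameter names, the 60-second interval, and the local-machine default are assumptions for illustration; the 800/1000 thresholds are the ones used in the procedure.

```powershell
# Added example (not the page's own script). Runs on a Windows host with
# access to Win32_Process; use -ComputerName for a remote target over WinRM.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local host by default
    [int]$IntervalSeconds = 60,                  # assumption: one sample interval
    [double]$WarningThreshold = 800,             # thresholds from the procedure
    [double]$CriticalThreshold = 1000
)

function Get-LsassReadOps {
    param([string]$Computer)
    # Win32_Process exposes ReadOperationCount per process. lsass.exe normally
    # has one instance, but average whatever is returned, as the page's
    # Measure-Object pipeline does.
    $query = @{ ClassName = 'Win32_Process'; Filter = "Name='lsass.exe'" }
    if ($Computer -and $Computer -ne $env:COMPUTERNAME) { $query.ComputerName = $Computer }
    $procs = Get-CimInstance @query
    if (-not $procs) { return $null }
    return ($procs | Measure-Object -Property ReadOperationCount -Average).Average
}

$first = Get-LsassReadOps -Computer $ComputerName
if ($null -eq $first) {
    Write-Host 'Message: lsass.exe not found on target'
    exit 1   # SAM reports exit code 1 as Down
}
Start-Sleep -Seconds $IntervalSeconds
$second = Get-LsassReadOps -Computer $ComputerName

# ReadOperationCount is cumulative since process start, so the difference of
# two samples is the number of reads in this interval. Clamp to zero so a
# counter reset (lsass restarted between samples) does not report a negative value.
$delta = [math]::Max(0, $second - $first)

Write-Host ('Statistic: {0}' -f $delta)
Write-Host ('Message: lsass.exe read operations in the last {0}s on {1}' -f $IntervalSeconds, $ComputerName)

# Exit code carries the status SAM displays: 0 Up, 2 Warning, 3 Critical.
if ($delta -gt $CriticalThreshold) { exit 3 }
elseif ($delta -gt $WarningThreshold) { exit 2 }
else { exit 0 }
```

Run it with `-IntervalSeconds 5` during a burst of failed logons on a test host to see the Statistic value rise and the exit code change, which is the same signal the template's thresholds act on.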