SIP Proxy: Many security events have been identified by the proxy stack

Microsoft.LS.2013.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIP_W_FLAT_FILE_LOG_SECURITY_ALERT (UnitMonitor)

Knowledge Base article:

Summary

Many security events have been identified by the proxy stack.

Causes

The server may be under attack, or there might be a configuration problem that is causing errors.

Resolutions

Launch the Lync Server 2013 Logging Tool. Select the "SIPStack" component, the "Errors" level and the TF_SECURITY flag. Review the events reported to the trace log using the "Analyze Log Files" feature of the logging tool.

Element properties:

Target

Microsoft.LS.2013.Component.AccessEdge

Parent Monitor

System.Health.SecurityState

Category

SecurityHealth

Enabled

True

Alert Generate

True

Alert Severity

Error

Alert Priority

Normal

Alert Auto Resolve

True

Monitor Type

Microsoft.LS.2013.MonitorType.TimerResetEvent.Repeated

Remotable

True

Accessibility

Public

Alert Message

[LYNC] Many security events have been identified by the proxy stack.

{0}

Please see the 'Product Knowledge' and the 'Alert Context' tab on Alert Properties view for more information.

RunAs

Default

Source Code:

<UnitMonitor ID="Microsoft.LS.2013.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIP_W_FLAT_FILE_LOG_SECURITY_ALERT" Accessibility="Public" Enabled="true" Target="Microsoft.LS.2013.Component.AccessEdge" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="Microsoft.LS.2013.MonitorType.TimerResetEvent.Repeated" ConfirmDelivery="true">

  <Category>SecurityHealth</Category>

  <AlertSettings AlertMessage="Alert_Many_security_events_have_been_identified_by_the_proxy_stack.">

    <AlertOnState>Error</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Error</AlertSeverity>

    <AlertParameters>

      <AlertParameter1>$Data/Context/Context/DataItem/EventDescription$</AlertParameter1>

    </AlertParameters>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Microsoft.LS.2013.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIP_W_FLAT_FILE_LOG_SECURITY_ALERT.Timer" MonitorTypeStateID="TimerEventRaised" HealthState="Success"/>

    <OperationalState ID="Microsoft.LS.2013.Monitoring.UnitMonitor.TimerResetEvent.AccessEdge.SIP_W_FLAT_FILE_LOG_SECURITY_ALERT.Repeated" MonitorTypeStateID="RepeatedEventRaised" HealthState="Error"/>

  </OperationalStates>

  <Configuration>

    <ComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

    <LogName>Lync Server</LogName>

    <ErrorExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="UnsignedInteger">14425</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">LS Protocol Stack</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </And>

    </ErrorExpression>

    <AutoResolveInterval>300</AutoResolveInterval>

    <TimerWindowInSeconds>120</TimerWindowInSeconds>

    <RepeatCount>30</RepeatCount>

  </Configuration>

</UnitMonitor>