Spoofed Data Check

Microsoft.SystemCenter.HealthService.Security.SpoofedDataCheck (UnitMonitor)

This monitor reports on spoofed data received by this System Center Management Health Service.

Knowledge Base article:

Summary

Data is being rejected because agent proxying is not enabled for the agent that is trying to perform the action.

Causes

Agent proxying is not enabled for the agent.

Resolutions

Enable agent proxying or use overrides to disable the relevant discoveries for that agent. To enable agent proxy:

In the Operations console, click Administration.
Find the computer in the Agent Managed view
Open the Properties for that agent
On the Security tab, check the Allow this agent to act as a proxy option
Click OK

Element properties:

Target

Microsoft.SystemCenter.HealthService

Parent Monitor

Microsoft.SystemCenter.HealthService.Security.DataIntegrityRollup

Category

SecurityHealth

Enabled

True

Alert Generate

True

Alert Severity

Warning

Alert Priority

High

Alert Auto Resolve

True

Monitor Type

Microsoft.Windows.RepeatedEventLogTimer2StateMonitorType

Remotable

True

Accessibility

Public

Alert Message

Data Integrity Warning

The System Center Management Health Service is receiving data items which are invalid. This can be an indication of a defect in a management pack or an attack on the System Center Management Health Service. Examine the alert context for more details.

RunAs

Default

Source Code:

<UnitMonitor ID="Microsoft.SystemCenter.HealthService.Security.SpoofedDataCheck" Accessibility="Public" Enabled="true" Target="SCLibrary!Microsoft.SystemCenter.HealthService" ParentMonitorID="Microsoft.SystemCenter.HealthService.Security.DataIntegrityRollup" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.RepeatedEventLogTimer2StateMonitorType" ConfirmDelivery="true">

  <Category>SecurityHealth</Category>

  <AlertSettings AlertMessage="Microsoft.SystemCenter.HealthService.Security.DataIntegrityRollup_AlertMessageResourceID">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>High</AlertPriority>

    <AlertSeverity>Warning</AlertSeverity>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Microsoft.SystemCenter.HealthService.Security.SpoofedDataCheck.Warning" MonitorTypeStateID="RepeatedEventRaised" HealthState="Warning"/>

    <OperationalState ID="Microsoft.SystemCenter.HealthService.Security.SpoofedDataCheck.Success" MonitorTypeStateID="TimerEventRaised" HealthState="Success"/>

  </OperationalStates>

  <Configuration>

    <RepeatedComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</RepeatedComputerName>

    <RepeatedLogName>Operations Manager</RepeatedLogName>

    <RepeatedExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">Params/Param[1]</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">$Target/ManagementGroup/Name$</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">OpsMgr Connector</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <Or>

            <Expression>

              <SimpleExpression>

                <ValueExpression>

                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                </ValueExpression>

                <Operator>Equal</Operator>

                <ValueExpression>

                  <Value Type="UnsignedInteger">21037</Value>

                </ValueExpression>

              </SimpleExpression>

            </Expression>

            <Expression>

              <SimpleExpression>

                <ValueExpression>

                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                </ValueExpression>

                <Operator>Equal</Operator>

                <ValueExpression>

                  <Value Type="UnsignedInteger">21038</Value>

                </ValueExpression>

              </SimpleExpression>

            </Expression>

          </Or>

        </Expression>

      </And>

    </RepeatedExpression>

    <Consolidator>

      <ConsolidationProperties/>

      <TimeControl>

        <WithinTimeSchedule>

          <Interval>900</Interval>

        </WithinTimeSchedule>

      </TimeControl>

      <CountingCondition>

        <Count>2</Count>

        <CountMode>OnNewItemTestOutputRestart_OnTimerSlideByOne</CountMode>

      </CountingCondition>

    </Consolidator>

    <TimerWaitInSeconds>3600</TimerWaitInSeconds>

  </Configuration>

</UnitMonitor>