System Center Orchestrator is a fantastic automation and scheduling tool from Microsoft which has just gone through a new revision with the System Center 2012 wave of products. It allows me to integrate with a number of systems natively including SCOM, SCCM and VMM as well as a bunch of pre-built scheduling tasks. Codeplex has great Integration Packs available and its worth checking out, which is where I downloaded the Exchange Mail IP.
One of my passions is automation and in the hosting world its how you keep your costs down and drive efficiencies from having to do repetitive tasks. Over the last few years we’ve been running, I’ve been able to collect a lot of great information around alerts, especially OSSEC alerts. We use OSSEC as our IDS and if you haven’t heard of it before, I’d recommend checking it out as it’s a fantastic open source IDS which is very configurable. We use OSSEC for host based agents and also network based, with Snort. Everything is also indexed and pumped into Splunk which gives us superior searching capability across our entire stack of firewall, switches, IDS and reverse proxy servers.
We generate OSSEC alerts via email so, Orchestrator with the Exchange Mail IP allows you configure the monitoring of a mailbox and wrap some rules around it. Here’s an example;
Monitor – Support Mailbox (connection you have setup in the IP previously)
Folder Name – Inbox (folder to monitor)
Body Format – Plain Text
Read Mail Filter – Unread Only
Now we need to configure the rule filters, ie what criteria should be matched in order to trigger this Runbook.
Subject – Contains “Alert level 10”
Body – Contains “WEB-IIS cmd.exe access”
Now you have the ability to get orchestrator to do “something” if the rules are matched like adding the IP address from within the email body to a firewall blocking rule. Additionally instead of monitoring a mailbox, you could get Orchestrator to monitor a log file for the exact same criteria.
I’ve assumed a certain level of Orchestrator knowledge with this post but it shouldn’t be too difficult to work out 🙂