How MOM Works

MOM is an event and performance datadriven monitoring system that effectively allows for large-scale management of mission-critical servers. Organizations with a medium to large investment in Windows Server 2003 or Windows 2000 servers will find that MOM allows for an unprecedented ability to keep on top of the tens of thousands of event log messages that occur on a daily basis. In its simplest form, MOM performs two functions: processing gathered events and performance data, and issuing alerts and automatic responses based on those data.

MOM provides for several major pieces of functionality, as follows:

• Event Log Consolidation MOM Agents, deployed on managed systems, forward all event log information to a central MOM SQL Server database, which is managed and groomed by MOM. This data is used for reporting, auditing, and monitoring the specific events.

• Advanced Alerting Capabilities MOM provides advanced alerting functionality by enabling email alerts, paging, and functional alerting roles to be defined.

• Performance Monitoring MOM collects performance statistics that can let an administrator know whether a server is being overloaded or is close to running out of disk space, among other things.

• Built-in Application-specific Intelligence MOM management packs are packages of information about a particular application or service, such as Windows Server 2003, FRS, DNS, DHCP, Exchange Server, or other applications. The Microsoft management packs are written by the design teams for each individual product, and they are loaded with the intelligence and information necessary to properly troubleshoot and identify problems.

Processing Events and Performance Data

MOM manages Windows Server 2003 networks through event consolidation and performance data gathering. It collects application, system, and security events throughout the Windows Server 2003 network and writes them to a single database repository. Processing rules define how MOM collects, handles, and responds to the information gathered. MOM processing rules handle incoming event data and allow MOM to react automatically, either to respond to a predetermined problem scenario, such as a failed hard drive, with a predefined action (trigger an alert, execute a command or script) or to consolidate multiple events into one event that correlates a group of related events. The processing rules also enable MOM to automatically determine which events are important to a network administrator, minimizing administrative overhead.

Generating Alerts and Responses

MOM processing rules can generate alerts based on critical events or performance thresholds that are met or exceeded. An alert can be generated by a single event or by a combination of events or performance thresholds. For example, a failed fan can generate a simple alert, whereas a failed database generates a more complex alert relating to the failed SQL database services and IIS Web pages that rely on the availability of the database. Alerts can also be configured to trigger responses such as email, pages, Simple Network Management Protocol (SNMP) traps, and scripts to notify administrators of potential problems.

MOM can be configured to notify various IT groups. For example, an alert triggered by a failed database can alert the help desk with email and the database administrator with email and a paged message. In brief, MOM is completely customizable in this respect and can be modified to fit most alert requirements.