Monday, September 13, 2010

How to create a SCOM Windows Events Monitor and alert on the Description field

When creating a monitor that alerts on event logs, you may want to monitor based on keywords in the description field. This is not a default parameter and needs a few extra steps, but it is still very easy to accomplish once you know the steps.
Here are the two values you will be adding to the monitor:
Parameter name: EventDescription
Alert description: $Data/EventDescription$

1. When you are creating the Event Expression, click Insert, then click the "…" button under Parameter Name.
2. Select "Use Parameter Name not specified above" and enter EventDescription.
[Screenshot: Select an Event Property - EventDescription]
3. Change your operator to Contains.
4. Under Value, enter the words you want to find in the description field.
[Screenshot: Build Event Expression - operator and value]
5. Continue to build your rule until you arrive at the Configure Alerts page. Enter the value $Data/EventDescription$ in the Alert description window. If you do not, you will receive errors.
6. Create the rule, and refresh however you like. When I am in a hurry, I restart the health service on the server that I am monitoring.
7. To test your rule, the OpsMgr Event Creator tool is not going to work, because it does not allow you to create custom descriptions. Log onto the server that you want to monitor and open a command window. Using the eventcreate command, type the following:
eventcreate /t error /ID 1000 /d "fieldxu.exe THIS IS JUST A TEST BY Brad Hearn"
/t sets the event type to error
/ID is the event ID
/d is what will be placed into the description field. Remember to place quotes around your text.
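
Before waiting on the alert, it helps to confirm that the test event actually reached the log with the expected description. The PowerShell below is an added example, not part of the original post: it runs the same eventcreate test and reads the event back. The variable names and the test text are constructed, and it assumes eventcreate's defaults (Application log, source "EventCreate").

```powershell
# Added example: write a test event with eventcreate, then read it back and
# confirm the description contains the keyword the monitor is looking for.
$keyword     = 'fieldxu.exe'                    # the value entered in step 4
$description = "$keyword THIS IS JUST A TEST"   # constructed test text
$eventId     = 1000
$start       = Get-Date

# Same command as step 7; PowerShell quotes the description for us.
& eventcreate.exe /t error /id $eventId /d $description | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "eventcreate failed with exit code $LASTEXITCODE (it may need an elevated prompt)."
}

# Only look at events with this ID written since the script started.
$filter = @{
    LogName   = 'Application'
    Id        = $eventId
    StartTime = $start.AddSeconds(-5)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No event $eventId found in the Application log since $start."
    return
}

# Separate events whose description carries the keyword from those that do not.
# String.Contains is a case-sensitive comparison; that is this script's choice.
$hits   = @($events | Where-Object { $_.Message -and $_.Message.Contains($keyword) })
$misses = @($events | Where-Object { -not ($_.Message -and $_.Message.Contains($keyword)) })

foreach ($e in $hits) {
    "MATCH    {0:u}  source={1}  id={2}  description={3}" -f `
        $e.TimeCreated, $e.ProviderName, $e.Id, $e.Message
}
foreach ($e in $misses) {
    "NO MATCH {0:u}  source={1}  id={2}" -f $e.TimeCreated, $e.ProviderName, $e.Id
}

if ($hits.Count -eq 0) {
    Write-Warning "Event $eventId was logged, but no description contains '$keyword'."
}
```

If the script reports a match and no alert appears, the problem is on the monitor side (expression, target or a health service that has not picked up the new rule) rather than in the test event.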

The alerts will look something like this.

Hope this helps out.