Friday, March 8, 2013

SCOM 2012 - How to Generate Alerts from the Event Log

As a continuation of how to set up some custom monitors, I wanted to expand on the previous segment, How to Generate Alerts from a Log File, and talk about how to create an alert from an event in the Event Logs. If you are given a choice, monitoring the event log is preferable to monitoring a log file: events carry a fixed ID and source to match on, so the results tend to be more consistent than text matching, at least in my experience.

First go to the Authoring space, then Management Pack Objects, then Monitors. Scope the list to Windows Computers. Expand Windows Computers and Entity Health. Right-click Availability and select Create a Monitor, then Unit Monitor...

When the Create a unit monitor wizard opens, expand Windows Events, then Repeated Event Detection (we did Simple Events last time, so this time I want to show you how to look for repeated events). Under Repeated Events you again have three choices:
  • Manual Reset - 1 State, Alert - Manually resolve
  • Timer Reset - 2 State, Alert and Auto Resolve (Time Based)
  • Windows Event Reset - 2 State, Alert and Auto Resolve
For this example we are going to use Timer Reset, which returns the monitor to healthy after a fixed time whether or not the events have stopped. Select a management pack (not the Default Management Pack) and click Next.

In General Properties, give the monitor a name, uncheck Monitor is enabled, and click Next. Leaving it disabled means the monitor is not immediately live on every Windows Computer; we will enable it for a single test server with an override at the end.

In Event Log Name, select the event log you are targeting; in our case it will be Application. Click Next.

For Build Event Expression, enter the ID of the event you will be looking for and the Event Source. Both are matched exactly against the event as written to the log, so copy the source name as it appears in Event Viewer. Click Next.

In the Repeat Settings, change the Counting Mode to Trigger on count, set the Compare Count to 10, and set the interval time to 5 Minutes. The monitor subscribes to the event log and counts matching events as they arrive; if the count reaches 10 within 5 minutes of the first matching event it changes state and generates an alert. Note that Trigger on count uses a fixed window that starts at the first matching event; if you want a moving window, the wizard also offers Trigger on count, sliding. Click Next.

Next, set your Auto Timer Reset to 2 minutes. Two minutes after the monitor goes unhealthy it returns to healthy on its own, and the alert it raised is auto-resolved and closed. Click Next.

Now we want to configure the health settings for the failure and healthy states. Change Repeated Event Raised to Critical and click Next.

For Configure alerts, check Generate alerts for this monitor. You can configure the alert name, priority, severity and description as required for your particular situation. Click Create.

Now we need to enable the monitor for your test server. Right-click the monitor and select Overrides, then Override the Monitor, then For a specific object of class: Windows Computer. You will be asked for the computer name; select it and click OK. In the Override, check the Enabled row and change the Override Value to True. Click Apply.

In Windows Server 2008R2 - How to Create an Event Log Event I showed you how to manually generate events. You can use this to create 10 matching failures inside the 5-minute window and make sure the monitor is working correctly.
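If you would rather script the test than click through Event Viewer, the following PowerShell does the same thing in one pass. It is an added example, not code from the original post: it registers a source, writes a burst of events matching the monitor's filter, and then counts the matching events in the last five minutes using the same log, source and ID the monitor applies, so you can see the threshold being met before you look for the alert. The source name SCOMTest, event ID 1000 and the message text are assumptions for the demo; replace them with whatever you entered in Build Event Expression. Run it in an elevated PowerShell session on the server you enabled the monitor for.

```powershell
# Added example (not from the original post). Assumptions: source 'SCOMTest'
# and event ID 1000 are placeholders; they must match the monitor's
# Build Event Expression. Count and window mirror the Repeat Settings above.
$LogName = 'Application'
$Source  = 'SCOMTest'   # assumed; must equal the monitor's Event Source
$EventId = 1000         # assumed; must equal the monitor's Event ID
$Count   = 10           # Compare Count from Repeat Settings
$Window  = 5            # interval (minutes) from Repeat Settings

# Register the source once; Write-EventLog fails for an unregistered source.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# Write the burst quickly so every event lands well inside one 5-minute window.
$start = Get-Date
1..$Count | ForEach-Object {
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
        -EntryType Error -Message "SCOM repeated-event test $_ of $Count"
    Start-Sleep -Milliseconds 200
}

# Check: count events matching log, source and ID in the last $Window minutes.
# Get-WinEvent raises an error when nothing matches, so suppress it and
# wrap in @() so an empty result still has a .Count of 0.
$found = @(Get-WinEvent -FilterHashtable @{
    LogName      = $LogName
    ProviderName = $Source
    Id           = $EventId
    StartTime    = $start.AddMinutes(-$Window)
} -ErrorAction SilentlyContinue)

"{0} matching events in the last {1} minutes (monitor threshold: {2})" -f $found.Count, $Window, $Count
if ($found.Count -ge $Count) {
    "Threshold met: the monitor should go Critical and the alert should appear in Active Alerts."
} else {
    "Threshold not met: check that source and ID match the monitor's Build Event Expression."
}
```

After running it, open Health Explorer for the test server and watch the monitor go Critical; with the 2-minute Auto Timer Reset it should return to Healthy and the alert should close on its own shortly afterwards. If the counter reports 10 but no alert appears, the usual causes are the override not yet applied on the agent, or a source or ID that differs from what the monitor was built with.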

More to come!



  1. In the last portion (overriding), can I select a group rather than selecting a specific PC?

    1. Yes, you can select groups as a possible choice for the override.