How to create a SCOM Windows Events Monitor and alert on the Description field

When creating a monitor that alerts on event logs, you may want to monitor based on keywords in the description field. This is not a default parameter and needs a few extra steps, but it is still very easy to accomplish once you know the steps.

Here are the two variables you will be adding to the monitor:

Parameter name: EventDescription

Alert description: $Data/EventDescription$

1. When you are creating the Event Expression, click Insert, then click the “…” button under Parameter Name.

2. Select “Use Parameter Name not specified above” and enter EventDescription.

[Screenshot: Select an Event Property - EventDescription]

3. Change your operator to Contains.

4. Under Value, enter the words you want to find in the description field.

[Screenshot: Build Event Expression - operator and value]

THIS IS NOT DONE!!!!

5. Continue to build your rule until you arrive at the Configure Alerts page. Enter the value $Data/EventDescription$ in the Alert description window. If you do not, you will receive errors.

6. Create the rule, and refresh however you like. When I am in a hurry, I restart the health service on the server that I am monitoring.

7. The OpsMgr Event Creator tool is not going to work for testing your rule, because it does not allow you to create custom descriptions. Log on to the server that you want to monitor and open a command window. Using the eventcreate command, type the following:

eventcreate /t error /ID 1000 /d "fieldxu.exe THIS IS JUST A TEST BY Brad Hearn"

/t sets the event type (an error here)

/ID is the event ID

/d is what will be placed into the description field. Remember to place quotes around your text.
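An added example, not part of the original post: a PowerShell version of the test in step 7 that writes the event and then reads it back from the Application log, confirming the keyword is in the description before you wait for the SCOM alert. It names the log explicitly with /l, which the post's command does not, and assumes the monitor reads the Application log; the event ID and keyword are the post's test values.

```powershell
# Added example: test values are the ones used in the post.
$EventId     = 1000
$Keyword     = 'fieldxu.exe'
$Description = "$Keyword THIS IS JUST A TEST"

# Look back a few seconds so timestamp rounding cannot hide the new event.
$since = (Get-Date).AddSeconds(-5)

# Write the test event. /l is given explicitly here (assumption: the monitor
# reads the Application log); /t, /id and /d are the switches from the post.
& eventcreate.exe /l APPLICATION /t ERROR /id $EventId /d $Description | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "eventcreate exited with code $LASTEXITCODE; the event was not written."
}

# Read the event back. Get-WinEvent raises an error when nothing matches,
# so silence that and treat an empty result as a failed test.
# The Where-Object filter is a case-sensitive substring check on the
# rendered description, the field the monitor's Contains expression targets.
$filter = @{ LogName = 'Application'; Id = $EventId; StartTime = $since }
$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -and $_.Message.Contains($Keyword) })

if ($hits.Count -eq 0) {
    Write-Warning "No event $EventId containing '$Keyword' was found; SCOM has nothing to match."
} else {
    $hits | Select-Object TimeCreated, Id, ProviderName, Message | Format-List
    Write-Output "Description contains '$Keyword'; the alert should follow once the agent has the rule."
}
```

If the event is found here but no alert appears, the problem is on the SCOM side (the expression, the alert description value, or the agent not yet having the rule) rather than in the test event.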

The alerts will look something like this.

Hope this helps out.

Comments

3 Responses to “How to create a SCOM Windows Events Monitor and alert on the Description field”

  1. Maxim on July 15th, 2009 4:54 pm

    Hi!
    $Data/EventDescription$ for alert description didn’t work in my installation. $Data/Context/EventDescription$ – works ok.

  2. Henry Isham on November 4th, 2009 10:46 pm

    This is very helpful, thank you. However, I’m stuck on setting up a notification based on this specific alert. I can set up a general notification subscription for all alerts of type Critical. However, I’m interested in targeting the notification for this particular alert, to a set of users. Any ideas?

    -Henry

  3. Brad Hearn on November 5th, 2009 2:30 pm

    Hi Henry,

    There are a couple of ways to do this. The simplest would be if you are running R2. If you are then you can right click on the alert under Alerts View when it is triggered and select “Notification Subscription”. This will launch a wizard that will create a notification for the alert and allow you to assign it to a subscriber.

    If you are not at R2 Level, then you can create a custom alert. In the criteria section you will want to only select “Created by specific rules or monitors”. Then you can specify which monitor you want to alert on. Again, you will be able to assign this subscription to a subscriber of your choice.

    Hope this helps.

    Brad
