Alert view for reboot events 1074 and 6009 shows nothing

Question

  • In order for us to not get false positives on server health, we've had to push the monitor out to 5 min.

    This is fine, but I'm trying to set up an alert/event view monitor that will show user32 event 1074 and event log 6009 events from a reboot.

    After setting this up, I'm getting nothing in the console even though the events are on the server. How do event monitors handle server reboots? Is it possible the agent service is stopping before the shutdown event and after the startup event so that nothing appears in the console? Or does this just sound like a config problem on the monitor?

    FYI, we are using SCOM 2012 SP1 UR3.

    Friday, August 23, 2013 5:15 PM

Answers

  • If the monitor was configured to close alerts it generates, this would be why your alert view, which is only using this monitor as the source, would not show new alerts. Make sure to configure the view to show new and closed alerts.

    I would have gone with creating a rule to generate an alert using the event log; I think that would be a better way to go about this. Give it a try and see if it works better. Also, you can create a view using that one rule as the source, to show open and closed alerts that the rule generates.

    Hope this helps!


    Scott Moss MVP (Operations Manager) President - System Center Virtual Users Group |Vice President - Atlanta Southeast Management Users Group (ATL SMUG)
    Please remember to click “Mark as Answer” on the post that helps you!
    my new blog om2012.wordpress.com

    Wednesday, August 28, 2013 10:45 PM

All replies

  • The SCOM agent should watermark where it left off, then pick up from that point when it comes back to life. I am not sure what monitor type you are using, but this is possible.

    Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.

    Friday, August 23, 2013 5:33 PM
  • Hi

    To monitor server reboots, you need to go for port (ICMP) monitoring instead of event ID monitoring, as on server reboot the events will be logged on the monitoring server and the SCOM agent running on the server will not be able to connect to the management server to generate an alert, as all connections will be closed during the reboot.

    SCOM by default generates an alert (heartbeat alert) for server unavailability, but it has a limitation, as below:

    If the heartbeat interval is x and the count is y, then SCOM will generate an alert if the agent is down for (X-1)*y (example: if the heartbeat interval is 120 and the count is set to 3, then SCOM will generate an alert if the agent is down for 240 seconds, i.e. you will never get an alert if the agent reboots in <240 sec.)

    http://technet.microsoft.com/en-us/library/hh212798.aspx

    Port monitoring will monitor a particular port on a server from a watcher node.

    Refer to the link below for port monitoring:

    http://technet.microsoft.com/en-us/library/hh457544.aspx

    Regards

     


    sridhar v


    Monday, August 26, 2013 5:47 AM
  • Unfortunately, the heartbeat monitor is set to only alert after 5 min; anything lower than that causes false positives in our environment, particularly during overnight backup hours.

    With the threshold set to 5 min, there will never be an alert for a straight reboot.

    Monday, August 26, 2013 4:23 PM
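
    Added example, not part of the original thread: a PowerShell sketch that pairs each User32 1074 shutdown request with the next 6009 boot event and flags reboots shorter than the 5 min heartbeat threshold mentioned above, which are the ones only an event-based rule or monitor can surface. The function name `Get-RebootWindow`, its parameters and the sample events are assumptions made for illustration; the gap is approximate, since 1074 is logged when the shutdown is requested and 6009 when the Event Log service starts at boot.

```powershell
# Added example (hypothetical helper, not SCOM code): pair each shutdown
# request (event 1074) with the next boot marker (event 6009) and flag
# reboots that finished faster than the heartbeat alert threshold.
function Get-RebootWindow {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects exposing Id and TimeCreated
        [int] $ThresholdSeconds = 300                # 5 min, the threshold from the thread
    )
    $pending = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq 1074) {
            # Keep the most recent shutdown request seen before a boot.
            $pending = $e
        }
        elseif ($e.Id -eq 6009 -and $pending) {
            $gap = ($e.TimeCreated - $pending.TimeCreated).TotalSeconds
            [pscustomobject]@{
                ShutdownRequested = $pending.TimeCreated
                BootLogged        = $e.TimeCreated
                GapSeconds        = [int]$gap
                BelowThreshold    = $gap -lt $ThresholdSeconds
            }
            $pending = $null
        }
        # A 6009 with no preceding 1074 (crash or power loss) is skipped here.
    }
}

# Constructed sample events (not real log data).
$sample = @(
    [pscustomobject]@{ Id = 1074; TimeCreated = [datetime]'2013-08-23T02:10:00' }
    [pscustomobject]@{ Id = 6009; TimeCreated = [datetime]'2013-08-23T02:12:30' }
    [pscustomobject]@{ Id = 1074; TimeCreated = [datetime]'2013-08-24T01:00:00' }
    [pscustomobject]@{ Id = 6009; TimeCreated = [datetime]'2013-08-24T01:09:00' }
)
Get-RebootWindow -Events $sample | Format-Table -AutoSize

# On a live server, read the same event IDs from the System log instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6009 }
# Get-RebootWindow -Events $live | Format-Table -AutoSize
```

    With the constructed sample, the first reboot (150 seconds) is flagged as below the threshold and the second (540 seconds) is not.
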
  • Thanks for your insight on how the event log monitor works. There must be a config issue with my monitor.


    • Edited by shurton Monday, August 26, 2013 4:26 PM
    Monday, August 26, 2013 4:24 PM