none
Get alert description property from related monitor or rule

    Question

  • How do I get a monitor's or rule's related alert description?  I prefer using powershell for this.  Essentially I want to document what will get generated in the alert description when a particular rule or monitor fires.

    For example, I have the output from get-monitor and I want to get the related alert configuration properties:

    >get-monitor -id cf09d891-8b2a-b830-c4a0-1e14beb2bd98


    ManagementGroup            : DEVR2
    ManagementGroupId          : 593bccef-bb82-f561-40c2-358ca5b1dbd7
    HasNonCategoryOverride     : True
    TypeID                     : ManagementPackElementUniqueIdentifier=594a8231-2815-af64-d08f-6b772802982c
    ConfirmDelivery            : False
    OperationalStateCollection : {StatusOK, StatusFailed}
    Configuration              : <TargetSystem>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/Network
                                 Name$</TargetSystem><Uri>http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/
                                 SCX_FileSystemStatisticalInformation?__cimnamespace=root/scx</Uri><Filter/><Spli
                                 tItems>true</SplitItems><Interval>300</Interval><InstanceName>$Target/Property[T
                                 ype="Unix!Microsoft.Unix.LogicalDevice"]/DeviceID$</InstanceName><InstanceProper
                                 ty>//*[local-name()="Name"]</InstanceProperty><Status>//*[local-name()="IsOnline
                                 "]</Status><ExpectedStatus>true</ExpectedStatus>
    XmlTag                     : UnitMonitor
    Enabled                    : true
    Target                     : ManagementPackElementUniqueIdentifier=71ebe598-7397-c099-6b90-c879bb4b875b
    ParentMonitorID            : ManagementPackElementUniqueIdentifier=a6c69968-61aa-a6b9-db6e-83a0da6110ea
    Remotable                  : True
    Priority                   : Normal
    RunAs                      :
    Category                   : PerformanceHealth
    AlertSettings              : Microsoft.EnterpriseManagement.Configuration.ManagementPackMonitorAlertSettings
    Accessibility              : Public
    Name                       : Microsoft.HPUX.11iv2.LogicalDisk.DiskHealth.Monitor
    Id                         : cf09d891-8b2a-b830-c4a0-1e14beb2bd98
    DisplayName                : Logical Disk Health
    Description                : HPUX 11iv2 Logical Disk Health Monitor
    LanguageCode               : ENU
    Comment                    :
    Status                     : Unchanged
    LastModified               : 2/9/2011 9:16:08 PM
    TimeAdded                  : 9/25/2009 7:15:40 PM


    Ted
    Wednesday, January 18, 2012 3:39 PM

Answers

  • Getting AlertParameters is easier than digging into mp.configurationgroup. You already have them in monitors' and rules' confgis. For example:

    Monitor...

    $monitor.alertsettings

    AlertMessage     : ManagementPackElementUniqueIdentifier=98afec8f-4768-a66f-595f-13c33e00c29f
    AlertOnState     : Error
    AutoResolve      : True
    AlertPriority    : Normal
    AlertSeverity    : MatchMonitorHealth
    AlertParameter1  : $Target/Property[Type="Windows!Microsoft.Windows.LogicalDevice"]/DeviceID$
    AlertParameter2  : $Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$
    AlertParameter3  : $Data/Context/Property[@Name='PctFree']$
    AlertParameter4  : $Data/Context/Property[@Name='MbFree']$

    or Rule...

    ([xml]$config).root

    Priority        : 1
    Severity        : 1
    AlertMessageId  : $MPElement[Name="Microsoft.Wi...
    AlertParameters : AlertParameters
    Suppression     : Suppression

    (([xml]$config).root).alertparameters

    AlertParameter1
    ---------------
    $Data/EventDescription$

    I might be wrong but I don't think you can go any further than this $data/event/... because, as I understand, these values are filled only when the alert fires. Especially in event based rules- the full description is taken from the target server eventlog, until then there's no other info or exact figures.

    How to replace {0} with alertsettings...you may use some string methods I think. Like replacing "{0}" with ($monitor.alertsettings).("alertparameter"+ "i+1") # where i=0 taken from {0}

    Hope that helps.
    Best regards. Alex
    • Marked as answer by Ted T Hacker Wednesday, January 25, 2012 7:50 PM
    Wednesday, January 25, 2012 3:58 PM

All replies

  • The alert configuration is already there. It is after Configuration: it is noted in XML.

    If you need a description of a specific alert (generated by the monitor), use the get-alert cmdlet


    Regards,
    Marc Klaver
    http://jama00.wordpress.com/
    Thursday, January 19, 2012 7:17 AM
  • Thanks for the responses.

    It seems like MPVIEWER is not a scriptable utility.  It is not clear how I could use that in a script to determine what the alert description will be when a monitor or rule trips.

    I don't see the alert description embedded within the configuration property of the monitor object.

    >(get-monitor -id cf09d891-8b2a-b830-c4a0-1e14beb2bd98).configuration
    <TargetSystem>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</TargetSystem><Uri>htt
    ://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_FileSystemStatisticalInformation?__cimnamespace=root/
    cx</Uri><Filter/><SplitItems>true</SplitItems><Interval>300</Interval><InstanceName>$Target/Property[Type="U
    ix!Microsoft.Unix.LogicalDevice"]/DeviceID$</InstanceName><InstanceProperty>//*[local-name()="Name"]</Instan
    eProperty><Status>//*[local-name()="IsOnline"]</Status><ExpectedStatus>true</ExpectedStatus>

    When I use the GUI to get the alert description, it looks like the following for the monitor referenced above:  "The status for disk $Target/Property[Type="Unix!Microsoft.Unix.LogicalDevice"]/DeviceID$ is not healthy."

    I am assuming the management pack containing the alert description and monitors, etc. is installed in a SCOM management group.  I have been using powershell to get the list of monitors in a particular management pack and now I want to know some of the alert properties.

    I suppose I could use a SQL query to get the data, but the downside with that is that MS could change where it is located.  My preference is to use powershell directly.

    Got any ideas?


    Ted
    Thursday, January 19, 2012 2:51 PM
  •  

    Hi,

     

    Please see if you can get the similar information referring to the SQL queries “Top 20 Alerts in an Operational Database, by Alert Count” and “Top 20 Alerts in an Operational Database, by Repeat Count”:

     

    Useful Operations Manager 2007 SQL queries

    http://blogs.technet.com/b/kevinholman/archive/2007/10/18/useful-operations-manager-2007-sql-queries.aspx

     

    Hope this helps.

     

    Thanks.


    Nicholas Li

    TechNet Community Support

    Friday, January 20, 2012 4:58 AM
  • Hi!

    One of the properties the get-monitor cmdlet gives you is "AlertSettings".

    $monitor.alertsettings gives you:

    AlertMessage     : ManagementPackElementUniqueIdentifier=98afec8f-4768-a66f-595f-13c33e00c29f
    AlertOnState     : Error
    AutoResolve      : True
    AlertPriority    : Normal
    AlertSeverity    : MatchMonitorHealth

    ....and so on. We need the first line- AlertMessage.

    It's a link to StringResources in the management pack containing your monitor.

    So save the id (I saved it as a string) and get the management pack.

    Now, the managementpack has the getstringresources() method. (Find it through $MP | gm)

    $MP.getstringresources() | where {$_.id -eq $PreviouslySavedId}

    ManagementGroup   : ###
    ManagementGroupId : ####
    XmlTag            : StringResource
    Name              : Microsoft.Windows.Server.2003.LogicalDisk.FreeSpace.AlertMessage
    Id                : #######
    DisplayName       : Logical Disk Free Space is low
    Description       : The disk {0} on computer {1} is running out of disk space. The values that exceeded the threshold are {2}% free space and {3} free Mbytes.

    ...

    Hope that helps.


    Best regards. Alex
    • Proposed as answer by Marc Klaver Monday, January 23, 2012 1:56 PM
    Monday, January 23, 2012 10:34 AM
  • Thanks for both of your comments.  We're getting closer.

    The information related to "Top 20 Alerts in an Operational Database, by Alert Count"  or the AlertView is for alerts that have already generated.  The alert description in the db is the same sort of one derived below with {0} and similar parameters.  The values of those parameters are resolved in this table to the actual values.  I am looking for more of a general answer.

    Here is the example of what I would love to get:  "The status for disk $Target/Property[Type="Unix!Microsoft.Unix.LogicalDevice"]/DeviceID$ is not healthy."

    $MonitorId is defined elsewhere but contains a valid goid value for a monitor which has an alert.

      $Monitor = get-monitor -id $MonitorId
      $mp=get-managementpack ($Monitor.getmanagementpack()).id.tostring()
      $Description = $mp.getstringresources() | where {$_.id -eq ((($Monitor.alertsettings).alertmessage).id).tostring()}


      #At this point the description contains a string of characters with embedded variables which are {n} where n=0,1,2...
      # and those variables are located in the management pack under the <AlertParameters> section within the rule/monitor definition.

    So is there a way to do this for rules which alert?  The output of the get-rule does not contain a property called alertsettings

    Also, is there a way to resolve the AlertParameters to their strings?  The real name strings are more meaningful than just the parameter numbers, {1}

    I see that the output of the get-rule has an interesting property called writeactioncollection which should contain the alert information.  It is not clear how to get from this to the real or even parameterized description.

    >$r.WriteActionCollection


    ManagementGroup   : GlobalProd
    ManagementGroupId : ca7c92de-a7ca-284b-206d-8c8186f950ad
    TypeID            : ManagementPackElementUniqueIdentifier=17b7ae4b-5f28-42ab-abeb-5e69b433968d
    Target            :
    RunAs             :
    Configuration     : <Priority>1</Priority><Severity>1</Severity><AlertMessageId>$MPElement[Name="Microsoft.Wi
                        ndows.Server.2000.OperatingSystem.DuplicateNameonNetwork.Alert.AlertMessage"]$</AlertMess
                        ageId><AlertParameters><AlertParameter1>$Data/EventDescription$</AlertParameter1></AlertP
                        arameters><Suppression><SuppressionValue/></Suppression>
    Name              : GenerateAlert
    Id                : a573beba-e52c-4e83-3669-29677bd2a9ca
    ParentElement     : Microsoft.Windows.Server.2000.OperatingSystem.DuplicateNameonNetwork.Alert
    DisplayName       :
    Description       :
    LanguageCode      :

    Do you have any ideas?


    Ted
    Monday, January 23, 2012 7:48 PM
  • It a bit tricky but let's try :)

    We get the WriteActionCollection. It's really a collection even if it has only 1 member, so..

    $config = $r.writeactioncollection[0].configuration

    #you may have several writeactions, pick the one named "Alert" or "GenerateAlert"

    $config = "<root>" + $config + "</root>" #making it easier to work with

    ([xml]$config).root

    Priority         : 2
    Severity         : 2
    AlertName        :
    AlertDescription :
    AlertOwner       :
    AlertMessageId: $MPElement[Name="MomUIGeneratedRuled2c072193e154c0a8bd3d54b15dc04e8.AlertMessage"]$
    AlertParameters  : AlertParameters
    Suppression      :
    Custom1          :

    (([xml]$config).root).AlertMessageId

    $MPElement[Name="MomUIGeneratedRuled2c072193e154c0a8bd3d54b15dc04e8.AlertMessage"]$

    Now we need to get the name  of a StringResource from the AlertMessageID string. Should be easy, so I'll just copy-paste.

    $MP.getstringresources() | where {$_.name -eq "MomUIGeneratedRuled2c072...blablabla"}

    # that's a custom rule I work with so the name is a bit weird. Note that we're using names here, not IDs

    And you get the same output as in the Monitor example above.


    Best regards. Alex
    • Edited by Alexander_G Tuesday, January 24, 2012 10:40 AM
    Tuesday, January 24, 2012 10:32 AM
  • Your help is getting me to what I need.  Thanks a ton.

    Nice trick with adding the <root></root> around the configuration, by the way. :)

    Is there a way to resolve the AlertParameter# to the value in the management pack?

    On the rule I was testing, Microsoft.Windows.Server.2000.OperatingSystem.EventLogFull.Alert the Alert Description turned out to be just {0}.

    Other rules' and monitors' alerts also contain various parameters which come from the MP.

    I think the alert parameters are hiding in $mp.getconfigurationgroup which is in turn hiding 'ManagementPackMonitorAlertSettings' which has something called AlertParameter1 through AlertParameter10.  I do understand that the parameter may be an MPElement string, but at least that is more descriptive than {0} or whatever.  It is just not clear how to get from

    Here is the code I have so far:

    $r = get-rule -id 4b8b724d-6344-e6d5-c7f8-1906eace7b03
    "Rule:"
    $r

    $mp=get-managementpack ($r.getmanagementpack()).id.tostring()

    $r.WriteActionCollection|
        where {$_.Name -match "Alert"}|
        foreach {
            $rAlertMessageId = ([xml]"<root>$($_.configuration)</root>").root.AlertMessageId
            #the rAlertMessageId has the name embedded for example:
            #$MPElement[Name="Microsoft.Windows.Server.2000.OperatingSystem.EventLogFull.Alert.AlertMessage"]$
            "AlertMessageId:"
            $rAlertMessageId
           
            # the following will get the description out of the related string, but sometimes that string contains
            #parameters that reside elsewhere in the MP.  

            "Alert Description:"
            $mp.getstringresources() |
                where {$_.name -eq ($rAlertMessageId.split("""")[1])} |
                foreach {$_.Description}
        }


    Ted
    Tuesday, January 24, 2012 7:27 PM
  • Getting AlertParameters is easier than digging into mp.configurationgroup. You already have them in monitors' and rules' confgis. For example:

    Monitor...

    $monitor.alertsettings

    AlertMessage     : ManagementPackElementUniqueIdentifier=98afec8f-4768-a66f-595f-13c33e00c29f
    AlertOnState     : Error
    AutoResolve      : True
    AlertPriority    : Normal
    AlertSeverity    : MatchMonitorHealth
    AlertParameter1  : $Target/Property[Type="Windows!Microsoft.Windows.LogicalDevice"]/DeviceID$
    AlertParameter2  : $Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$
    AlertParameter3  : $Data/Context/Property[@Name='PctFree']$
    AlertParameter4  : $Data/Context/Property[@Name='MbFree']$

    or Rule...

    ([xml]$config).root

    Priority        : 1
    Severity        : 1
    AlertMessageId  : $MPElement[Name="Microsoft.Wi...
    AlertParameters : AlertParameters
    Suppression     : Suppression

    (([xml]$config).root).alertparameters

    AlertParameter1
    ---------------
    $Data/EventDescription$

    I might be wrong but I don't think you can go any further than this $data/event/... because, as I understand, these values are filled only when the alert fires. Especially in event based rules- the full description is taken from the target server eventlog, until then there's no other info or exact figures.

    How to replace {0} with alertsettings...you may use some string methods I think. Like replacing "{0}" with ($monitor.alertsettings).("alertparameter"+ "i+1") # where i=0 taken from {0}

    Hope that helps.
    Best regards. Alex
    • Marked as answer by Ted T Hacker Wednesday, January 25, 2012 7:50 PM
    Wednesday, January 25, 2012 3:58 PM
  • Alex,

    Thanks for all your help with this.  It works like a dream.  Albiet slowly.

     


    Ted
    Wednesday, January 25, 2012 7:50 PM