SCOM event collection rule

  • General discussion

  • Hi,

    I want to disable all the SCOM event collection rules and monitors which are not creating an alert (to increase the performance). I have exported all the event collection rules using a PowerShell command, but how can I filter only the rules which are not creating alerts? Can anyone help me?

    • Changed type Saradsa Thursday, January 4, 2018 7:02 AM
    Thursday, January 4, 2018 6:38 AM

All replies

  • The property WriteActionCollection contains the information regarding the collected information. That could be a couple of things: WriteToDB (Write to the OperationsManager Database), WriteToDW (Write to the DataWareHouse database), GenerateAlert (this explains itself), etc. 

    With the command below you can easily see which types of actions occur most often in your environment:

    (Get-SCOMRule).WriteActionCollection.Name | Group-Object | Sort-Object count | Select-Object name,count

    If you create a query that excludes everything related to alerts, it would work. The majority of the event collection rules only use WriteToDB and/or WriteToDW. PerformanceCollections only use these as well. Therefore you could use the category, but that one is free to use and therefore not the best one to use. Maybe better to create a query that filters on ConditionDetection.

    # Keep only rules that are neither performance collection nor alert generating (-and, not -or)
    $rules = Get-SCOMRule | ? { (-not ($_.ConditionDetection.Name -match "perf")) -and (-not ($_.WriteActionCollection.Name -match "alert")) }

    Now you have a good base to start. We know for sure that WriteToDB and WriteToDW WriteActions are used by event collection rules, therefore this command reveals what they are:

    $rules | ? { $_.WriteActionCollection.Name -contains "WriteToDB" -and $_.WriteActionCollection.Name -contains "WriteToDW" }

    There are other WriteActions as well that potentially do this, but this is a very good start. I see for example two WriteActions named CollectEventData and CollectEventDataWarehouse that look very suspicious. Therefore you can potentially query on them as well.

    Thursday, January 4, 2018 8:55 AM
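
An added example, not part of the reply above: it sorts rules into alerting, performance, collection-only and "review" groups using the write action names mentioned in the thread, so rules with unrecognised write actions are not silently lumped in with collection-only ones. The sample rules are constructed so the script runs without a management group; treating CollectEventData and CollectEventDataWarehouse as collection write actions is an assumption, and `New-SampleRule` and `Get-RuleActionClass` are hypothetical helper names.

```powershell
# Added example. Constructed sample objects model only the properties used in the
# thread (Name, ConditionDetection.Name, WriteActionCollection.Name).
function New-SampleRule($Name, $ConditionDetection, [string[]]$WriteActions) {
    [pscustomobject]@{
        Name                  = $Name
        ConditionDetection    = if ($ConditionDetection) { [pscustomobject]@{ Name = $ConditionDetection } }
        WriteActionCollection = @($WriteActions | ForEach-Object { [pscustomobject]@{ Name = $_ } })
    }
}

function Get-RuleActionClass {
    param([Parameter(Mandatory)] $Rule)
    $names = @($Rule.WriteActionCollection | ForEach-Object { $_.Name })
    $cd    = [string]$Rule.ConditionDetection.Name

    # Any write action whose name mentions "alert" marks the rule as alerting.
    if ($names -match 'alert') { return 'Alerting' }
    # Same heuristic as the reply: "perf" in the condition detection name.
    if ($cd -match 'perf')     { return 'Performance' }

    # Assumption: these four names are pure collection write actions.
    $collect = 'WriteToDB', 'WriteToDW', 'CollectEventData', 'CollectEventDataWarehouse'
    $unknown = @($names | Where-Object { $_ -notin $collect })
    if ($names.Count -gt 0 -and $unknown.Count -eq 0) { return 'CollectionOnly' }

    # Anything else (custom or unnamed write actions) needs a human decision.
    return 'Review'
}

# Constructed sample data; in a real environment use: $rules = Get-SCOMRule
$sampleRules = @(
    New-SampleRule 'Sample.EventCollect'  $null        'WriteToDB', 'WriteToDW'
    New-SampleRule 'Sample.EventAlert'    $null        'GenerateAlert'
    New-SampleRule 'Sample.PerfCollect'   'PerfMapper' 'WriteToDB', 'WriteToDW'
    New-SampleRule 'Sample.EventCollect2' $null        'CollectEventData', 'CollectEventDataWarehouse'
    New-SampleRule 'Sample.CustomAction'  $null        'WriteToDB', 'RunScript'
)

$sampleRules |
    Select-Object Name,
        @{ n = 'Class';        e = { Get-RuleActionClass $_ } },
        @{ n = 'WriteActions'; e = { $_.WriteActionCollection.Name -join ',' } } |
    Sort-Object Class, Name |
    Format-Table -AutoSize
```

Because write action names are free-form module IDs chosen by the management pack author, the 'Review' group is the one to inspect by hand before disabling anything.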