locked
How do I build an override to add a new Event ID expression (from the Operations Manager Log) to a sealed Mgmt Pack RRS feed

  • Question

  • I have a sealed Microsoft Mgmt Pack, System Center Core Monitoring, that restores an alert/monitor back to a Healthy state if it detects the Event IDs 7024 or 2002 in the Operations Manager event log. I want to add the Event ID 7026 to this list, but I'm not able to add it directly because this MP is sealed.

    We have an Override MP for the System Center Core Monitoring MP, but I am confused as to how I add this new Event ID in the override MP.

    How can I add this new Event ID 7026 so the alert/monitor will enter a Healthy state when it is detected in the Operations Manager log?

    Thank you.

    Tuesday, September 15, 2015 6:01 PM

Answers

  • Hi BixbyBridge24,

    As i've learned you cannot edit directly in to sealed management packs. And on technet I've found the following:

    "There are two types of management packs

    • Sealed management packs: A sealed management pack (.mp file) cannot be modified.
    • Unsealed management packs: An unsealed management pack (.xml file) can be modified."

    - source: https://technet.microsoft.com/en-us/library/hh495652.aspx

    So back to your question "How can I add this new Event ID 7026 to the Management Pack?".

    If you have an Override management pack, you can create a new monitor. Follow the next steps:

    - Go to "Authoring" tab.
    - Right click on "Rules" (which can be found under Management Pack Objects)
    - Click on "create new rule"
    - Select "NT Event Log (Alert)" (which can be found under ->Alert Generating Rules -> Event Based)
    - Select the desitination Management Pack and click next(this is your Override Management Pack)
    - Type the rule "name, description (optional)"
    - Then click on "Select" at the rule target and search for the right target (e.g. Windows Server 2012 R2 Core) and click "OK" and click "Next".
    - Type a Log name in and click "Next".
    - Right click on "AND group" and click on "OR group"
    - Type the Event ID in and delete all other parameters and click "Next".
    - Now finish the Configure Alerts page. Type an "Alert name" Set the "Priority" and "Severity" and edit the Alert description if you want (NOTE: Leave the automatic genereted description, don't remove it, just type under it). And click on "Create".

    If you can't get it to work, you can add me on Skype. It's much easier to explain.

    Good luck :)

    Kind Regards,

    Osama Saleh

    Wednesday, September 16, 2015 4:47 PM

All replies

  • For sealed Management pack, there are little room for user to modify the monitor setting. It is all depend on the override option in which the monitor provided. If this monitor has no this override option, user cannnot change this setting.So, what is your monitor?
    Roger
    Wednesday, September 16, 2015 5:08 AM
  • It is the "RunAs Account or Password expired or incorrect" monitor. Under the Expression (Healthy Event) tab I want to add the Event ID 7026 alongside the current Event IDs 7024 and 2002.
    Wednesday, September 16, 2015 1:16 PM
  • Hi BixbyBridge24,

    As i've learned you cannot edit directly in to sealed management packs. And on technet I've found the following:

    "There are two types of management packs

    • Sealed management packs: A sealed management pack (.mp file) cannot be modified.
    • Unsealed management packs: An unsealed management pack (.xml file) can be modified."

    - source: https://technet.microsoft.com/en-us/library/hh495652.aspx

    So back to your question "How can I add this new Event ID 7026 to the Management Pack?".

    If you have an Override management pack, you can create a new monitor. Follow the next steps:

    - Go to "Authoring" tab.
    - Right click on "Rules" (which can be found under Management Pack Objects)
    - Click on "create new rule"
    - Select "NT Event Log (Alert)" (which can be found under ->Alert Generating Rules -> Event Based)
    - Select the desitination Management Pack and click next(this is your Override Management Pack)
    - Type the rule "name, description (optional)"
    - Then click on "Select" at the rule target and search for the right target (e.g. Windows Server 2012 R2 Core) and click "OK" and click "Next".
    - Type a Log name in and click "Next".
    - Right click on "AND group" and click on "OR group"
    - Type the Event ID in and delete all other parameters and click "Next".
    - Now finish the Configure Alerts page. Type an "Alert name" Set the "Priority" and "Severity" and edit the Alert description if you want (NOTE: Leave the automatic genereted description, don't remove it, just type under it). And click on "Create".

    If you can't get it to work, you can add me on Skype. It's much easier to explain.

    Good luck :)

    Kind Regards,

    Osama Saleh

    Wednesday, September 16, 2015 4:47 PM
  • Thank you for the reply Osama. I will give this a try. Thanks again
    Thursday, September 17, 2015 6:32 AM
  • This built-in monitor cannot override its Unhealthy expression and as a result, you should create your own "windows event Reset" monitor with unhealthy event id 7000 and 7026 and healthy event 7024 or 2002 or 7026

    Roger

    Thursday, September 17, 2015 8:17 AM