locked
Alert generated from Windows Log Event in a particular Alert View RRS feed

  • Question

  • Hi,

    I have created a rule which generates an alert whenever event log is generated in Operations Manager Event Log with id = 1234. This rule targets my management pack and displays alert in Active Alert. But my management pack also has an alert view and I want this generated alert to show in my alert view.

    How can I implement changes in my management pack to preform this action?


    Regards, Ravi
    • Changed type Ravi_Raj Thursday, August 11, 2011 2:20 PM
    Thursday, August 11, 2011 2:16 PM

Answers

  • Hello Ravi,

    I know it is late reply, but I hope it helps..

    But you can do this simply using the Alert View (Select Conditions) with one of the following two options:

    1- With a specific name: (Your Alert Name, wildcards could be used)

    2- Created by specific sources: (Select your rule from the list)

    While createing the Rule,, your Rule Category must be Alert in order to to appear in the list of specific sources.

    "Rule Category is the key if you want to create a custom views based on specific sources (rule / monitor). So you need to select the right category for getting the desired results"

    Hope this helps!

    Regards,

    Mazen


    • Edited by Mazen AhmedMicrosoft employee Saturday, February 25, 2012 9:57 AM
    • Marked as answer by Ravi_Raj Monday, February 27, 2012 6:10 AM
    • Unmarked as answer by Ravi_Raj Monday, February 27, 2012 10:09 AM
    • Marked as answer by Ravi_Raj Monday, February 27, 2012 11:07 AM
    Saturday, February 25, 2012 9:53 AM
  • Ok i got the error I was doing. I corrected by following code:

    <SourceList>
      <Source>
        <Type>Rule</Type>
        <Id>$MPElement[Name='MY.MP.R2.$TemplateConfig/TypeId$.TopNodeFault.General.Rule']$</Id>
      </Source>
    </SourceList>

    But in SCOM Console when I see the property of this view, I find the source name as:

    created by: Microsoft.EnterpriseManagement.Mom.Internal.UI.ViewCreations.AlertViewCriteriaXSDSource sources

    I am not able to figure this out. But my view is working perfectly.


    Regards,
    Ravi

    • Marked as answer by Ravi_Raj Monday, February 27, 2012 11:07 AM
    Monday, February 27, 2012 11:07 AM

All replies

  • Hi

    What exactly does your rule target? It needs to target a class (and it can't target a management pack).

    You can scope your alert view to contain alerts from a specific class although this will display other alerts targeted at that class.

    Or one of the alert view criteria is to filter on a custom property - so you could include in your rule, a custom property that you can then target the alert view on.

    Cheers

    Graham


    New SCOM 2012 Blog! - http://www.systemcentersolutions.com/blog/
    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Thursday, August 11, 2011 3:00 PM
  • Hey,

    This rule er target means what I see in Create rule wizard(Rule Target, we have to select), but in the code the rule targets "MYMP.$TemplateConfig/TypeId$.Equipment", where Equipment is a class containing other entities like server components. In this rule i don't have any custom property as it only monitors the eventlog. I can show you the code:

     

    <Rule ID="MYMP.$TemplateConfig/TypeId$.ManagementPort.General.Rule" Enabled="true" Target="MYMP.$TemplateConfig/TypeId$.Equipment" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
    <Category>Alert</Category>
     <DataSources>
    	<DataSource ID="DataSource" TypeID="Windows!Microsoft.Windows.EventProvider">
    	 <ComputerName>.</ComputerName>
    	 <LogName>Operations Manager</LogName>
    	 <Expression>
    		<And>
    		 <Expression>
    			<SimpleExpression>
    			 <ValueExpression>
    				<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
    			 </ValueExpression>
    			 <Operator>Equal</Operator>
    			 <ValueExpression>
    				<Value Type="UnsignedInteger">1234</Value>
    			 </ValueExpression>
    			</SimpleExpression>
    		 </Expression>
    		 <Expression>
    			<SimpleExpression>
    			 <ValueExpression>
    				<XPathQuery Type="String">PublisherName</XPathQuery>
    			 </ValueExpression>
    			 <Operator>Equal</Operator>
    			 <ValueExpression>
    				<Value Type="String">Health Service Script</Value>
    			 </ValueExpression>
    			</SimpleExpression>
    		 </Expression>
    		</And>
    	 </Expression>
    	</DataSource>
     </DataSources>
     <WriteActions>
    	<WriteAction ID="GenerateAlert" TypeID="$Reference/Health$System.Health.GenerateAlert">
    	 <Priority>2</Priority>
    	 <Severity>2</Severity>
    	 <AlertName />
    	 <AlertDescription />
    	 <AlertOwner />
    	 <AlertMessageId>$MPElement[Name="MYMP.$TemplateConfig/TypeId$.ManagementPort.General.Rule.StringResource"]$</AlertMessageId>
    	 <AlertParameters>
    		<AlertParameter1>$Data/EventDescription$</AlertParameter1>
    	 </AlertParameters>
    	 <Suppression>
    		<SuppressionValue>$Data/EventDescription$</SuppressionValue>
    	 </Suppression>
    	 <Custom1 />
    	 <Custom2 />
    	 <Custom3 />
    	 <Custom4 />
    	 <Custom5 />
    	 <Custom6 />
    	 <Custom7 />
    	 <Custom8 />
    	 <Custom9 />
    	 <Custom10 />
    	</WriteAction>
     </WriteActions>
    </Rule>
    
    
    Can you tell me what changes I have to do. How can i change the scope of the alert view?

     


    Regards, Ravi
    Friday, August 12, 2011 3:53 AM
  • Hi

    As part of the write actions (in the Authoring console, Rules, Actions - you can configure the custom attributes). So when event 1234 is detected, as part of the alert a custom property (e.g. 10) can be set to "Equipment.Problem"

    Then scope the view to Custom Property 10 = Equipment.ProblemX

    You could use this to get more granular with different types of problems.

    So scope a view to CustomProperty 10 contains Equipment to show all equipment problems

    Then have "sub-alert" views which are scoped to Equipemnt.ProblemX etc so that the problems can be segregated. It depends on the situation as to what works best.

    Cheers

    Graham


    New SCOM 2012 Blog! - http://www.systemcentersolutions.com/blog/
    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Friday, August 12, 2011 9:19 AM
  • This is all fine but the MP implementation is rather different. I can show you the code which shows all the alerts generated from the servers:

    <View ID="MYMP.$TemplateConfig/TypeId$.Proxy.AlertView" Accessibility="Public" Enabled="true" Target="MYMP.$TemplateConfig/TypeId$.Proxy" TypeID="$Reference/SC$Microsoft.SystemCenter.AlertViewType" Visible="true">
    <Category>Operations</Category>
    <Criteria>
    <ResolutionState>
     <State>0</State>
    </ResolutionState>
    </Criteria>
    <Presentation>
    <ColumnInfo Index="0" SortIndex="0" Width="22" Grouped="true" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Severity</Name>
     <Id>Severity</Id>
    </ColumnInfo>
    <ColumnInfo Index="1" SortIndex="-1" Width="54" Grouped="false" Sorted="false" IsSortable="false" Visible="true" SortOrder="Ascending">
     <Name>Icon</Name>
     <Id>Icon</Id>
    </ColumnInfo>
    <ColumnInfo Index="2" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Path</Name>
     <Id>MonitoringObjectPath</Id>
    </ColumnInfo>
    <ColumnInfo Index="3" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Source</Name>
     <Id>MonitoringObjectDisplayName</Id>
    </ColumnInfo>
    <ColumnInfo Index="4" SortIndex="-1" Width="22" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Maintenance Mode</Name>
     <Id>MonitoringObjectInMaintenanceMode</Id>
    </ColumnInfo>
    <ColumnInfo Index="5" SortIndex="-1" Width="250" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Name</Name>
     <Id>Name</Id>
    </ColumnInfo>
    <ColumnInfo Index="6" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Resolution State</Name>
     <Id>ResolutionState</Id>
    </ColumnInfo>
    <ColumnInfo Index="7" SortIndex="-1" Width="150" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Created</Name>
     <Id>TimeRaised</Id>
    </ColumnInfo>
    <ColumnInfo Index="8" SortIndex="1" Width="100" Grouped="false" Sorted="true" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Age</Name>
     <Id>Age</Id>
    </ColumnInfo>
    <ColumnInfo Index="9" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Type</Name>
     <Id>Category</Id>
    </ColumnInfo>
    <ColumnInfo Index="10" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Owner</Name>
     <Id>Owner</Id>
    </ColumnInfo>
    <ColumnInfo Index="11" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Priority</Name>
     <Id>Priority</Id>
    </ColumnInfo>
    <ColumnInfo Index="12" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Latency</Name>
     <Id>Latency</Id>
    </ColumnInfo>
    <ColumnInfo Index="13" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Description</Name>
     <Id>Description</Id>
    </ColumnInfo>
    <ColumnInfo Index="14" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Connector</Name>
     <Id>ConnectorId</Id>
    </ColumnInfo>
    <ColumnInfo Index="15" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Forwarding Status</Name>
     <Id>ConnectorStatus</Id>
    </ColumnInfo>
    <ColumnInfo Index="16" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Class</Name>
     <Id>Class</Id>
    </ColumnInfo>
    <ColumnInfo Index="17" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Time in State</Name>
     <Id>TimeInState</Id>
    </ColumnInfo>
    <ColumnInfo Index="18" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Custom Field 1</Name>
     <Id>CustomField1</Id>
    </ColumnInfo>
    <ColumnInfo Index="19" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Custom Field 2</Name>
     <Id>CustomField2</Id>
    </ColumnInfo>
    <ColumnInfo Index="20" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Custom Field 3</Name>
     <Id>CustomField3</Id>
    </ColumnInfo>
    <ColumnInfo Index="21" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Custom Field 4</Name>
     <Id>CustomField4</Id>
    </ColumnInfo>
    <ColumnInfo Index="22" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Custom Field 5</Name>
     <Id>CustomField5</Id>
    </ColumnInfo>
    <ColumnInfo Index="23" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Custom Field 6</Name>
     <Id>CustomField6</Id>
    </ColumnInfo>
    <ColumnInfo Index="24" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Custom Field 7</Name>
     <Id>CustomField7</Id>
    </ColumnInfo>
    <ColumnInfo Index="25" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Custom Field 8</Name>
     <Id>CustomField8</Id>
    </ColumnInfo>
    <ColumnInfo Index="26" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Custom Field 9</Name>
     <Id>CustomField9</Id>
    </ColumnInfo>
    <ColumnInfo Index="27" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="true" SortOrder="Ascending">
     <Name>Custom Field 10</Name>
     <Id>CustomField10</Id>
    </ColumnInfo>
    <ColumnInfo Index="28" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Resolved By</Name>
     <Id>ResolvedBy</Id>
    </ColumnInfo>
    <ColumnInfo Index="29" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Time Resolved</Name>
     <Id>TimeResolved</Id>
    </ColumnInfo>
    <ColumnInfo Index="30" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Last State Change</Name>
     <Id>TimeResolutionStateLastModified</Id>
    </ColumnInfo>
    <ColumnInfo Index="31" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Last Modified</Name>
     <Id>LastModified</Id>
    </ColumnInfo>
    <ColumnInfo Index="32" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Last Modified By</Name>
     <Id>LastModifiedBy</Id>
    </ColumnInfo>
    <ColumnInfo Index="33" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Management Group</Name>
     <Id>ManagementGroup</Id>
    </ColumnInfo>
    <ColumnInfo Index="34" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Site</Name>
     <Id>SiteName</Id>
    </ColumnInfo>
    <ColumnInfo Index="35" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Repeat Count</Name>
     <Id>RepeatCount</Id>
    </ColumnInfo>
    <ColumnInfo Index="36" SortIndex="-1" Width="100" Grouped="false" Sorted="false" IsSortable="true" Visible="false" SortOrder="Ascending">
     <Name>Ticket ID</Name>
     <Id>TicketId</Id>
    </ColumnInfo>
    </Presentation>
    </View>

    So can you tell me how can I make the alert for the rule to show under this alert view?


    Regards, Ravi
    Tuesday, August 16, 2011 11:20 AM
  • Hello Ravi,

    I know it is late reply, but I hope it helps..

    But you can do this simply using the Alert View (Select Conditions) with one of the following two options:

    1- With a specific name: (Your Alert Name, wildcards could be used)

    2- Created by specific sources: (Select your rule from the list)

    While createing the Rule,, your Rule Category must be Alert in order to to appear in the list of specific sources.

    "Rule Category is the key if you want to create a custom views based on specific sources (rule / monitor). So you need to select the right category for getting the desired results"

    Hope this helps!

    Regards,

    Mazen


    • Edited by Mazen AhmedMicrosoft employee Saturday, February 25, 2012 9:57 AM
    • Marked as answer by Ravi_Raj Monday, February 27, 2012 6:10 AM
    • Unmarked as answer by Ravi_Raj Monday, February 27, 2012 10:09 AM
    • Marked as answer by Ravi_Raj Monday, February 27, 2012 11:07 AM
    Saturday, February 25, 2012 9:53 AM
  • Hi Mazen,

    I am able to get this view through SCOM console. Now When I checked the MP I can see this definition update:

    <View ID="MY.MP.R2.ea09f05fe23444c9948083d5185325a6.TopNodeFault.AlertView" Accessibility="Public" Enabled="true" Target="MY.MP.R2.ea09f05fe23444c9948083d5185325a6.Proxy" TypeID="SC!Microsoft.SystemCenter.AlertViewType" Visible="true">
            <Category>Operations</Category>
            <Criteria>
              <SourceList>
                <Source>
                  <Type>Rule</Type>
                  <Id>1cbea7d9-a9c5-fd41-406f-4a134a3a4443</Id>
                </Source>
              </SourceList>
            </Criteria>

    Now I am implementing this to my main MP with following definition:

    <View ID="MY.MP.R2.$TemplateConfig/TypeId$.TopNodeFault.AlertView" Accessibility="Public" Enabled="true" Target="MY.MP.R2.$TemplateConfig/TypeId$.Proxy" TypeID="$Reference/SC$Microsoft.SystemCenter.AlertViewType" Visible="true">
                  <Category>Operations</Category>
                  <Criteria>
                    <SourceList>
                      <Source>
                        <Type>Rule</Type>
                        <Id>MY.MP.R2.$TemplateConfig/TypeId$.TopNodeFault.General.Rule</Id>
                      </Source>
                    </SourceList>
                  </Criteria>

    After importing this MP to SCOM, I get this error:

    : No matches were found on input string [MY.MP.R2.ea09f05fe23444c9948083d5185325a6.TopNodeFault.General.Rule]. Cannot resolve to ManagementElementReference.

    Am I doing this right way? I think there is a problem in my <ID> reference. What I have to fill it in?


    Regards,
    Ravi

    Monday, February 27, 2012 10:18 AM
  • Ok i got the error I was doing. I corrected by following code:

    <SourceList>
      <Source>
        <Type>Rule</Type>
        <Id>$MPElement[Name='MY.MP.R2.$TemplateConfig/TypeId$.TopNodeFault.General.Rule']$</Id>
      </Source>
    </SourceList>

    But in SCOM Console when I see the property of this view, I find the source name as:

    created by: Microsoft.EnterpriseManagement.Mom.Internal.UI.ViewCreations.AlertViewCriteriaXSDSource sources

    I am not able to figure this out. But my view is working perfectly.


    Regards,
    Ravi

    • Marked as answer by Ravi_Raj Monday, February 27, 2012 11:07 AM
    Monday, February 27, 2012 11:07 AM