Event Based Monitor Not Showing Proper Data in Description


  • Hello,

    Recently, I was asked to create a unit monitor to be alerted for any file changes in the environment.

    So, I created an event based timer reset monitor, which targets the security log and a particular ID and a parameter.

    The alerting works fine in SCOM whenever the ID and parameter are triggered together in the event viewer.

    The problem is with the description that is shown in SCOM.

    The event shows proper format of descrption as shown below:

    A handle to an object was requested.

     Security ID:  DOM\user
     Account Name:  user
     Account Domain:  DOM
     Logon ID:  0x1c77b615e

     Object Server:  Security
     Object Type:  File
     Object Name:  \Device\HarddiskVolume7\test\testuser\testuserH\Reports\test\test2012\user2012\Security2012.xlsx
     Handle ID:  0x0

    Process Information:
     Process ID:  0x4
     Process Name:  

    Access Request Information:
     Transaction ID:  {00000000-0000-0000-0000-000000000000}
     Accesses:  DELETE
        ReadData (or ListDirectory)
     Access Reasons:  DELETE: Unknown or unchecked
        READ_CONTROL: Granted by Ownership
        ACCESS_SYS_SEC: Not granted due to missing SeSecurityPrivilege
        ReadData (or ListDirectory): Unknown or unchecked
        ReadEA: Unknown or unchecked
        ReadAttributes: Granted by ACE on parent folder D:(A;OICIID;0x1301bf;;;S-1-5-21-3362488545-1801783553-3570299896-10108)
     Access Mask:  0x1030089
     Privileges Used for Access Check: -
     Restricted SID Count: 0

    However, in the event viewer friendly view (both general and XML) the data is displayed as shown below:


      SubjectUserSid S-1-5-21-3362488545-1801783553-3570299896-4101
      SubjectUserName user
      SubjectDomainName DOM
      SubjectLogonId 0x1c77b615e
      ObjectServer Security
      ObjectType File
      ObjectName  \Device\HarddiskVolume7\test\testuser\testuserH\Reports\test\test2012\user2012\Security2012.xlsx
      HandleId 0x0
      TransactionId {00000000-0000-0000-0000-000000000000}
      AccessList %%1537 %%1538 %%1542 %%4416 %%4419 %%4423 
      AccessReason %%1537: %%1809 %%1538: %%1804 %%1542: %%1810 SeSecurityPrivilege %%4416: %%1809 %%4419: %%1809 %%4423: %%1811 D:(A;OICIID;0x1301bf;;;S-1-5-21-3362488545-1801783553-3570299896-10108) 
      AccessMask 0x1030089
      PrivilegeList -
      RestrictedSidCount 0
      ProcessId 0x4

    The same XML data (from friendly view) is displayed in SCOM.

    Is there a way I can get SCOM to read the data from the general view of the eventviewer instead of it reading from the friendly View.

    Any Help will be appreciated.

    Thanks in Advance!


    Abdul Karim

    Saturday, September 08, 2012 9:13 AM

All replies

  • Hi,

    Please see if this method is helpful on adjusting the description:

    Adding custom information to alert description (s) and notifications


    Nicholas Li

    TechNet Community Support

    Monday, September 10, 2012 8:39 AM
  • Hi Nicolas,

    I have created a unit monitor and the description detail is the same as shown in the link provided. ($Data/Context/EventDescription$)

    However, it is still reading from the friendly/xml view and not the general view.

    Is there any other workaround for this?

    Thank You!

    Sunday, September 16, 2012 8:24 AM
  • Script-based events shows only last event when all fields except description are same. You can read here about this issue, but article on russian language - And here I asked this question - This problem still exists in both versions of OpsMgr - 2007 and 2012.

    Vladimir Zelenov |

    • Edited by bobgreen84 Monday, September 17, 2012 9:38 AM
    Monday, September 17, 2012 9:36 AM
  • Hi Nicolas,

    I have created a unit monitor and the description detail is the same as shown in the link provided. ($Data/Context/EventDescription$)

    However, it is still reading from the friendly/xml view and not the general view.

    Is there any other workaround for this?

    Thank You!

    Workaround - increase or change any value "Event Number" or "Log Name".

    Vladimir Zelenov |

    Monday, September 17, 2012 9:44 AM
  • Hi Vladimir,

    Thank You for the post.

    I was wondering how will increasing or changing the event number help as I am targetting a particular event id targetting the security log.

    Is there a way we can parse the XML data into more readable format ?

    Please Advise!

    Thanks in Advance!


    Abdul Karim

    Monday, September 17, 2012 7:30 PM
  • With other event modules is all ok. I've never experienced problems with other event modules, only with script-based. What you used? Authoring Console or Authoring Tools?

    Vladimir Zelenov |

    Tuesday, September 18, 2012 7:29 AM
  • Hi Vladimir,

    I am trying to create an event based monitor targetting windows event security log for event ID 4656 and parameter 6 through the SCOM Authoring Console. The alerting works fine when that particular event is raised, however it is the description is meaningless as it reads from the friendly xml view.

    Yes, I have created other event based monitors from the SCOM authoring console targetting application and other logs and that works fine for me.

    Hope this answers your question :)



    Tuesday, September 18, 2012 8:51 AM
  • Is there a way I could parse the values from xml to normal readable view?
    Tuesday, September 18, 2012 9:15 AM
  • The alert description Parma is xpath of the monitor, you can pull the alert information from the scom server with scom powershell command get-alert | where-object{$ –match “<Name of the alert>”} | select name, context.

    The context is the xml tags of you monitor Data source module, you can get the xpath of the required filed followed by $data\context in alert description.

    sridhar v

    Thursday, March 21, 2013 6:06 PM
  • Try using the MP Simulator to find the xpath values. MP Simulator is the source of truth - it will show you exactly what data is available for referencing in your alert description.

    Sometimes it can get a little tricky, like this example.

    Jonathan Almquist | SCOMskills, LLC (

    Sunday, March 24, 2013 10:11 PM