SC Operations Manager: Monitor Custom EventID

One of my best-known phrases during SCOM sessions is that monitoring software must be flexible and customizable to deliver real value. This means the software must allow you to create custom monitor objects that extend its functionality, for example to monitor your own software or your own service.

 

System Center Operations Manager supports these activities, and in this article we will see how to keep a custom Event Viewer ID under control in order to generate alarms.

 

SCOM users know that all monitoring is based on Management Packs, .xml files containing all the rules to monitor software and hardware: Event Viewer, Performance Monitor, Service, File Server and so on. In this way SCOM collects many values to give us the status of our infrastructure.

 

To create our monitoring rules it is important to start from an empty Management Pack; this can be created from the pane Administrator – Management Pack, as shown in figure 1.

 

Figure 1 – New MP

 

Before creating the alert monitor, it is essential to create a collection rule so that the SCOM agent detects the specific EventID on each machine where the agent is installed. To create a new rule, open the pane Authoring – Management Pack Objects – Rules, as shown in figure 2.

 

Figure 2 – NT Event Log Rule

 

Insert a name and a target group on which to enable the check (figure 3); if you are not familiar with Computer Groups, use the main group called Windows Server 2012 R2 Computer.

 

Figure 3 – New Rule

 

The next step is to select the event source: the default is Application, but you can change it without problems. The last step is to set the detection criteria: they can be more selective or more generic, depending on your needs. In this case we will monitor EventID 9999, as shown in figure 4.

 


Figure 4 – Detection Criteria

 

Repeat the same task for eventID 9998.

 

Now we are able to catch the events, so it is time to create a rule that generates alerts in the console. In the pane Authoring – Management Pack Objects – Monitors you can create the right rule, as shown in figure 5.

 

Figure 5 – Monitor Rule

 

As you can see, there are many ways to do monitoring, so let's look at the details of Simple Event Detection:

 

Manual Reset – Monitoring is generated by a specific EventID and the user must reset the alert manually
Timer Reset – Monitoring is generated by a specific EventID and the alert reset is done after X minutes
Windows Event Reset – Monitoring is generated by a specific EventID and the alert reset is done by another EventID

 

We will use the last option, because we capture two different EventIDs.

 

Set a name, target group and the parent monitor – figure 6.

 

Figure 6 – Monitor Name

 

The next step is to set the values that generate the Unhealthy and Healthy alarms, that is, which EventIDs will trigger and reset the monitor's state, as shown in figures 7 and 8.

 

Figure 7 – Unhealthy Criteria

 

Figure 8 – Healthy Criteria

 

One of the last tasks is to configure the visual state in the SCOM console, as shown in figure 9.

 

Figure 9 – Health State

 

We have arrived at the end, namely the configuration of notification via console (and email), shown in figure 10.

 


Figure 10 – Alert Settings

 

Before creating the Event View, it is necessary to test whether what we have done is right. To do this, open a PowerShell window and run this cmdlet:

 

Write-EventLog -LogName 'Application' -Source 'Application' -EventId 9999 -EntryType Information -Message "Houston we have a problem!"

 

You should receive the notification in Active Alerts with a message similar to figure 11.

 

Figure 11 – Alert Notification

 

To reset the alert, run this cmdlet:

 

Write-EventLog -LogName 'Application' -Source 'Application' -EventId 9998 -EntryType Information -Message "Problem solved!"
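
The two test cmdlets above can be combined into one agent-side check that also confirms each event really reached the log the rule is watching, so that a missing alert can be traced to the rule or monitor rather than to the test itself. This is an added example, not code from the original article; the function name, parameter names and hold time are assumptions, and it needs Windows PowerShell 5.1 because Write-EventLog is not available in PowerShell 7.

```powershell
# Added example: run the 9999/9998 test sequence and verify each event was logged.
# Function name, parameter names and default hold time are assumptions.
function Test-CustomEventMonitor {
    param(
        [string]$LogName  = 'Application',
        [string]$Source   = 'Application',   # same source as the article's cmdlets
        [int]$UnhealthyId = 9999,
        [int]$HealthyId   = 9998,
        [int]$HoldSeconds = 60                # time to look at Active Alerts
    )

    # Write-EventLog fails when the source is not registered, so check first.
    # SourceExists may throw without admin rights because it searches every log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        throw "Event source '$Source' is not registered on this machine."
    }

    $steps = @(
        @{ Id = $UnhealthyId; Message = 'Houston we have a problem!'; Hold = $HoldSeconds },
        @{ Id = $HealthyId;   Message = 'Problem solved!';            Hold = 0 }
    )

    foreach ($step in $steps) {
        $start = (Get-Date).AddSeconds(-1)
        Write-EventLog -LogName $LogName -Source $Source -EventId $step.Id `
            -EntryType Information -Message $step.Message

        # Confirm the event landed in the log before blaming the rule or monitor.
        $hit = Get-WinEvent -FilterHashtable @{
            LogName = $LogName; Id = $step.Id; StartTime = $start
        } -MaxEvents 1 -ErrorAction SilentlyContinue

        [pscustomobject]@{
            EventId = $step.Id
            Logged  = [bool]$hit
            Time    = if ($hit) { $hit.TimeCreated } else { $null }
            Source  = if ($hit) { $hit.ProviderName } else { $null }
        }

        # Keep the monitor Unhealthy long enough to see the alert before resetting it.
        if ($step.Hold -gt 0) { Start-Sleep -Seconds $step.Hold }
    }
}

Test-CustomEventMonitor -HoldSeconds 120 | Format-Table -AutoSize
```

If both rows show Logged as True but no alert appears in Active Alerts, the problem lies in the rule target, the detection criteria or the monitor configuration rather than in the event itself.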

 

At this point we are ready to keep our servers under control and generate an alert every time EventID 9999 is logged. To close the loop we can create a view that keeps all of these alerts together. This can be done in the Monitoring pane: create an Event View in the folder named after the Management Pack created at the beginning; this view collects all the 9999 events. Figure 12 shows an example of how to configure the view.

 

Figure 12 – Event View Wizard

 

Close the wizard and test the final result, as shown in figure 13.

 

Figure 13 – Event View

 

Cool, right? This is what I mean by “flexible monitoring”, and System Center Operations Manager is perfect for this!

 
