One of the my most famous phrase, during SCOM’s sessions, is that a monitoring software must be flexible and customizable to give a real value. This means that the software must allows creation of custom monitor object to extend the functionality….for example to monitor own software or own service.
System Center Operations Manager is compliant to do these activities and in this article we will see how to keep under control custom Event Viewer ID in order to generate alarms.
SCOM users know that all the monitoring are based by Management Pack, an .xml files with all rules to monitor software/hardware: Event Viewer, Performance Monitor, Service and File Server…so SCOM collects many values to give us the status of our infrastructure.
To create our monitor rules it’s important start from an empty Management Pack; this can be created from pane Administrator – Management Pack, as showed in figure 1.
Before create the alert monitor is fundamental create a collection rule to set the SCOM’s Agent to detect specific EventID on each machine where the agent is installed. To create a new Rule is necessary open the pane Authoring – Management Pack Objects – Rules, as showed in figure 2.
Insert a name and a target group where enable the control, figure 3; if you are not familiar with Computer Group, use the main group called Windows Server 2012 R2 Computer.
Next step is select the event source: by default is Application but you can change it without problem. The last step is set the criteria detection: it is possible be more selective or more generic it’s by your request. In this case we will monitor eventID 9999, as showed in figure 4.
Repeat the same task for eventID 9998.
Now we are able to catch event and so it’s time to create a rule to generate alerts into console. Inside pane Authoring – Management Pack Objects – Monitors it’s possible create the right rule, as showed in figure 5.
As you can see, there are many ways to do monitoring so let’s see the details about Simple Event Detection:
Manual Reset – Monitoring is generated by a specific EventID and the user must reset the alert manually
Timer Reset – Monitoring is generated by a specific EventID and the alert reset is done after X minutes
Windows Event Reset – Monitoring is generated by a specific EventID and the alert reset is done by another EventID
We will use the last one option, because we caught two different EventID.
Set a name, target group and the parent monitor – figure 6.
Next step is set value to generate Unhealthy and Healthy alarms, so what are the EventID that will generate/reset the monitor’s state, as showed in figure 7 and 8.
One the last task is configure the visual state into the SCOM console, as showed in figure 9.
We are arrived to the end, or rather configuration of notification via console (and email) – figure 10.
Before create the Event View, is necessary test if what we have done is right. To do this, open a PowerShell window and run this cmdlet:
Write-Eventlog -logname ‘Application’ -source ‘Application’ -eventID 9999 -EntryType Information -message “Houston we have a problem!”
You should receive the notification into Active Alerts with a message similar figure 11.
To reset the alert, run this cmdlet:
Write-Eventlog -logname ‘Application’ -source ‘Application’ -eventID 9998 -EntryType Information -message “Problem solved!”
In this moment we are ready to keep under control our servers and generate an alert every time the EventID 9999 is generated. To close the ring we can create a view to keep together all of these alerts. This can be done into Monitoring pane: create an Event View into the folder called as Management Pack created at beginning; this view collect all the events 9999. Figure 12 show an example to configure the view.
Close the wizard and test the final result, as showed in figure 13.
Cool right? This is what I mean with “flexible monitoring” and System Center Operations Manager is perfect to do this!