SC Operations Manager 2007 SP1 - Configuration Steps: SCOM2k7 Basic Event Monitor with a Manual Alert Reset

Another of the Operational challenges SCOM2k7 can solve is offering an Alert upon receipt of a specific Event ID in a Windows Event Log.  In this scenario I will generate a Basic Event Monitor.  The intent of this Basic Event Monitor is to ensure SCOM2k7 offers a 'Critical Alert' when the specified Event ID is triggered.  I will be using the 'EventCreate' utility in Windows to generate a 'test Event ID'.

Here are the general steps to this scenario:

  1. Focus the Monitor Console on the 'Windows Computer' object.
  2. Generate a Basic Event Monitor against the Application Event Log of Event ID 945 as a Critical Alert.
  3. Use the 'EventCreate' Utility to generate a fictitious 'Event ID 945'.
  4. Examine the 'Alert View' to display the Alert.
  5. Examine the 'Health Explorer' to see the Alert History and Alert Detail.
  6. Manually clear the Alert.

If you are looking for a way to understand how to do a similar process when a Windows Service stops you will find a separate Blog entry here titled 'SC Operations Manager 2007 SP1 - Configuration Steps: SCOM2k7 Basic Service Monitor with a Diagnostic and a Recovery for a Stopped Service' with this detail.

 

 

1.  Here I open the SCOM2k7 SP1 Management Console and move to the 'Active Alerts View'.  Notice, no Alerts present.

 

 

2.  I then move to the 'Authoring Space', which is already Scoped to the 'Windows Computer' object.  Upon expanding the 'Availability' Monitor I target the Basic Event Monitor to the 'Availability' Health Rollup.

 

 

3.  I initiate creation of a 'Unit Monitor' which starts the 'Create a Unit Monitor' Wizard.

 

 

4.  I prefer to select the Management Pack that will 'receive' the Monitor first.  Then, I select 'Windows Events\Simple Event Detection\Manual Reset' as the Monitor type.

 

 

5.  I label this Basic Event Monitor explicitly.  This is the description that shows up in the Alert View.  Additionally,  I select the 'Windows Computer' Object as the target of this Monitor.  The 'Windows Computer' object allows all Windows Computers to receive this Monitor.  If necessary, I can 'focus' this Monitor by using Overrides targeted at specific SCOM2k7 Groups.  Notice here also, I have left the toggle 'Monitor is Enabled' on in the caption.  I actually proceeded to 'disable' this Monitor as it affords the ability to 'double-check' the Monitor properties prior to setting the Monitor loose in the environment.

 

 

6.  This Basic Event Monitor is focused against the 'Application Event Log' for a Windows Computer.

 

 

7.  Next I begin input of the Event criteria.  These are the specific parameters the SCOM2k7 Agent will parse in response to this Monitor. 

 

 

8.  The next screen provides the ability to customize the Health State of this Monitor.  I modified this value to change the Health State (in Health Explorer for example) to 'Critical'.  This would only be appropriate if in fact receiving an Alert for this Event ID is critical.  Most Management Packs (those from Microsoft for example) have wisely chosen to default this value to 'Warning'.  This offers the ability to configure Notifications (E-Mails sent to a shared 'Alert Mailbox') to not pick up 'Warnings' in the middle of the night.

 

 

 

9.  I agree to 'Generate Alerts for this Monitor' and 'Automatically Resolve the Alert When the Monitor Returns to a Healthy State'.  In addition, I have specified additional detail in the 'Alert Description' that helps better clarify the Alert.

 

 

10.  Upon completion of the 'Create a Unit Monitor' Wizard a 'Disabled' Monitor appears.  Note the detail of the Monitor title.

 

 

11.  Next I view the specific Properties of the newly created Basic Event Monitor.

 

 

12.  Properties of the newly created Basic Event Monitor.

 

 

13.  Properties of the newly created Basic Event Monitor.

 

 

14.  Properties of the newly created Basic Event Monitor.

 

 

15.  Properties of the newly created Basic Event Monitor.

 

 

16.  Properties of the newly created Basic Event Monitor.

 

 

17.  Properties of the newly created Basic Event Monitor.

 

 

18.  Properties of the newly created Basic Event Monitor.

 

 

19. Finally, upon validating that all details for the Properties of the newly created Basic Event Monitor are correct, I select 'Monitor is Enabled'.

 

 

20.  Note the change in icon appearance and the value of 'Yes' in the 'Enabled by Default' column.

 

 

21.  I then move focus to the 'Health Explorer' for a single Windows Computer.  Notice the appearance of the new Basic Event Monitor under the 'Availability Rollup' for the Server.  It is now time to test the function of this Basic Event Monitor by offering a matching Event ID to the Application Event Log.

 

 

22.  I validate the 'Active Alert View' is clear before proceeding.

 

 

23.  I have generated a Batch File (.bat extension) that uses the 'EventCreate' utility.  'EventCreate' is provided with the base Windows Operating System and is found in the %windir%\system32 folder.

 

 

24.  Here is the Batch File and the associated Event Detail to be generated.  You can learn more about the 'EventCreate' utility by moving to a Command Prompt and typing: 'eventcreate /?'.

 

 

 

25.  I 'Paste' the Batch File contents into a Command Prompt Window.

 

 

26.  Confirmation the Batch File Contents were accepted correctly.

 

 

27. Upon moving to the SCOM2k7 SP1 Operations Console we immediately notice a new 'Critical Alert'.

 

 

28.  A review of the 'Critical Alert' data indicates several important details including 1) the Monitor Name (left side block) and 2) the Alert Description.  Note the detail of the User ID that generated the Alert is specified (Agent Action Account).

 

 

29.  When I move to 'Health Explorer' for this Windows Server and focus on the new Basic Event Monitor we can observe the 'State Change Events' for this Monitor.  The 'State Change Events' provide a 'running history' of how this Basic Event Monitor is triggered.

 

 

 

30.  Next I move to 'Manually Close' this Alert per the Basic Event Monitor criteria specified.

 

 

31.  I attempt a 'Refresh' for the Basic Event Monitor.  This does not change the status immediately.

 

 

32.  I then execute the 'Reset Health' option.  This immediately parses to determine aggregate health for this Monitor and resets to the appropriate value of 'healthy'.
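The batch file from steps 23 to 26 is described on this page but its contents are not shown, so the following is an added example and not the author's original file: it raises the test event with 'EventCreate' and then reads it back from the Application Event Log, which separates "the event was never written" from "the Monitor did not match it". Event ID 945 and the Application log come from the steps above; the source name, event type and description are assumptions, as is the presence of 'wevtutil' (Windows Vista / Server 2008 or later). Save it as a .bat file and run it from an elevated Command Prompt.

```bat
@echo off
rem Added example (not the original batch file from this post).
rem Event ID 945 and the Application log are taken from the walkthrough;
rem EVT_SOURCE, EVT_TYPE and the description text are assumed values.
setlocal
set EVT_ID=945
set EVT_SOURCE=SCOMMonitorTest
set EVT_TYPE=ERROR

rem 1. Write the test event. eventcreate accepts IDs from 1 to 1000 and
rem    refuses a source name already registered by an installed application.
eventcreate /L APPLICATION /T %EVT_TYPE% /SO %EVT_SOURCE% /ID %EVT_ID% /D "Test event for the SCOM2k7 Basic Event Monitor. No action required."
if errorlevel 1 (
    echo eventcreate failed: check for an elevated prompt and a free source name.
    exit /b 1
)

rem 2. Read back the newest event with this source and ID. 'find' sets
rem    errorlevel 1 when the source name is absent from the query output.
wevtutil qe Application /q:"*[System[Provider[@Name='%EVT_SOURCE%'] and (EventID=%EVT_ID%)]]" /c:1 /rd:true /f:text | find /i "%EVT_SOURCE%"
if errorlevel 1 (
    echo Event %EVT_ID% from %EVT_SOURCE% was not found in the Application log.
    exit /b 1
)

echo Event %EVT_ID% is in the Application log. Check the Active Alerts view next.
endlocal
```

If the event is confirmed in the log but no Alert appears, compare the source and type used here with the Event criteria entered in step 7, and confirm the Monitor was enabled as in step 19.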

 

 As you can see the Basic Event Monitor is a useful operational tool provided by SCOM2k7 SP1.  In another Blog entry I will generate a Performance Rule that collects specific Performance Data useful in evaluating long-term Performance Health for a Windows Server.

 

 

Lynn Lunik
Independent Security Consultant
Windows(R) Platform
IT Pro Secure Corporation
and
exchangesummit.net
http://itprosecure.com and http://www.exchangesummit.net
blog <at> itprosecure.com

      


Posted Oct 21 2008, 08:41 AM by lynn lunik

Comments

Lynn Lunik of IT Pro Secure at myITforum.com wrote SC Operations Manager 2007 SP1 - Configuration Steps: SCOM2k7 Basic Service Monitor with a Diagnostic and a Recovery for a Stopped Service
on 12-16-2008 9:49 AM

SC Operations Manager 2007 SP1 - Configuration Steps: SCOM2k7 Basic Service Monitor with a Diagnostic

Copyright IT Pro Secure Corporation 2009-2010 - All Rights Reserved Worldwide
