Kevin Holman's System Center Blog

Posts in this blog are provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified in the Terms of Use.

How to find all possible event ID’s for a given event source


I recently got this question from a customer… and felt it would be good to blog about this.

The customer wants to create an Alert anytime there is an event in the System event log from a USER32 event source:

image

 

HOWEVER – it is a best practice in SCOM to make our event matching criteria AS SPECIFIC as possible.

 

The problem:  How do I know all possible event ID’s that COULD show up under a given event source?

The solution?  Use the MOM 2005 resource kit tool, called MPWizard.exe.

 

NOTE:  The MOM 2005 MPWizard states that it needs to be run on a MOM 2005 management server… but I have tested, and it only really needs to be run on a machine with the MOM 2005 console installed…. if you don't have a MOM 2005 environment, simply install only the console and you can use this tool.  There might be a “cheat” way to run this tool registering a couple MOM 2005 DLL’s – but I haven't looked into that.  If you get a COM error, and cannot get this to run, and the MOM 2005 console is not an option – I recommend you check out using LogParser – which I have a link below.

 

MPWizard will let us interrogate the local computer, OR a remote computer, and determine ALL POSSIBLE events for a given event source, and has the added benefit of showing us the event parameters as well.

 

For example, I will launch MPWizard, and choose “Event Source Monitoring”:

 

image

 

Give it a “TEST” rule group name… since we really won't be creating a MOM 2005 Management Pack here.

Click “Add”, and choose the local computer or a remote computer.

Choose the event source we are interested in:

 

image

 

 

As you can see – this will interrogate the Event log source DLL for the USER32 event source, and show all possible events that *could* be created by this event source (dll) and their parameters for each event.

 

Now – I can create a much more specific rule – and include the event ID’s, and also use event parameters if needed:

 

image

 

 

Now – if I DON'T want this alert on a specific group of machines…. I can create an exception, based on parameter 1:

 

image

 

 

Using the MOM 2005 MP wizard is a very easy way to find all possible event ID’s for a given event source, AND it will show us the parameters that each event uses…. very helpful in keeping with the SCOM best practices of being very specific, and of using event parameters instead of searching the entire event description, which is resource intensive.

 

You can get the MOM 2005 reskit download HERE:  http://technet.microsoft.com/en-us/opsmgr/bb498240.aspx

 

Also – be sure to check out how to use LogParser – another free tool – to find event parameters, in this blog post:  Using Event Description as criteria for a rule
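
Another way to build the same list without MPWizard, as an added example that is not part of the original post: on Windows Vista / Server 2008 and later, the built-in Get-WinEvent cmdlet can read the event metadata registered for a provider. The script's parameter names and output columns are choices made for this example, and it assumes the event source is registered as a provider on the computer being queried.

```powershell
# Added example (not from the original post): list every event ID that an
# event source can raise, with the highest %n insertion parameter it uses.
# Assumes Windows Vista / Server 2008 or later, where Get-WinEvent exists.
param(
    [string]$ProviderName = 'USER32',  # event source used in the article
    [string]$ComputerName              # optional remote computer
)

$query = @{ ListProvider = $ProviderName; ErrorAction = 'Stop' }
if ($ComputerName) { $query.ComputerName = $ComputerName }

# Stops with an error if the source is not registered on the target.
$provider = Get-WinEvent @query

$provider.Events | Sort-Object Id, Version | ForEach-Object {
    $text = [string]$_.Description     # null-safe: some events carry no text
    # %1, %2 ... are insertion parameters; skip %%n message references.
    $indexes = [regex]::Matches($text, '(?<!%)%(\d+)') |
        ForEach-Object { [int]$_.Groups[1].Value }
    [pscustomobject]@{
        Id          = $_.Id
        Version     = $_.Version
        MaxParam    = if ($indexes) { ($indexes | Measure-Object -Maximum).Maximum } else { 0 }
        Description = $text
    }
} | Format-Table -AutoSize -Wrap
```

The MaxParam column shows how many event parameters are available to match on for each event ID, so a rule can test a parameter instead of the full description.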

Comments
  • When we write rules and monitors to look at events in the event log.... typically the most common criteria

  • So…. with the introduction of Server 2008 into OpsMgr… as a monitored agent, you might need to re-evaluate

  • this is greatness...why isn't there an updated version?
