Authoring Event Rules in OpsMgr


Anatomy of a Vista/Server 2008 event

There are three types of Vista/Server 2008 events which are written to various channels in the event log.

1. The ‘pure’ Vista/Server 2008 event

These events are logged using the new Vista/Server 2008 APIs which means they were written specifically for this platform.  As such most of these events are not backwards compatible with events from a similar application on downlevel platforms.  These events are mostly written to a channel under the “Applications and Services Logs” in the event viewer, though a few creep into the “Windows Logs”.

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>8007</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2008-01-21T19:42:41.009Z" />
    <EventRecordID>397142</EventRecordID>
    <Correlation ActivityID="{86F2A78B-6A45-4E77-A34C-2809C9AAC658}" />
    <Execution ProcessID="976" ThreadID="3516" />
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>christow-dev.wingroup.windeploy.ntdev.microsoft.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="PolicyElaspedTimeInSeconds">5</Data>
    <Data Name="ErrorCode">0</Data>
    <Data Name="PrincipalSamName">WINGROUP\christow</Data>
    <Data Name="IsMachine">false</Data>
    <Data Name="IsConnectivityFailure">false</Data>
  </EventData>
</Event>

Things to notice are the Keywords: legacy/hybrid events will always start with 0x8…, while ‘pure’ Vista/Crimson events always start with some other number.  This example also has both Correlation and Execution data.  Correlation is a way to correlate events which occurred in response to a certain task or activity, and Execution gives you both the Process ID and Thread ID where the issue occurred, should you want to attach a debugger or correlate this with other events.  The other interesting thing is the contents of the EventData node: this node contains event-specific XML (each event defines what this XML looks like).  The event parameters are formatted into this XML based on that definition, making it a sort of language-independent event message.

 

2. The legacy event

These events are logged using the legacy event APIs, meaning the application logging them was written for downlevel platforms.  As such these events should be backwards compatible with downlevel platforms.  These events are mostly found in the “Windows Logs”, though event sources which wrote to custom event logs on downlevel platforms will show up in the “Applications and Services Logs” in the event viewer.

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="idsvc" />
    <EventID Qualifiers="0">0</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2008-01-21T18:47:49.000Z" />
    <EventRecordID>6955</EventRecordID>
    <Channel>Application</Channel>
    <Computer>christow-dev.wingroup.windeploy.ntdev.microsoft.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Service stopped successfully.</Data>
  </EventData>
</Event>

Some things to note here are the Keywords (always 0x8…) and that the Provider node only contains a Name attribute, whose value is the same as the Source column in the Event Viewer.  Also the EventID has a Qualifiers attribute.  This attribute contains the upper 2 bytes of the event number: Vista/Server 2008 event numbers are 2 bytes, but downlevel event numbers had 4 bytes.  This portion of the event number was always present on downlevel platforms but was stripped off in the event viewer.  Also note the EventData node: this contains the event parameters in the form <Data>parameter 1</Data>, <Data>parameter 2</Data> etc…

 

3. The hybrid event

The hybrid events are essentially downlevel events which have registered as a Vista/Server 2008 event publisher.  They are usually backwards compatible as they use the legacy APIs, and are found in the same places as the legacy events.

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-AutoEnrollment" Guid="{F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43}" EventSourceName="AutoEnrollment" />
    <EventID Qualifiers="32768">64</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2008-01-21T18:19:27.000Z" />
    <EventRecordID>6953</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>christow-dev.wingroup.windeploy.ntdev.microsoft.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Context">local system</Data>
    <Data Name="ObjId">4d 6e 68 1c 62 c5 19 85 a3 2c b5 00 2b 84 c7 16 49 28 38 2a</Data>
  </EventData>
</Event>

Things to note are the EventSourceName attribute on the Provider node: this is for backwards compatibility and should be the same as the downlevel event source name.  Also note that the EventData section is similar to the ‘pure’ Server 2008/Vista events in that it is event-specific XML.

 

Vista/Server 2008 events vs. Downlevel events in OpsMgr

OpsMgr has two different modules for collecting events, but essentially one event type is produced.  At the writing of this document there is no way to specify which module you get when executing a workflow, on Vista/Server 2008 you get the Vista/Server 2008 module, and on downlevel platforms you get the NT event module.  The modules basically do the same job in different ways, but the Vista/Server 2008 module knows how to collect the EventData, Correlation, Execution, etc… properties specific to Vista/Server 2008.

PublisherName vs. EventSourceName

One of the most confusing differences is between the PublisherName and the EventSourceName properties of the event.  The truth is in most cases the two fields are exactly the same.  However, in the case of the Hybrid event the PublisherName field will be set to the value of the Provider node’s Name attribute, and the EventSourceName field will be set to the value of the Provider node’s EventSourceName attribute, so given the following Hybrid event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-AutoEnrollment" Guid="{F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43}" EventSourceName="AutoEnrollment" />

The values for the respective OpsMgr event fields will be

    PublisherName      Microsoft-Windows-CertificateServicesClient-AutoEnrollment
    EventSourceName    AutoEnrollment

Given the following legacy event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="idsvc" />

The values for the respective OpsMgr event fields will be

    PublisherName      idsvc
    EventSourceName    idsvc

Given the following ‘pure’ Vista/Server 2008 event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />

The values for the respective OpsMgr event fields will be

    PublisherName      Microsoft-Windows-GroupPolicy
    EventSourceName    Microsoft-Windows-GroupPolicy


What this means is that the EventSourceName is the safest bet if you want your rule to work on both downlevel and Vista/Server 2008 platforms: the two fields are the same in legacy and ‘pure’ Vista/Server 2008 events, and EventSourceName is the backwards-compatibility name in the case of the Hybrid event.  Here is the caveat: the EventSourceName field was added in SP1, so using this field means taking a hard dependency on SP1.  The EventSourceName field will NOT work on OpsMgr 2007 RTM.

Log vs. Channel

Vista/Server 2008 events use the concept of event channels vs. event logs for downlevel platforms.  As far as OpsMgr is concerned channels and logs are interchangeable.  The Vista/Server 2008 backwards compatibility logs are named the same as they were on downlevel platforms hence workflows reading from these logs are largely unaffected.  The only tricky thing to note about the channels in Vista/Server 2008 is that the folder structure in the event viewer does not necessarily match the channel name.  To make certain that you have the correct channel name use the value from the Channel node provided in the event XML.  This is the case in general in Vista/Server 2008 event logs, the event XML is the authority to use not the event viewer.

Where does OpsMgr get the Event Fields

Below is a table which gives the source of the event fields in OpsMgr for both Vista/Server 2008 and downlevel platforms:

    OpsMgr Event Field             Vista/Server Event source (from XML)               NT Event Source (from Event Viewer)
    PublisherName                  /System/Provider/@Name                             Source
    EventSourceName                /System/Provider/@EventSourceName                  Source
    Channel                        /System/Channel                                    Log
    LoggingComputer                /System/Computer                                   Computer
    EventNumber                    /System/EventID + /System/EventID/@Qualifiers [1]  Event ID [1]
    EventDisplayNumber             /System/EventID                                    Event ID
    EventCategory                  /System/Task                                       Category
    EventLevel                     /System/Level [2]                                  Type
    UserName                       /System/Security/@UserID [3]                       User
    @time                          /System/TimeCreated/@SystemTime                    Time
    CorrelationActivityId          /System/Correlation/@ActivityId                    -
    CorrelationRelatedActivityId   /System/Correlation/@RelatedActivityID             -
    ProcessId                      /System/Execution/@ProcessID                       -
    ThreadId                       /System/Execution/@ThreadID                        -
    Opcode                         /System/Opcode                                     -
    Keywords                       /System/Keywords                                   -
    Version                        /System/Version                                    -
    EventData/DataItem/*           /EventData [4]                                     -

[1] The EventNumber is the combination of the EventID

[2] The event levels used in OpsMgr are NT event numeric constants; Vista/Server 2008 events are mapped to NT event levels as follows:

    Event Level      OpsMgr/Downlevel Numeric Value   Vista/Server 2008 Numeric value
    Success          0                                0
    Error            1                                2
    Warning          2                                3
    Information      4                                4
    Audit Failure    16                               -
    Audit Success    8                                -

[3] Wherever possible the User name is retrieved from the SID; if not possible the SID is used instead.

[4] The contents of the EventData node in Crimson are copied into a DataItem container and placed into the EventData of the OpsMgr event.
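As an added example (not code from the original post or from OpsMgr), the following Python maps the three event shapes described above onto the OpsMgr fields in the table, using constructed copies of the sample events (host name replaced) and the reserved Classic keyword bit as the programmatic form of the "Keywords start with 0x8…" observation.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Vista/Server 2008 level -> OpsMgr (downlevel) level constant, from the level table above.
VISTA_TO_OPSMGR_LEVEL = {0: 0, 2: 1, 3: 2, 4: 4}
# Reserved "Classic" keyword bit: set on legacy/hybrid events, which is why their Keywords start with 0x8.
CLASSIC_KEYWORD = 0x80000000000000


def opsmgr_fields(event_xml):
    """Derive the OpsMgr event fields from a raw Windows event XML string, following the table above."""
    sysnode = ET.fromstring(event_xml).find("e:System", NS)
    provider = sysnode.find("e:Provider", NS)
    event_id = sysnode.find("e:EventID", NS)
    display = int(event_id.text)
    qualifiers = int(event_id.get("Qualifiers", "0"))
    vista_level = int(sysnode.findtext("e:Level", "0", NS))
    keywords = int(sysnode.findtext("e:Keywords", "0", NS), 16)
    security = sysnode.find("e:Security", NS)
    execution = sysnode.find("e:Execution", NS)
    correlation = sysnode.find("e:Correlation", NS)
    name = provider.get("Name")
    return {
        "PublisherName": name,
        # Only hybrid events carry a separate back-compat source name; otherwise it equals PublisherName.
        "EventSourceName": provider.get("EventSourceName", name),
        "Channel": sysnode.findtext("e:Channel", None, NS),
        "LoggingComputer": sysnode.findtext("e:Computer", None, NS),
        # Qualifiers holds the upper 2 bytes of the full (downlevel-style) 4-byte event number.
        "EventNumber": (qualifiers << 16) | display,
        "EventDisplayNumber": display,
        "EventCategory": int(sysnode.findtext("e:Task", "0", NS)),
        "EventLevel": VISTA_TO_OPSMGR_LEVEL.get(vista_level),
        # OpsMgr resolves the SID to a user name where it can; offline we keep the raw SID.
        "UserName": None if security is None else security.get("UserID"),
        "Keywords": keywords,
        "IsClassic": bool(keywords & CLASSIC_KEYWORD),
        "ProcessId": None if execution is None else int(execution.get("ProcessID")),
        "ThreadId": None if execution is None else int(execution.get("ThreadID")),
        "CorrelationActivityId": None if correlation is None else correlation.get("ActivityID"),
    }


def event_data_values(event_xml):
    """EventData/Data entries in document order; Data[n] in an OpsMgr XPath is the n-th one (1-based)."""
    root = ET.fromstring(event_xml)
    return [(d.get("Name"), d.text or "") for d in root.findall("e:EventData/e:Data", NS)]


# Constructed samples, abridged from the three event shapes shown above (computer name replaced).
PURE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>8007</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>2</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <Correlation ActivityID="{86F2A78B-6A45-4E77-A34C-2809C9AAC658}" />
    <Execution ProcessID="976" ThreadID="3516" />
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>host1.example.test</Computer><Security UserID="S-1-5-18" />
  </System>
  <EventData><Data Name="PolicyElaspedTimeInSeconds">5</Data><Data Name="ErrorCode">0</Data></EventData>
</Event>"""

LEGACY_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="idsvc" /><EventID Qualifiers="0">0</EventID><Level>4</Level><Task>0</Task>
    <Keywords>0x80000000000000</Keywords><Channel>Application</Channel>
    <Computer>host1.example.test</Computer><Security />
  </System>
  <EventData><Data>Service stopped successfully.</Data></EventData>
</Event>"""

HYBRID_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-AutoEnrollment"
              Guid="{F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43}" EventSourceName="AutoEnrollment" />
    <EventID Qualifiers="32768">64</EventID><Version>0</Version><Level>3</Level><Task>0</Task>
    <Opcode>0</Opcode><Keywords>0x80000000000000</Keywords>
    <Correlation /><Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel><Computer>host1.example.test</Computer><Security />
  </System>
  <EventData><Data Name="Context">local system</Data></EventData>
</Event>"""

if __name__ == "__main__":
    for label, xml in (("pure", PURE_EVENT), ("legacy", LEGACY_EVENT), ("hybrid", HYBRID_EVENT)):
        fields = opsmgr_fields(xml)
        print(label, {k: fields[k] for k in ("EventSourceName", "EventNumber", "EventDisplayNumber",
                                              "EventLevel", "IsClassic")})
```

Note that the hybrid event yields an EventNumber of 0x80000040 while its EventDisplayNumber is 64, which is the "overloaded" upper portion the Tips section warns about.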

 

Anatomy of an OpsMgr Event

Tips and Tricks

Use the event XML view

There can be several pieces of data which can be difficult to find or are manipulated in the event viewer default view.  The safest and easiest way on Vista/Server 2008 to find all data about the event (aside from the event parameters) is to use the Details/Xml View in the event viewer.  This shows the raw event XML which is the source used by OpsMgr to collect event data.  On downlevel platforms this can be a little more difficult though the data is largely unmolested in the viewer.

EventNumber vs. EventDisplayNumber

In general you want to match your event on both the EventSourceName and EventDisplayNumber fields.  The combination of these two fields is typically enough to guarantee the event you match is the one you are interested in.  However, be careful, as some downlevel providers overload the EventDisplayNumbers by changing the upper portion of the EventNumber field (discussed above).  In this case some other means will be necessary to distinguish between events, e.g. EventLevel, or you can use the full EventNumber, but this is difficult to obtain as it is not shown in the Event Viewer.

EventLevel

The EventLevel field on the OpsMgr event contains the numeric constant only.  This is done for localization reasons: building an expression on the English strings would cause the rule not to function on other locales.  It should also be noted that OpsMgr uses the downlevel event level constants for backwards compatibility reasons.  Unfortunately this means that the severity of the level constants is not linear, so it is not entirely safe to say something like ‘EventLevel <= Warning’ because, as you can see from the chart above, Success is also < Warning.

EventCategory, Opcode, and Keywords

These fields on the OpsMgr event also contain only the numeric constant.  This is done for the same localization reasons mentioned above.

Parameters

Event parameters are often difficult to figure out: on both the downlevel and the Vista/Server 2008 systems it is not possible to see the raw event parameters in the event viewer.  The best way to get this data is to have access to the message DLL used by the event log to display the event message.  This DLL contains a list of strings which are used by the event viewer (and OpsMgr) to build the event message by inserting the parameters.  An example would be something like:

“Device error occurred %1 times while copying data to %2”

In this example parameter 1 would contain the repeat count and parameter 2 would contain the device name.

EventData

This field on the OpsMgr event structure contains a datatype.  In the case of a ‘probe based’ event (script generated, WMI, SNMP, etc…) this field will contain the context of the workflow (the raw dataitem generated by the script, WMI, SNMP, etc…).  From an OS perspective EventData is something unique to Vista/Server 2008 events; on downlevel platforms (NT events only) it will always be empty.  On Vista/Server 2008 the EventData section is a user-defined XML fragment which is roughly analogous to a language-agnostic event message (the event parameters are inserted into the XML).  In OpsMgr this data is copied as is into a special datatype (“System.XmlData”), which just acts as a wrapper for the EventData XML fragment.  All this means is that you need to use an XPath query like ‘EventData/DataItem/EventData/Data[1]’ to select the first Data node in the event data section.

Description/Message

This field should not be used in a workflow, both for localization reasons and for performance reasons.  Event descriptions are collected by OpsMgr for the system locale on the local box and sent to the server along with the locale information.  This way, if the same event is logged on both a Japanese machine and an English machine, both the Japanese and English descriptions will be available in the UI, so depending on the user's locale either the Japanese events or the English events will be shown in the other language.

Examples

The following sample shows a Vista/Server 2008 event and the rule which can be used to collect it:

Sample Vista/Server 2008 Event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2008-01-24T20:33:44.000Z" />
    <EventRecordID>7149</EventRecordID>
    <Channel>Application</Channel>
    <Computer>christow-dev.wingroup.windeploy.ntdev.microsoft.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>378529931</Data>
    <Data>1</Data>
    <Data>APPCRASH</Data>
    <Data>None</Data>
    <Data>0</Data>
    <Data>cl.exe</Data>
    <Data>14.0.60406.0</Data>
    <Data>4439bf04</Data>
    <Data>kernel32.dll</Data>
    <Data>6.0.6000.16386</Data>
    <Data>4549be94</Data>
    <Data>e06d7363</Data>
    <Data>00023843</Data>
    <Data />
    <Data />
    <Data>C:\Users\christow\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report5f883d64\WER321E.tmp.version.txt C:\Users\christow\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report5f883d64\WER321F.tmp.appcompat.txt C:\Users\christow\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report5f883d64\WER3230.tmp.hdmp C:\Users\christow\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report5f883d64\WER3D19.tmp.mdmp</Data>
    <Data />
  </EventData>
</Event>


Vista/Server 2008 Event rule:

<Rule ID="My.VistaEvent.AlertRule" Enabled="true" Target="SCLibrary!Microsoft.SystemCenter.HealthService" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Custom</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">1001</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">Windows Error Reporting</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventLevel</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <!-- Even though the Crimson event is level 3 (warning in Crimson) this value is converted to the OpsMgr constant for Warning which is 2. -->
                <Value Type="UnsignedInteger">2</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>0</Severity>
      <AlertName>Watson Error</AlertName>
      <AlertDescription/>
      <AlertMessageId>$MPElement[Name="My.VistaEvent.AlertRule.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <!-- We can use the description after the filter for user readable only data. -->
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
        <!-- The 6th parameter is the faulting application, in this case cl.exe -->
        <AlertParameter2>$Data/EventData/DataItem/EventData/Data[6]$</AlertParameter2>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventDescription$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>

In this example we are collecting a downlevel event:

Sample downlevel event:

Event Type:       Error
Event Source:     Userenv
Event Category:   None
Event ID:         1058
Date:             1/22/2008
Time:             3:45:10 AM
User:             NT AUTHORITY\SYSTEM
Computer:         CHRISTOW-DEV2
Description:
Windows cannot access the file gpt.ini for GPO CN={AE79D7A0-CD0E-401A-82B5-22B20BD707DC},CN=POLICIES,CN=SYSTEM,DC=WINGROUP,DC=WINDEPLOY,DC=NTDEV,DC=MICROSOFT,DC=COM. The file must be present at the location <\\wingroup.windeploy.ntdev.microsoft.com\SysVol\wingroup.windeploy.ntdev.microsoft.com\Policies\{AE79D7A0-CD0E-401A-82B5-22B20BD707DC}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Downlevel Event rule:

<Rule ID="My.Downlevel.AlertRule" Enabled="true" Target="SCLibrary!Microsoft.SystemCenter.HealthService" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Custom</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <!-- Event ID of the sample Userenv event above -->
                <Value Type="UnsignedInteger">1058</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <!-- For a legacy event PublisherName is the Event Source column of the event viewer -->
                <Value Type="String">Userenv</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>0</Severity>
      <AlertName>GPO Error</AlertName>
      <AlertDescription/>
      <AlertMessageId>$MPElement[Name="My.Downlevel.AlertRule.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <!-- We can use the description after the filter for user readable only data. -->
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventDescription$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
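As an added example (not part of the original post or of OpsMgr itself), the Python below evaluates the kind of And/SimpleExpression filter used in the two rules above against an OpsMgr DataItem and expands the $Data/…$ alert parameters the same way; the DataItems (one for the Windows Error Reporting event, one idsvc Success event) and the description text are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Operators from the MP SimpleExpression vocabulary that this evaluator understands.
OPERATORS = {"Equal": lambda a, b: a == b, "NotEqual": lambda a, b: a != b,
             "Greater": lambda a, b: a > b, "GreaterEqual": lambda a, b: a >= b,
             "Less": lambda a, b: a < b, "LessEqual": lambda a, b: a <= b}


def _typed(text, mp_type):
    """Coerce a field or literal according to its Type attribute (UnsignedInteger/Integer vs String)."""
    return int(text) if mp_type in ("UnsignedInteger", "Integer") else text


def _operand(value_expr, dataitem):
    """Evaluate a <ValueExpression>: an <XPathQuery> relative to the DataItem, or a literal <Value>."""
    query = value_expr.find("XPathQuery")
    if query is not None:
        hit = dataitem.find(query.text.strip())
        return None if hit is None else _typed(hit.text or "", query.get("Type", "String"))
    literal = value_expr.find("Value")
    return _typed(literal.text or "", literal.get("Type", "String"))


def evaluate(expression, dataitem):
    """Evaluate an <Expression> (And / Or / Not / SimpleExpression) against an OpsMgr DataItem element."""
    node = expression[0]
    if node.tag == "And":
        return all(evaluate(sub, dataitem) for sub in node.findall("Expression"))
    if node.tag == "Or":
        return any(evaluate(sub, dataitem) for sub in node.findall("Expression"))
    if node.tag == "Not":
        return not evaluate(node.find("Expression"), dataitem)
    if node.tag == "SimpleExpression":
        left, right = (_operand(v, dataitem) for v in node.findall("ValueExpression"))
        if left is None or right is None:
            return False  # a field missing from the DataItem never matches
        return OPERATORS[node.findtext("Operator").strip()](left, right)
    raise ValueError("unsupported expression node: " + node.tag)


def resolve(template, dataitem):
    """Expand $Data/<xpath>$ references, as used in AlertParameters, from the DataItem."""
    def lookup(match):
        hit = dataitem.find(match.group(1))
        return "" if hit is None else (hit.text or "")
    return re.sub(r"\$Data/([^$]+)\$", lookup, template)


def simple_expression(xpath, mp_type, operator, value):
    """Build a one-clause <Expression>, the same shape as each clause in the rules above."""
    return ET.fromstring(
        "<Expression><SimpleExpression>"
        '<ValueExpression><XPathQuery Type="%s">%s</XPathQuery></ValueExpression>'
        "<Operator>%s</Operator>"
        '<ValueExpression><Value Type="%s">%s</Value></ValueExpression>'
        "</SimpleExpression></Expression>" % (mp_type, xpath, operator, mp_type, value))


def and_expression(*clauses):
    """Wrap clauses in <Expression><And>...</And></Expression>, as the rules' DataSource filters do."""
    root = ET.Element("Expression")
    ET.SubElement(root, "And").extend(clauses)
    return root


# Constructed DataItem for the Windows Error Reporting event above: Crimson level 3 has already been
# mapped to the OpsMgr Warning constant 2, and the raw EventData sits inside a System.XmlData DataItem.
WER_ITEM = ET.fromstring("""<DataItem type="MOM.EventData">
  <PublisherName>Windows Error Reporting</PublisherName>
  <EventSourceName>Windows Error Reporting</EventSourceName>
  <Channel>Application</Channel>
  <EventNumber>1001</EventNumber>
  <EventLevel>2</EventLevel>
  <EventData><DataItem type="System.XmlData"><EventData>
    <Data>378529931</Data><Data>1</Data><Data>APPCRASH</Data><Data>None</Data><Data>0</Data>
    <Data>cl.exe</Data><Data>14.0.60406.0</Data>
  </EventData></DataItem></EventData>
  <EventDisplayNumber>1001</EventDisplayNumber>
  <EventDescription>Fault bucket 378529931 (constructed description)</EventDescription>
</DataItem>""")

# Constructed DataItem for a Success-level event (OpsMgr level constant 0).
SUCCESS_ITEM = ET.fromstring('<DataItem type="MOM.EventData"><PublisherName>idsvc</PublisherName>'
                             "<EventDisplayNumber>0</EventDisplayNumber><EventLevel>0</EventLevel></DataItem>")

# The three clauses of the Vista/Server 2008 rule's filter above.
WER_FILTER = and_expression(
    simple_expression("EventDisplayNumber", "UnsignedInteger", "Equal", 1001),
    simple_expression("PublisherName", "String", "Equal", "Windows Error Reporting"),
    simple_expression("EventLevel", "UnsignedInteger", "Equal", 2))

if __name__ == "__main__":
    print("WER rule matches WER item:", evaluate(WER_FILTER, WER_ITEM))
    print("AlertParameter2:", resolve("$Data/EventData/DataItem/EventData/Data[6]$", WER_ITEM))
    # Non-linear level constants: 'EventLevel <= Warning (2)' also admits Success (0), as the text warns.
    print("Success passes 'EventLevel <= 2':",
          evaluate(simple_expression("EventLevel", "UnsignedInteger", "LessEqual", 2), SUCCESS_ITEM))
```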

 

 

OpsMgr Event schema

<?xml version="1.0" encoding="utf-8" ?>
<xsd:schema targetNamespace="http://tempuri.org/EventDataType.xsd"
            elementFormDefault="qualified"
            xmlns="http://tempuri.org/EventDataType.xsd"
            xmlns:mstns="http://tempuri.org/EventDataType.xsd"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">

  <!-- Simple type for a GUID -->
  <xsd:simpleType name="GuidType">
    <xsd:restriction base="xsd:string">
      <xsd:maxLength value="38"/>
      <xsd:minLength value="36"/>
      <xsd:pattern value="\{{0,1}[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}{0,1}"/>
    </xsd:restriction>
  </xsd:simpleType>

  <!-- Base Type for a DataItem -->
  <xsd:complexType name="BaseDataItemType">
    <xsd:attribute name="type" type="xsd:string" use="required"/>
    <xsd:attribute name="time" type="xsd:dateTime" use="optional"/>
    <xsd:attribute name="sourceHealthServiceId" type="GuidType" use="optional"/>
  </xsd:complexType>

  <!-- Generic DataItem Type -->
  <xsd:complexType name="GenericDataItemType">
    <xsd:complexContent>
      <xsd:extension base="BaseDataItemType">
        <xsd:sequence>
          <xsd:any minOccurs="0" maxOccurs="unbounded" processContents="lax"/>
        </xsd:sequence>
      </xsd:extension>
    </xsd:complexContent>
  </xsd:complexType>

  <!-- Type for Event Parameters -->
  <xsd:complexType name="EventParametersType">
    <xsd:sequence>
      <xsd:element name="Param" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
  </xsd:complexType>

  <!-- Schema for Event data type:
    Sample XML:

      <DataItem type="MOM.EventData" time="2000-01-15T20:00:00Z"
                sourceHealthServiceId="7fd77deb-8f26-408b-bac7-fb03fefcda99">
        <EventOriginId>{3dbd7293-7e9d-437d-9ddf-e0800c3c61d6}</EventOriginId>
        <PublisherId>{88227293-7e9d-4444-9ddf-e0800c3c6999}</PublisherId>
        <PublisherName>MyEventSource</PublisherName>
        <EventSourceName>MyEventSource</EventSourceName>
        <Channel>global/System</Channel>
        <LoggingComputer>LoggingComputer</LoggingComputer>
        <EventNumber>2000</EventNumber>
        <EventCategory>2</EventCategory>
        <EventLevel>3</EventLevel>
        <UserName>Domain\User</UserName>
        <RawDescription>Device error occurred %1 times while copying data to %2</RawDescription>
        <LCID>0</LCID>
        <Params>
            <Param>1</Param>
            <Param>DVD</Param>
        </Params>
        <EventData></EventData>
        <EventDisplayNumber>2000</EventDisplayNumber>
        <EventDescription>Device error occurred 1 times while copying data to DVD</EventDescription>
        <ManagedEntityId>{11117293-7e9d-437d-9ddf-e0800c3c6111}</ManagedEntityId>
        <RuleId>{22227293-7e9d-4444-9ddf-e0800c3c6111}</RuleId>
      </DataItem>
  -->
  <xsd:element name="DataItem">
    <xsd:complexType>
      <xsd:complexContent>
        <xsd:extension base="BaseDataItemType">
          <xsd:sequence>

            <!-- Event Identifiers -->

            <!-- Unique per event instance ID -->
            <xsd:element name="EventOriginId" type="GuidType"/>
            <!-- Unique per event publisher ID -->
            <xsd:element name="PublisherId" type="GuidType"/>

            <!-- Standard Event Fields -->

            <!-- Publisher Name -->
            <xsd:element name="PublisherName" type="xsd:string"/>
            <!-- Back Compat for VISTA/LONGHORN publisher name or same as publisher name on other platforms -->
            <xsd:element name="EventSourceName" type="xsd:string"/>
            <xsd:element name="Channel" type="xsd:string"/>
            <xsd:element name="LoggingComputer" type="xsd:string"/>
            <xsd:element name="EventNumber" type="xsd:int"/>
            <!-- Numeric identifier for the event category (this is shown as localized text in the event viewer) -->
            <xsd:element name="EventCategory" type="xsd:short"/>
            <!-- Numeric identifier for the event level (this is shown as localized text in the event viewer) -->
            <xsd:element name="EventLevel" type="xsd:short"/>
            <xsd:element name="UserName" type="xsd:string"/>
            <!-- Unformatted Description -->
            <xsd:element name="RawDescription" type="xsd:string" minOccurs="0" maxOccurs="1"/>
            <!-- Locale Identifier for the description (as taken from the message dll) -->
            <xsd:element name="LCID" type="xsd:int" minOccurs="0" maxOccurs="1"/>
            <!-- Flag controlling DB insert of event description -->
            <xsd:element name="CollectDescription" type="xsd:boolean" minOccurs="0" maxOccurs="1"/>
            <!-- Resolved Event Parameters (SIDS -> User/Group names, AD GUIDS -> AD object names) -->
            <xsd:element name="Params" type="EventParametersType" minOccurs="0" maxOccurs="1"/>

            <!-- DataItem Context for VISTA (UserData XML) and script/WMI/SNMP/Generic (input DataItem XML) events -->

            <xsd:element name="EventData" minOccurs="0" maxOccurs="1">
              <xsd:complexType>
                <xsd:sequence>
                  <xsd:element name="DataItem" type="GenericDataItemType" minOccurs="0" maxOccurs="1"/>
                </xsd:sequence>
              </xsd:complexType>
            </xsd:element>

            <!-- Calculated Fields -->

            <!-- Least significant WORD of the EventNumber (EventNumber & 0xFFFF) -->
            <xsd:element name="EventDisplayNumber" type="xsd:short" minOccurs="0" maxOccurs="1"/>
            <!-- Formatted Description with parameter inserts (FormatMessage(RawDescription, Params)) -->
            <xsd:element name="EventDescription" type="xsd:string" minOccurs="0" maxOccurs="1"/>

            <!-- VISTA/LONGHORN specific fields -->
            <xsd:element name="CorrelationActivityId" type="GuidType" minOccurs="0" maxOccurs="1"/>
            <xsd:element name="CorrelationRelatedActivityId" type="GuidType" minOccurs="0" maxOccurs="1"/>
            <xsd:element name="Opcode" type="xsd:short" minOccurs="0" maxOccurs="1"/>
            <xsd:element name="Keywords" type="xsd:long" minOccurs="0" maxOccurs="1"/>
            <xsd:element name="ProcessId" type="xsd:int" minOccurs="0" maxOccurs="1"/>
            <xsd:element name="ThreadId" type="xsd:int" minOccurs="0" maxOccurs="1"/>
            <xsd:element name="Version" type="xsd:byte" minOccurs="0" maxOccurs="1"/>

            <!-- MOM specific workflow fields -->
            <xsd:element name="ManagedEntityId" type="GuidType" minOccurs="0" maxOccurs="1" />
            <xsd:element name="RuleId" type="GuidType" minOccurs="0" maxOccurs="1" />
          </xsd:sequence>
        </xsd:extension>
      </xsd:complexContent>
    </xsd:complexType>
  </xsd:element>

</xsd:schema>

 

  • Gads... does this seem overly complex to anyone else who doesn't spend their days writing code and working with XML? Compared with the ease we had in creating new MOM 2005 rules and MP's, this is daunting stuff.

  • Whatever happened to click, click, done? http://blogs.technet.com/momteam/archive/2008/02/01/authoring

  • Stuart and Rod, I'm on your side... MOM2k5 and cliketiclik is so much easier.

    But, on the other hand... when you create a larger MP and you want the reports to show some nice data, the hard way is the only way to do it. :-\

    Tip: Combine Authoring Console and a XML-editor.

  • What are the APIs you're talking about? And, more importantly, what is this doing and how do I activate it?

    <ViewerConfig>
      <QueryConfig>
        <QueryParams>
          <UserQuery />
        </QueryParams>
        <QueryNode>
          <Name ResourceId="%windir%\system32\svrmgrnc.dll,-418">Terminal Services</Name>
          <Description ResourceId="%windir%\system32\svrmgrnc.dll,-419">System events for Terminal Services</Description>
          <SuppressQueryExecutionErrors>1</SuppressQueryExecutionErrors>
          <QueryList>
            <Query>
              <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager']]]</Select>
              <Select Path="Analytic">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager']]]</Select>
              <Select Path="Operational">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager']]]</Select>
              <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-SessionBroker-Client']]]</Select>
              <Select Path="Analytic">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-PnPDevices']]]</Select>
              <Select Path="Admin">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-PnPDevices']]]</Select>
              <Select Path="Operational">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-PnPDevices']]]</Select>
              <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-SessionBroker']]]</Select>
              <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-TermServLicensing']]]</Select>
              <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-Licensing']]]</Select>
              <Select Path="System">*[System[Provider[@Name='TermServLicensing']]]</Select>
              <Select Path="Application">*[System[Provider[@Name='TSWebAccess']]]</Select>
              <Select Path="Microsoft-Windows-TerminalServices-Gateway/Operational">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-Gateway']]]</Select>
              <Select Path="Microsoft-Windows-TerminalServices-Gateway/Admin">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-Gateway']]]</Select>
            </Query>
          </QueryList>
        </QueryNode>
      </QueryConfig>
    </ViewerConfig>