Some time ago I showed that you can use PowerShell to create Events for OpsMgr 2007. According to the comments, quite a few people have questions about Event parameters. After I created the first version of the PowerShell Create Events for OpsMgr 2007 script, Ken added some functionality; one change was modifying the question to add not only an EventLog Description but also an EventLog Parameter.

I found some info on MOM 2005 parameters on Rory McCaw’s weblog, but apart from that article I could not find much info on Event Log parameters. So hopefully this will explain what parameters are and how they can be used in OpsMgr 2007.

EventLog Parameters in the Events

Every Windows event has description text that is filled in by the values of different parameters. You can find the EventLog parameters of an event by using Log Parser (if you know an easier way on Windows 2003 Servers, let me know). Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.

Example of EventLog Parameters in an Eventlog:

C:\Program Files\Log Parser 2.2>LogParser.exe "SELECT TOP 1 Strings AS Parameters FROM Application WHERE EventID=301"

Result: [screenshot of the Log Parser output]

So in this example you can use four parameters in your OpsMgr Rules or Monitors.

Event Parameters in OpsMgr 2007

EventLog Parameters can be used in OpsMgr Rules and Monitors. An example where EventLog Parameters are used is the Windows Activation State Monitor in the Windows Server 2003 MP. This is a 3 State Event Log Monitor: it looks for EventLog Parameters, and the values found in the EventLog change the state of the monitor.

Healthy:  Look for EventId 1006 in Application Log of Source Windows Product Activation
Warning:  Look for EventId 1005 in Application Log of Source Windows Product Activation and Params/Param[1] > 6 and <= 15
Critical: Look for EventId 1005 in Application Log of Source Windows Product Activation and Params/Param[1] <= 6


You can use the PowerShell Create Events script from Ken to test your monitors or rules with one EventLog parameter. It won’t work if you need to test a Rule or Monitor that uses more than one parameter in the EventLog.

So if you want to test the Windows Activation State Monitor and change its state to Critical, you need to create an Event with the following values:

EventID:     1005
Source:      Windows Product Activation
Type:        Error
Description: Your Windows product has not been activated with Microsoft yet. Please use the Product Activation Wizard within <number> days.

More info about this event can be found on EventID.Net
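
An added example (not part of the original post and not Ken's script) that writes a test event carrying more than one EventLog parameter through the .NET EventLog.WriteEvent API and then reads the parameters back from PowerShell. The function names Write-TestEvent and Get-EventParameters and the second parameter value are assumptions made for this illustration.

```powershell
# Added example: write a test event with several EventLog parameters, then list them.
# Run on a test agent from an administrator prompt.
function Write-TestEvent {
    param(
        [string]   $Source,
        [int]      $EventId,
        [string[]] $Parameters,
        [string]   $EntryType = 'Error',
        [string]   $LogName   = 'Application'
    )

    # Register the source only when it is missing (requires administrator rights).
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
    }

    $type     = [System.Diagnostics.EventLogEntryType] $EntryType
    $instance = New-Object System.Diagnostics.EventInstance($EventId, 0, $type)

    # Each array element becomes one insertion string: Param[1], Param[2], ...
    [System.Diagnostics.EventLog]::WriteEvent($Source, $instance, [object[]] $Parameters)
}

function Get-EventParameters {
    param([string] $Source, [int] $EventId, [string] $LogName = 'Application')

    # Take the newest matching event and print its parameters with their index.
    Get-EventLog -LogName $LogName -Newest 50 |
        Where-Object { $_.Source -eq $Source -and $_.EventID -eq $EventId } |
        Select-Object -First 1 |
        ForEach-Object {
            $i = 0
            foreach ($s in $_.ReplacementStrings) {
                $i++
                "Param[$i] = $s"
            }
        }
}

# Critical state needs Params/Param[1] <= 6, so the first parameter is 5.
# The second value is constructed, only to show that several parameters can be written.
Write-TestEvent -Source 'Windows Product Activation' -EventId 1005 `
                -Parameters '5', 'constructed-second-value'
Get-EventParameters -Source 'Windows Product Activation' -EventId 1005
```

Get-EventParameters works for any existing event as well, so it can be used to check which parameter index a Rule or Monitor expression should reference before writing test events.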
