OpsMgr 2007: Parameters Explained

OpsMgr 2007: Parameters Explained

  • Comments 7
  • Likes

Some time ago I showed you can use PowerShell to create Events for OpsMgr 2007. And according to the comments quite some people have questions about Event parameters. After creating the first version of the PowerShell Create Events for OpsMgr 2007 script, Ken added some functionality and one was modifying the question to not only add a EventLog Description but also a EventLog Parameter.

I found some info on MOM 2005 parameters on Rory McCaw’s weblog, but except that article I could not find much info on Event Log parameters. So hopefully this will explain what parameters are and how they can be used in OpsMgr 2007.

EventLog Parameters in the Events

Every Windows event has description text that is filled in by the values of different parameters. You can find the Eventlog parameters of an event by using the Log Parser. (if you know an easier way on Windows 2003 Servers let me know). Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.

Example of EventLog Parameters in an Eventlog:

C:\Program Files\Log Parser 2.2>LogParser.exe "SELECT Top1 Strings AS Parameters FROM Application WHERE EventID=301"

Result:
image_thumb

So in this example you can use four parameters in your OpsMgr Rules or Monitor.

Event Parameters in OpsMgr 2007

Eventlog Parameters can be used in OpsMgr Rules and Monitors. An example where you can find EventLog Parameters used is the Windows Activation State Monitor in the Windows Server 2003 MP. This is a 3 State Event Log Monitor and this monitor looks for EventLog Parameters and the values found in the Eventlog change the state of the monitor.

Healthy:    Look for EventId 1006 in Application Log of Source Windows Product Activation
Warning: Look for EventId 1005 in Application Log of Source Windows Product Activation and Params/Param[1] > 6 =< 15
Critical:   Look for EventId 1005 in Application Log of Source Windows Product Activation and Params/Param[1] =< 6

image_thumb10

You can use the PowerShell Create Events script from Ken to test your monitors or rules with with one EventLog parameter. So it won’t work if you need to test a Rule or Monitor which uses more than one parameter in the Eventlog.

So if you want to test the Windows Activation State Monitor and want to Change the State to Critical, you need to create an Event with the next values:

EventID 1005
Source Windows Product Activation
Type Error
Description Your Windows product has not been activated with Microsoft yet. Please use the Product Activation Wizard within <number> days.

More info about this event can be found on EventID.Net

image

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • PingBack from http://windows.wawblog.info/?p=30477

  • When we write rules and monitors to look at events in the event log.... typically the most common criteria

  • If you want to use Logparser in Windows 2008 there is a workaround.

    You could enter the path to the physical location of the eventlog files. Example:

    logparser.exe -i:EVT "Select Count(*) from c:\windows\system32\winevt\logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx

    But there is a problem with 64-bit OSes. These use the 'File System Redirector for WOW64' feature. But here is also a solution for:

    logparser.exe -i:EVT "Select Count(*) from c:\windows\sysnative\winevt\logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx

    More info on SysNative: http://msdn.microsoft.com/en-us/library/aa384187(VS.85).aspx

  • Hi Stefan

    Cool blog, i am already using it a lot. I have a question though, regarding the following string (this is event 8957 from Application on a SQL server)

    |CHECKDB|StoreDataCleansing||||domain\username|0|1|2|3|......

    Checkdb is param1, StoreDataCleansing is 2, but are the next a parameter even though there are no data between the pipes?

    Thanks a lot!

  • Hi Michael,

    I'm not the logparser developer but I'm guessing you are right;-) There are some empty eventlog parameters in your example.

    Regards,

    Stefan

  • Hi Stefan, nice blog. Tks a lot. Do these paramerts work fine for consolidations and alert supression too? I'm converting rules from MOM to SCOM that have lots of suppression and my concern is about the Domain parameter in MOM, which is no available in SCOM. Should be parameter4 for security events, but I wonder if I have to test for each event and if the localtion of the Domain parameter is going to change from on event to another.

    Thank you,

    Jose Fehse

  • Hey Stefan,

    I am trying to send a custom email as an alert but am having trouble with the output.

    Here is what I have so far:

    I have an SCOM 2007R2 server, picking up Biztalk events from a 2003 box.  The events that I want to create custom alert emails around are coming from a custom application that I have asked the developers to create an event that has this structure:

    Source:Source1

    Description:

    %text%Item1 Item2 Item3

    Item1

    Item2

    Item3

    My thought was that parameter 1 started on line 2, so a rule is setup to look at the source, looking for Source1.  The event is being picked up OK but the alert being sent is:

    Last modified time: 3/16/2011 12:01:24 PM Alert description: Failed to replace parameter while creating the alert.

    Alert: F976C948-A0EA-401C-A0F2-865E5FFF1EA3

    Workflow: MomUIGeneratedRule18b9dbede63a4c8ebb789b9aaa62387e

    Instance:

    Instance ID: {A65528E4-B591-27DD-7473-36F7916957FB}

    Management Group:

    Failing replacement: $Data/Params/Param[4]$

    This is the Alert description data from the Rule created:

    $Data/Params/Param[2]$

    $Data/Params/Param[3]$

    $Data/Params/Param[4]$

    Thinking that this will pick up

    Item1

    Item2

    Item3

    From the original event

    So then I have an email notification channel with a custom email that uses the Parameters to fill in the content:

    This error $Data/Params/Param[2]$ has occurred to $Data/Params/Param[3]$.  This has resulted in this error:  $Data/Params/Param[4]$

    The example above is what is contained within the Email Notification Channel, Format Tab, Email message.

    Could you please provide any help with why this message is unable to send out the parameters correctly.

    Thank you in advance.