
How to find all possible event IDs for a given event source

I recently got this question from a customer… and felt it would be good to blog about this.

The customer wants to create an alert any time there is an event in the System event log from the USER32 event source.

HOWEVER – it is a best practice in SCOM to make our event matching criteria as SPECIFIC as possible.

 

The problem:  How do I know all possible event IDs that COULD show up under a given event source?

The solution?  Use the MOM 2005 resource kit tool, called MPWizard.exe.

 

NOTE:  The MOM 2005 MPWizard states that it needs to be run on a MOM 2005 management server… but I have tested, and it only really needs to be run on a machine with the MOM 2005 console installed. If you don't have a MOM 2005 environment, simply install only the console and you can use this tool.  There might be a “cheat” way to run this tool by registering a couple of MOM 2005 DLLs – but I haven't looked into that.  If you get a COM error, and cannot get this to run, and the MOM 2005 console is not an option – I recommend you check out using LogParser – which I link to below.

 

MPWizard will let us interrogate the local computer, OR a remote computer, and determine ALL POSSIBLE events for a given event source, and has the added benefit of showing us the event parameters as well.

 

For example, I will launch MPWizard, and choose “Event Source Monitoring”.

Give it a “TEST” rule group name… since we really won't be creating a MOM 2005 Management Pack here.

Click “Add”, and choose the local computer or a remote computer.

Choose the event source we are interested in.

This interrogates the event log source DLL for the USER32 event source, and shows all possible events that *could* be created by this event source (DLL), along with the parameters for each event.

 

Now – I can create a much more specific rule that includes the event IDs, and also uses event parameters if needed.

Now – if I DON'T want this alert on a specific group of machines, I can create an exception based on parameter 1.

Using the MOM 2005 MP wizard is a very easy way to find all possible event IDs for a given event source, AND it will show us the parameters that each event uses. This is very helpful in keeping with the SCOM best practice of being very specific, and of using event parameters instead of searching the entire event description, which is resource intensive.

 

You can get the MOM 2005 reskit download HERE:  http://technet.microsoft.com/en-us/opsmgr/bb498240.aspx

 

Also – be sure to check out how to use LogParser – another free tool – to find event parameters, in this blog post:  Using Event Description as criteria for a rule
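
As a complement to the approaches above, the following PowerShell sketch is an added example (not part of the original post, and not taken from MPWizard or LogParser). It prints the message DLL registered for the source and then summarizes the event IDs that source has actually logged on the machine, with a sample of each event's parameter values; unlike MPWizard it shows only observed events, not every event the DLL could produce. It assumes PowerShell 3.0 or later and the System log / USER32 source used in this article.

```powershell
# Added example, not from the original post. Run on the machine being checked.
# Assumptions: the System log and the USER32 source discussed in the article.
$LogName = 'System'
$Source  = 'User32'

# 1. The message DLL registered for the source. Its message table defines
#    every event the source *could* write.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
$reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($reg) {
    "EventMessageFile : $($reg.EventMessageFile)"
} else {
    "No registry entry for source '$Source' under the '$LogName' log."
}

# 2. Event IDs this source has actually logged here, how many parameters
#    each carries, and one sample of the parameter values.
$filter = @{ LogName = $LogName; ProviderName = $Source }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    "No events from '$Source' found in the '$LogName' log."
} else {
    $events | Group-Object -Property Id | Sort-Object { [int]$_.Name } | ForEach-Object {
        $sample = $_.Group[0]      # Get-WinEvent returns newest first
        $i = 0
        $params = foreach ($p in $sample.Properties) {
            $i++
            "Param${i}=$($p.Value)"
        }
        [pscustomobject]@{
            EventId    = [int]$_.Name
            Count      = $_.Count
            ParamCount = $sample.Properties.Count
            Sample     = $params -join '; '
        }
    } | Format-List
}
```

The numbered parameter values in the output are the ones to match on in a rule or exception, rather than the full event description.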

Published Monday, February 16, 2009 10:09 PM by kevinhol


Comments

# Using Event Description as criteria for a rule

Wednesday, February 18, 2009 6:16 PM by Kevin Holman's OpsMgr Blog

When we write rules and monitors to look at events in the event log.... typically the most common criteria

# Authoring rules for Windows 2008 events, and how to cheat

Tuesday, February 24, 2009 8:56 PM by Kevin Holman's OpsMgr Blog

So…. with the introduction of Server 2008 into OpsMgr… as a monitored agent, you might need to re-evaluate
