Using Event Description as criteria for a rule

re: Using Event Description as criteria for a rule

Mike — Thu, 28 Aug 2008 01:12:59 GMT

When I try this, I get:

Alert description: {0} {1} {2} {3} {4}

Using OpsMgr to see which servers have not been logged on to via RDP

Kevin Holman's OpsMgr Blog — Thu, 04 Sep 2008 00:46:38 GMT

This came up in a discussion group.... and while it maybe not be all that interesting of a topic....

re: Using Event Description as criteria for a rule

Stephan Lalonde — Thu, 25 Sep 2008 22:15:26 GMT

This does not work. It fails to filter out the correct information and when you specify these parameters as part of the alert description to see which one is which, you get {0} {1} {2} {3} {4} etc... As previously stated!!!

re: Using Event Description as criteria for a rule

Will Kaiser — Fri, 03 Oct 2008 19:32:39 GMT

Just to elaborate, the above posts are ultimately correct.

The log parser does indeed give you parameter numbers for an event log, and you can indeed build a rule based on that which will fire off appropriately.

The problem is that when you use parameters you apparently cannot pull other data from the event log into the alert description.

So in my case, I'm looking for 'logon type: 10' in a particular security event log. I used the log parser to discover that '10' is parameter 4. I built my rule to watch for parameter 4 is equal to 10. It works, an alert is generated when that specific log is created, HOWEVER, when I attempt to display information from that event log in the alert description, the values are '{1} {2}' etc instead of the actual data from the alert, which renders this approach worthless.

Note that I have roughly 40 other rules that watch security event logs like this, and I have created a template that I paste into the body of alert that provides the alert description as well as the alerting source in a readable fashion. That template works with all other event log based rules and passes the event description into alert body successfully. Using the above approach, I now only get '{1} {2} {3}...'.

Any thoughts on this? Is there a way to translate the {1} values into actual data from the event?

re: alert description not working?

kevinhol — Fri, 03 Oct 2008 20:47:00 GMT

I dont know what to say - it works fine for me.

I would start by testing this - dont paste in anything - just use the flyouts... and add JUST PARAMETER 1.... using the UI controls. Start with a blank alert description, click the ellipsis, click data, specify parameter 1 only, click ok.

Then - give that enough time to propogate down to the agent - then test the event... then go back and add in all the appropriate parameters. It works fine for me... I did get it to mess up once, but now I cannot repro it. It might have something about the alert description not liking a pasted in text dump from html... or the spaces, or the <BR /> in some combination. I cannot repro it not working, however....

Authoring rules for Windows 2008 events, and how to cheat

Kevin Holman's OpsMgr Blog — Wed, 25 Feb 2009 04:56:05 GMT

So…. with the introduction of Server 2008 into OpsMgr… as a monitored agent, you might need to re-evaluate

OpsMgr 2007: How to get alerts for domain group membership changes

The Operations Manager Support Team Blog — Thu, 18 Jun 2009 18:32:56 GMT

Using System Center Operations Manager 2007, you want to get an alert for any change in the domain admin

re: Using Event Description as criteria for a rule

Roger — Wed, 15 Jul 2009 20:22:48 GMT

I am having trouble triggering on the User Name for 531 or 539 security events. The unit monitor works fine if I don't specify an AND User Name condition.

Here is my log parse output

C:\Documents and Settings\rcline>"C:\Program Files (x86)\Log Parser 2.2\LogParse

r.exe" "select top 1 Strings AS Parameters FROM security where EventID=531"

Parameters

--------------------------------------------------------------------------------

-----------

)|912|-|-|-

Here is my unit monitor Event Expression

( ( Parameter 1 Contains scomsql ) AND ( ( Event ID Equals 539 ) OR ( Event ID Equals 531 ) ) )

What am I missing here ?

re: Using Event Description as criteria for a rule

Andrew Blumhardt — Tue, 18 Aug 2009 22:01:27 GMT

I'm currently using a dummy rule to expose the parameter information for a given event using SCOM alert description criteria. For example:

$Data/Params/Param[1]$

$Data/Params/Param[2]$

$Data/Params/Param[3]$

$Data/Params/Param[4]$

$Data/Params/Param[5]$

Now I just have to wait for my target alert to trigger to determine the parameters I need. Hope this helps. Thanks, Andrew

re: Using Event Description as criteria for a rule

Colin — Fri, 21 Aug 2009 08:38:46 GMT

I require all event parameters stored into the datawarehouse. How to achieve this?

re: Using Event Description as criteria for a rule

RonBen — Wed, 02 Dec 2009 19:00:06 GMT

I have this working if I'm only searching for 1 value in Param 1. The below query does not work. Is there something I'm missing?

( ( Event ID Equals 644 ) AND ( Event Source Equals Security ) AND ( ( Parameter 1 Contains scomusr ) OR ( Parameter 1 Contains tonyh99 ) ) )

Ron

re: Using Event Description as criteria for a rule

kevinhol — Wed, 02 Dec 2009 20:01:57 GMT

the problem may be using "contains".

Have you tried using a "matches wildcard" or "matches regular expression" ?