
TimHe's Blog of SMS SCCM SCOM MOM and SCE

I will be blogging about issues I run into while supporting these products.
How to create a generic text log (alert) in SCOM 2007 or SCE
 


 

From Authoring, right-click "Rules" and select "Create a new rule...".

Select "Generic Text Log (Alert)" and your target management pack.

Enter the rule name and description. Hit Select to pick a target.

In this case, I am selecting the "Windows Server" Target.

Enter the location of the log. If you expect the log file name to change (e.g. test07072007.log), you can use a pattern such as test*.log. The pattern should match only 1 active log at a time.

On the next screen, enter "Params/Param[1]" in the Parameter box. For the operator, choose what you need; I used "Matches wildcard" in this example. For the value, enter the text you are looking for.

Modify your alert priority/severity and description, then click create.
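A pre-flight check for the two inputs the wizard asks for, the log file pattern and the wildcard value, as an added PowerShell example that is not part of the original post. The function name, the 24-hour definition of an "active" log, treating each whole line as Param[1], and the sample files are assumptions; `-like` only approximates the "Matches wildcard" operator.

```powershell
# Added example. Paths, file names and log lines are constructed sample data.
function Test-TextLogRuleInput {
    param(
        [Parameter(Mandatory = $true)] [string] $Directory,
        [Parameter(Mandatory = $true)] [string] $FilePattern,   # e.g. test*.log
        [Parameter(Mandatory = $true)] [string] $ValuePattern,  # value for Params/Param[1]
        [int] $ActiveWithinHours = 24   # assumption: "active" = written to recently
    )
    $cutoff = (Get-Date).AddHours(-$ActiveWithinHours)
    $active = @(Get-ChildItem -LiteralPath $Directory -File |
        Where-Object { $_.Name -like $FilePattern -and $_.LastWriteTime -ge $cutoff })
    if ($active.Count -ne 1) {
        Write-Warning "'$FilePattern' matches $($active.Count) active logs; expected 1."
    }
    foreach ($file in $active) {
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $lineNo++
            # -like must match the whole line, so the value needs leading/trailing *.
            if ($line -like $ValuePattern) {
                [pscustomobject]@{
                    LogFileDirectory = $file.DirectoryName
                    LogFileName      = $file.Name
                    Line             = $lineNo
                    Param1           = $line   # assumption: whole line is Param[1]
                }
            }
        }
    }
}

# Constructed sample: one current log and one rotated log from two days earlier.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'textlog-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$current = Join-Path $dir 'test07072007.log'
$rotated = Join-Path $dir 'test07052007.log'
Set-Content -LiteralPath $current -Value @(
    '10:00:01 INFO service started',
    '10:02:13 ERROR logon failed for user svc_backup',
    '10:02:15 INFO retry scheduled')
Set-Content -LiteralPath $rotated -Value '09:00:00 ERROR logon failed for user old'
(Get-Item -LiteralPath $rotated).LastWriteTime = (Get-Date).AddDays(-2)

Test-TextLogRuleInput -Directory $dir -FilePattern 'test*.log' -ValuePattern '*logon failed*'
```

The output columns mirror the LogFileDirectory, LogFileName and Param[1] values that the text log alert exposes, so a matching line here shows what the alert description would carry.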

 

Posted: Tuesday, September 11, 2007 2:52 PM by timhe

Comments

timhe said:

Some people have asked how to get event data into the Alert Description.

Here are some values you can use:

In a rule, use the following variables to display event properties:

Event Category:

$Data/EventCategory$

Event ID:

$Data/EventDisplayNumber$

Event Level (i.e. Error, Warning, Information):

$Data/EventLevel$

Note: In the alert description, the Event Level variable displays 1 for Error, 2 for Warning and 4 for Information.

Event Source:

$Data/PublisherName$

Full Event Number (typically the same as Event ID):

$Data/EventNumber$

Logging Computer:

$Data/LoggingComputer$

Logname (i.e. Application, System, Security):

$Data/Channel$

User:

$Data/UserName$

Event Description:

$Data/EventDescription$

Custom Parameters:

$Data/Params/Param[1]$

$Data/Params/Param[2]$

etc.

In a monitor, use the following variables to display event properties:

Event Category:

$Data/Context/EventCategory$

Event ID:

$Data/Context/EventDisplayNumber$

Event Level (i.e. Error, Warning, Information):

$Data/Context/EventLevel$

Note: In the alert description, the Event Level variable displays 1 for Error, 2 for Warning and 4 for Information.

Event Source:

$Data/Context/PublisherName$

Full Event Number (typically the same as Event ID):

$Data/Context/EventNumber$

Logging Computer:

$Data/Context/LoggingComputer$

Logname (i.e. Application, System, Security):

$Data/Context/Channel$

User:

$Data/Context/UserName$

Event Description:

$Data/Context/EventDescription$

Custom Parameters:

$Data/Context/Params/Param[1]$

$Data/Context/Params/Param[2]$

etc.

# October 24, 2007 4:03 PM

timhe said:

The previous comment I posted will work for most alerts/monitors.

Here is the data that will work for the text log alert:

"Log File Directory : $Data/EventData/DataItem/LogFileDirectory$

LogFile name: $Data/EventData/DataItem/LogFileName$

String: $Data/EventData/DataItem/Params/Param[1]$"

# October 25, 2007 11:22 AM