Q: In email notification, is there any way to display the severity by 'name' instead of 'id' so I don't get an integer?
A: Not that I know of.
In OpsMgr, for notification, we use a command line channel to send pages. We have it configured as such (for example).
$Data[Default='$Data/Context/DataItem/Context/DataItem/Params/Param[1]$']/Context/DataItem/Custom1$
That way, if Custom1 is blank we can page out on Param[1] value. This works great in paging, but when we try to do the same thing in email, it doesn’t work. It passes the literal text. How can we do the same thing in email?
Kevin,
How do you embed diagnostic output in the alert notification? For example, I have a script-based diagnostic attached to a percent processor utilization performance monitor. The script lists the top running processes at the time, along with their individual processor utilization percentages. It returns this information to the alert as a property bag property called 'Result'. The diagnostic result appears in Health Explorer all right, but I also want to include it in the alert notification. I would like to use something like this:
$Data/Diagnostic/DataItem/Property[@Name='Result']$
(from: technet.microsoft.com/.../ff714576.aspx ), but it does not work. I have also tried this without success:
$Data/Context/Property[@Name='Result']$
BTW, ditto to David Strebel's question above.
Thanks!
Hi, thanks, nice article.. but I have one query / help.
I want to customize my own words like..
Server Name ,
Server Role,
Up -
Down -
Down time -
So can you suggest any way how we can customize the alert....!
Hi Kevin, I have a rule configured to capture the event log information from IDs 644 & 4740, account lockouts. I have a view set up to filter these account lockouts to just show service accounts in this format using text from the description: 'COMPANY\s-%'. This filter works great. However I cannot get the same filter to work when sending out the notification in email. It seems to be all account lockouts or nothing. Any ideas how I can make this work? Thanks!
What's the value for setting SQL Instance name under SCOM Alert Message..?
Hello Kevin,
Recently, I was asked to create a unit monitor to be alerted for any file changes in the environment.
So, I created an event based timer reset monitor, which targets the security log and a particular ID and a parameter.
The alerting works fine in SCOM whenever the ID and parameter are triggered together in the event viewer.
The problem is with the description that is shown in SCOM.
The event shows the proper format of the description, as shown below:
A handle to an object was requested.
Subject:
Security ID: DOM\user
Account Name: user
Account Domain: DOM
Logon ID: 0x1c77b615e
Object:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolume7\test\testuser\testuserH\Reports\test\test2012\user2012\Security2012.xlsx
Handle ID: 0x0
Process Information:
Process ID: 0x4
Process Name:
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
READ_CONTROL
ACCESS_SYS_SEC
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Access Reasons: DELETE: Unknown or unchecked
READ_CONTROL: Granted by Ownership
ACCESS_SYS_SEC: Not granted due to missing SeSecurityPrivilege
ReadData (or ListDirectory): Unknown or unchecked
ReadEA: Unknown or unchecked
ReadAttributes: Granted by ACE on parent folder D:(A;OICIID;0x1301bf;;;S-1-5-21-3362488545-1801783553-3570299896-10108)
Access Mask: 0x1030089
Privileges Used for Access Check: -
Restricted SID Count: 0
However, in the event viewer friendly view (both general and XML) the data is displayed as shown below:
EventData
SubjectUserSid S-1-5-21-3362488545-1801783553-3570299896-4101
SubjectUserName user
SubjectDomainName DOM
SubjectLogonId 0x1c77b615e
ObjectServer Security
ObjectType File
ObjectName \Device\HarddiskVolume7\test\testuser\testuserH\Reports\test\test2012\user2012\Security2012.xlsx
HandleId 0x0
TransactionId {00000000-0000-0000-0000-000000000000}
AccessList %%1537 %%1538 %%1542 %%4416 %%4419 %%4423
AccessReason %%1537: %%1809 %%1538: %%1804 %%1542: %%1810 SeSecurityPrivilege %%4416: %%1809 %%4419: %%1809 %%4423: %%1811 D:(A;OICIID;0x1301bf;;;S-1-5-21-3362488545-1801783553-3570299896-10108)
AccessMask 0x1030089
PrivilegeList -
RestrictedSidCount 0
ProcessId 0x4
ProcessName
The same XML data (from friendly view) is displayed in SCOM.
Is there a way I can get SCOM to read the data from the general view of the Event Viewer instead of it reading from the friendly view?
Any help will be appreciated.
Thanks in Advance!
Regards,
Abdul Karim
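The %%NNNN values in the raw EventData above are message-table tokens that Event Viewer's General view expands into text. As an added example (not part of the original comment, and not SCOM's own code), this PowerShell sketch turns the raw AccessReason string into readable rows. The function names and the lookup table are assumptions; the table holds only the pairs that can be read off by lining up the two views in this comment.

```powershell
# Token -> text pairs, read off the comment above by pairing the AccessList /
# AccessReason tokens with the rendered "Accesses" / "Access Reasons" lines.
$MessageTable = @{
    '1537' = 'DELETE'
    '1538' = 'READ_CONTROL'
    '1542' = 'ACCESS_SYS_SEC'
    '4416' = 'ReadData (or ListDirectory)'
    '4419' = 'ReadEA'
    '4423' = 'ReadAttributes'
    '1804' = 'Granted by Ownership'
    '1809' = 'Unknown or unchecked'
    '1810' = 'Not granted due to missing'
    '1811' = 'Granted by ACE on parent folder'
}

function Resolve-Token {
    param([string]$Id, [hashtable]$Table)
    # Ids missing from the table stay visible as %%NNNN instead of vanishing.
    if ($Table.ContainsKey($Id)) { $Table[$Id] } else { "%%$Id" }
}

function ConvertFrom-AccessReason {
    param([string]$AccessReason, [hashtable]$Table)
    # Each entry has the shape "%%access: %%reason [detail]"; split just before
    # every "%%NNNN:" so the optional detail stays attached to its own entry.
    foreach ($entry in ($AccessReason.Trim() -split '\s+(?=%%\d+:)')) {
        if ($entry -match '^%%(\d+):\s+%%(\d+)\s*(.*)$') {
            [pscustomobject]@{
                Access = Resolve-Token -Id $Matches[1] -Table $Table
                Reason = Resolve-Token -Id $Matches[2] -Table $Table
                Detail = [string]$Matches[3]   # privilege name or SDDL ACE, may be empty
            }
        } else {
            Write-Warning "Unparsed AccessReason entry: $entry"
        }
    }
}

# Sample input: the AccessReason value quoted in the comment above.
$accessReason = '%%1537: %%1809 %%1538: %%1804 %%1542: %%1810 SeSecurityPrivilege ' +
    '%%4416: %%1809 %%4419: %%1809 %%4423: %%1811 ' +
    'D:(A;OICIID;0x1301bf;;;S-1-5-21-3362488545-1801783553-3570299896-10108)'

$rows = ConvertFrom-AccessReason -AccessReason $accessReason -Table $MessageTable
$rows | Format-Table -AutoSize

# Keep only the row a file-change alert cares about.
$rows | Where-Object { $_.Access -eq 'DELETE' }
```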
The event rule variables don't seem to work. I have tried $Data/EventDescription$ as well as $Data/Context/EventDescription$ I tried them both in the rule itself and in a SMTP channel for a subscription that fires an email for that rule and always get blank results? Can you confirm where we use these variables, in the rule or alert channel and what they should be for an NT Event Log rule?
We have the Remedy software, and we try to add [$$BLABLA$$], for example. But the $ always gets interpreted as a variable, and we need 2 $ because of Remedy.
Here is an example:
Service Type !1000000099!: [$$Infrastructure Event$$]
But it's always:
Service Type !1000000099!: [$Infrastructure Event$]
In some cases it gets interpreted correctly with 4 $, but in some cases not. So do you have a solution that works for my whole problem?
Regards,
Jules
I'm trying to update Custom Fields with an IP address from a text file. Are there any suggestions on why I can update the fields with text but not an IP?
Hello and thank you for all the details you have provided to us.
My question is this - within Monitoring, I've created a rule for EventID = 6000 (Log file is full) - can I pass $Data/LoggingComputer$ to a PowerShell script as a parameter when specifying command line execution settings?
I want to have it go off and perform event log backup & clear on that remote server.
Thanks!
Can someone tell me how to add the IP address in the case of Linux/Unix alerts?
Thanks for posting this. I put this information on the authoring guide: http://social.technet.microsoft.com/wiki/contents/articles/15300.operations-manager-management-pack-authoring-variables.aspx