How to test fire ANY Windows Event on ANY server from ANY application

Anyone who works with events in the Windows Event log can benefit from this.

When creating management packs, or adding monitoring for specific events, it is very helpful to have tools to test fire these events.  In the past, we would use built-in tools like EventCreate.  However, these are limited in which event sources they can create events for, and in which event ID numbers they can use.


Microsoft released the System Center Operations Manager 2007 R2 Admin Resource Kit:

Download Here:  LINK

You can read about some of the scenarios here:


One of the tools is the MP Event Analyzer.

The MP Event Analyzer is built on the original release of EventLog Explorer, which never got enough credit or exposure for such an incredibly powerful tool.


Install the resource kit to your desktop or tools machine, and then you can copy the MP Event Analyzer tool (two files) to any server where you want to test fire an application or OS based event.  You can also run the tool from a mapped drive or UNC path:



Open MPEventAnalyzer.exe.  Select the Investigate Event Sources tab at the bottom:



In this example – I want to test a complex event log entry from SQL, so in the “Source” list I find my Event Source for my SQL instance – in this case “MSSQL$I01”:



Notice that ALL POSSIBLE events that COULD be fired under this event source show up on the right pane.  This is the power of this tool.  You could use this tool to investigate any application that writes to the event log under a given event source, and quickly write a management pack to alert on the most important events.

In my case, I am looking to test a very specific event ID – 3041 – which is a backup failure.  I find this event ID in the list, and place a check mark in the box next to it:



Then choose Action – Add marked events to Execution list:



Once the event shows up in the execution list – you can right click the event, choose Parameters, and input any specific parameters into the event. This matters if your event rule datasource only alerts when specific text is present in specific params:



You can also edit the severity of the event to be generated.

When you are happy – press the green “Fire” button at the top:



You will see your event fired perfectly in the log:



And OpsMgr and the management pack fired the alert:



The huge benefit of this tool is in testing: while you are developing your custom MPs for custom application events or Windows events, it can test fire any event possible on the system just as a real issue would fire it, with no restrictions on event source or event ID, and with highly customized and specific event parameter data.
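
To confirm from the command line that the test event landed with the parameter text your rule matches on, you can query the log and list the parameters by position. This is an added example, not part of the original post or the resource kit; it assumes the event is in the Application log, and the `$ExpectedText` default is a constructed sample value.

```powershell
# Added example: confirm a test-fired event and list its parameters by position.
# Assumed: the Application log; source and event ID are the ones from the walkthrough.
param(
    [string]$LogName       = 'Application',
    [string]$Source        = 'MSSQL$I01',     # single quotes stop PowerShell expanding $I01
    [int]   $EventId       = 3041,
    [int]   $WithinMinutes = 5,
    [string]$ExpectedText  = 'BACKUP failed'  # constructed sample; use your rule's match text
)

$filter = @{
    LogName      = $LogName
    ProviderName = $Source
    Id           = $EventId
    StartTime    = (Get-Date).AddMinutes(-$WithinMinutes)
}

# Get-WinEvent raises an error when nothing matches, so silence it and test for null.
$evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $evt) {
    Write-Warning "No event $EventId from '$Source' in '$LogName' in the last $WithinMinutes minutes."
    return
}

# Properties holds the event's parameters (insertion strings) in order.
$position = 0
$params = foreach ($p in $evt.Properties) {
    $position++
    $value = [string]$p.Value
    [pscustomobject]@{
        Param   = $position
        HasText = $value.IndexOf($ExpectedText, [StringComparison]::OrdinalIgnoreCase) -ge 0
        Value   = $value
    }
}

'{0}  {1}  ID {2}  {3}' -f $evt.TimeCreated, $evt.LevelDisplayName, $evt.Id, $evt.ProviderName
$params | Format-Table -AutoSize -Wrap

if (-not ($params | Where-Object HasText)) {
    Write-Warning "No parameter contains '$ExpectedText'; a rule matching on it would not alert."
}
```

Save it as a script and run it on the server right after pressing Fire; the `Param` column shows which position holds the text you entered.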

Comments (8)

  1. Huy Nguyen says:

    Kevin, thanks for taking the time to blog this.  Awesome tool, exactly what I've been looking for to test application event monitoring with SCOM.

  2. Dean says:

    A truly amazing tool, thanks Kevin.

  3. Brian says:

    Nice write up Kevin…..I don't know how many times I've asked vendors to give me the events they write to the event log.  With this tool I can finally see that.  Now I can write MPs for my custom applications. Thanks!

  4. Dave says:

    thank you so much … you are making my learning curve as a scadmin much easier. 🙂

  5. Rad says:

    thank you so much ..this tool indeed i started doing authoring stuff with the limited knowledge on SCOM 2007

  6. Brian says:

    Has anyone gotten this to work with the Windows security/auditing log? I always get a permissions error. I even tried giving “Everyone” the user right to “Generate audit logs” in the local policy. Hate to use this vouch for tech support, but this is the first hit I get with Google on this topic.. 🙂

  7. Sushma says:

    This is such a great tool, thanks Kevin!

  8. Jim says:

    This tool is exactly what I was looking for. Thanks for that!
