Creating a Repeated Event Detection *Rule*



Comments (13)
  1. Kevin Holman says:

    MP author doesn’t have this capability, but they could add this as a feature. MP author adds the ability to add a condition detection that is a scheduler filter, which is different than the consolidator module. The scheduler filter adds the ability to only make the workflow active during certain time periods, like business hours, not during weekends, etc.

    1. Bruce Morey says:

      I’m attempting to follow your steps, any reason you can think of why I can’t create a rule in Health Model Pane? I’m an admin and running in admin mode. Only action available is refresh.

      1. Kevin Holman says:

        Did you create a new empty Management Pack first?

        1. Bruce Morey says:

          Sorry I’m taking so long to respond, but yes that was my problem. Here is a dumb question though: I did all this, saved and imported it. Now, won’t I need to create a new rule that references this new management pack?

          1. Bruce Morey says:

            Cancel that last response, I answered my own question. Thanks for this great article Kevin.

  2. I had similar issues that you have with the reset conditions of repeated event monitors. I made a monitor type that uses the missing event Condition Detection as the reset condition.

  3. Mike Hanlon says:

    Another great post Kevin. I wonder if one could create the same type of alert rule with the Silect MP Author tool? It has an option to schedule an event log rule by minutes.

  4. anitha says:

    Good one.
    I need help in troubleshooting a rule which is already configured.

    A rule for rightfax servers for eventid 3314 was configured for the Windows computer group. Though it is overridden, it is affecting the entire MG, and all the agents including RMS, MS are in warning.
    Due to this the SDK service keeps stopping, and here is the error.

    I have already disabled this particular rule which is affecting, but no use.
    Help will be appreciated.

    The Windows Event Log Provider was unable to open the Application event log on computer "server name" for reading. The provider will retry opening the log every 30 seconds. Most recent error details: The RPC server is unavailable. One or more workflows were
    affected by this. Workflow name: MSExchangeMonitoringCorrelationConnectivityToRMS Instance name: Correlation Engine – sdwpcfs712a (Correlation Engine) – C-SDW Instance ID: {A9528C38-6A1E-9A5F-1B23-C8FE49941B59} Management group:

  5. Sean Tompkins says:

    Very nice – I always look for this under rules, then remember it’s only under monitors. It’s nice that the only addition is the condition detection – should make for easy XML editing if someone wanted to do it that way, or create a script to add the counter to an existing rule.

  6. Dudu Sakharovich says:

    I have a problem monitoring SQL job failures. The default monitor which comes with the SQL MP doesn’t count job failures before firing the alert.
    I need to create a rule/monitor that can generate an alert after X SQL job failures, with the option to choose the X counter depending on the job.
    But I also need a way to clear the counter by using a different event ID than the SQL job failure event ID (Event 208 on application log).

    So basically I need to create a configurable monitor/rule for SQL job failure which can be customized for X failures for each job and also be able to clear the X counter with another event ID.

    For example I have a job called "test" which is configured to generate alert after 3 consecutive job failures.
    But if the job failed twice and then succeeded and then failed one more time the alert shouldn’t be generated.

    I’ll be happy to receive some help with that.
    Thx in advance.

  7. evan says:

    I didn’t see any reason why this shouldn’t work for creating a rule for SCOM 2012 R2, so I went ahead and did that, updated the version numbers in the XML, and imported the MP. The MP is showing up in Administration –> Management Packs, but it is not in the MP list when selecting the Scope in Authoring –> Management Pack Objects –> Rules, and the rule is not showing up when I select all MPs and search for it.

    Is this normal, or should it be showing up?



  8. Anonymous says:

    I had a customer looking for an example of how SCOM can monitor a server for multiple reboots in a period

  9. Scott says:

    I hope this is still being followed..

    I’m trying to use this methodology in 2012 R2 to create a rule that generates a simple alert if more than 5 event id 4625’s are detected in the security log in under a minute, and it doesn’t seem to work. Any ideas? I started with an empty management pack, and pointed at the security log rather than the application log, and selected event id 4625 instead of the below, and that’s the only real difference, but no alerts are generated when the condition is violated. Later I would want to scope the source of course to the same server.
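
The two counting behaviours asked about in comments 6 and 9 (an alert after X consecutive failures per job with a separate reset event, and an alert on more than 5 occurrences of event 4625 in under a minute) can be modelled offline before building them into a management pack. The following Python is an added example, not code from the article, its commenters or SCOM; the event tuples, computer names and `RESET_ID` are constructed assumptions, since the page gives no reset event ID.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0, 0)          # constructed start time
RESET_ID = 9999                             # placeholder: the page names no reset event ID

def at(sec):
    return T0 + timedelta(seconds=sec)

# Constructed events: (time, computer, event_id, key); key is the job name or "".
LOGON_EVENTS = ([(at(s), "SRV01", 4625, "") for s in (0, 8, 16, 24, 32, 40)] +
                [(at(s), "SRV02", 4625, "") for s in (0, 15, 30, 45, 60, 75)])
JOB_EVENTS = [(at(0), "SQL01", 208, "test"), (at(10), "SQL01", 208, "test"),
              (at(20), "SQL01", RESET_ID, "test"), (at(30), "SQL01", 208, "test"),
              (at(5), "SQL01", 208, "backup"), (at(15), "SQL01", 208, "backup"),
              (at(25), "SQL01", 208, "backup")]

def window_alerts(events, event_id, more_than, window):
    """Alert when one computer logs more than `more_than` matching events
    inside `window`; the count restarts after each alert."""
    recent, alerts = defaultdict(deque), []
    for ts, computer, eid, _key in sorted(events, key=lambda e: e[0]):
        if eid != event_id:
            continue
        q = recent[computer]
        q.append(ts)
        while ts - q[0] >= window:          # keep only events under one window old
            q.popleft()
        if len(q) > more_than:
            alerts.append((computer, ts))
            q.clear()
    return alerts

def consecutive_alerts(events, fail_id, reset_id, thresholds):
    """Alert when a key reaches its own count of consecutive failures;
    a reset event for that key puts its counter back to zero."""
    streak, alerts = defaultdict(int), []
    for ts, _computer, eid, key in sorted(events, key=lambda e: e[0]):
        if eid == reset_id:
            streak[key] = 0
        elif eid == fail_id and key in thresholds:
            streak[key] += 1
            if streak[key] == thresholds[key]:
                alerts.append((key, ts))
                streak[key] = 0
    return alerts

if __name__ == "__main__":
    print(window_alerts(LOGON_EVENTS, 4625, 5, timedelta(seconds=60)))
    print(consecutive_alerts(JOB_EVENTS, 208, RESET_ID, {"test": 3, "backup": 3}))
```

Grouping by computer keeps failed logons spread across several servers from summing into one alert, and the per-key thresholds give each job its own X.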

Comments are closed.
