Part 4: Use VSAE fragments to create an alert generating event log rule


 

This is Part 4 in a series of posts described here:  https://blogs.technet.microsoft.com/kevinholman/2016/06/04/authoring-management-packs-the-fast-and-easy-way-using-visual-studio/

 

In our next example fragment – we will monitor the event log for a specific event, and generate an alert if it occurs.

 

Step 1:  Download and extract the sample MP fragments.  These are available here:  https://gallery.technet.microsoft.com/SCOM-Management-Pack-VSAE-2c506737

I will update these often as I enhance and add new ones, so check back often for new versions.

 

Step 2:  Open your newly created MP solution, and open Solution Explorer.  This solution was created in Part 1, and the class was created in Part 2.

 

Step 3:  Create a folder and add the fragment to it.

Create a folder called “Rules” in your MP:


 

Right click Rules, and Add > Existing item.

Find the fragment named “Rule.AlertGenerating.EventLog.mpx” and add it.

Select Rule.AlertGenerating.EventLog.mpx in solution explorer to display the XML.

 

Step 4:  Find and Replace

Replace ##CompanyID## with our company ID, which is “Fab”.

Replace ##AppName## with our App ID, which is “DemoApp”.

Replace ##ClassID## with the custom class we created in Part 2.  This was “Fab.DemoApp.Class” from our previous class fragment.

Replace ##EventID## with an event.  I will use “100”.

Replace ##EventSource## with a valid Event Source for our event.  I will use “TEST”.

Replace ##LogName## with the event log you want to monitor.  I will use “Application”.

 

That took all of 2 minutes.  Take another few minutes to review the XML we have in this fragment.  It is a simple rule definition that will generate an alert when the event is seen in the log.  There are also display strings, which can be modified for the rule display name, alert name, and alert description.

 

Step 5:  Build the MP.   BUILD > Build Solution.


 

 

Step 6:  Import or Deploy the management pack.


 

 

Step 7:  Test the MP.

We need to wait for the agent to get the new MP version.  You can watch for this in the agent's OperationsManager event log.

We will see a 1200, 1201, then 1210 event sequence:


 

Once you get the 1210 – you can test the MP.

I will use EVENTCREATE to test this rule.  At an elevated command prompt, run:

eventcreate /T ERROR /ID 100 /L APPLICATION /SO TEST /D "This is a Test event 100"

Verify you get the event:


 

Verify you got the alert:

 


 

All done!  Time to hit the easy button.
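
The Step 7 checks can also be scripted. The following is an added example, not part of the original post or the sample fragments: it looks for the 1200/1201/1210 sequence, writes the test event with the same eventcreate arguments, and confirms the event landed in the log. The log name 'Operations Manager' and the 30-minute look-back window are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the agent. Values match Step 4 and the eventcreate line in Step 7.
$eventId = 100
$source  = 'TEST'
$logName = 'Application'
$since   = (Get-Date).AddMinutes(-30)   # assumed look-back window; adjust as needed

# 1. Look for the 1200 / 1201 / 1210 sequence in the agent's log.
#    Assumption: the log is named 'Operations Manager' on this agent.
$cfg = Get-WinEvent -FilterHashtable @{
    LogName   = 'Operations Manager'
    Id        = 1200, 1201, 1210
    StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$cfg | Select-Object TimeCreated, Id | Format-Table -AutoSize

if (-not ($cfg | Where-Object { $_.Id -eq 1210 })) {
    throw "No 1210 event since $since. The agent may not have the new MP yet."
}

# 2. Write the test event with the same arguments the post uses.
$start = Get-Date
& eventcreate.exe /T ERROR /ID $eventId /L $logName /SO $source /D "This is a Test event $eventId" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "eventcreate failed with exit code $LASTEXITCODE (is the session elevated?)"
}

# 3. Confirm the event landed in the monitored log with the expected source.
#    The source is filtered client-side so a newly registered source cannot
#    cause a provider lookup error in Get-WinEvent.
$hit = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = $eventId
    StartTime = $start.AddSeconds(-2)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq $source } |
    Select-Object -First 1

if ($hit) {
    "Test event written at $($hit.TimeCreated): $($hit.Message)"
} else {
    Write-Warning "Event $eventId from source $source was not found in the $logName log."
}
```

The alert itself is still verified in the console, as in the last step above.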

 



Comments (1)

  1. Excellent Article Kelvin.
