Authoring Event Rules in OpsMgr


Anatomy of a Vista/Server 2008 event

There are three types of Vista/Server 2008 events which are written to various channels in the event log.

1. The ‘pure’ Vista/Server 2008 event

These events are logged through the new Vista/Server 2008 APIs, which means they were written specifically for this platform. As a result, most of them are not backwards compatible with the events a similar application writes on downlevel platforms. They are mostly written to a channel under “Applications and Services Logs” in the event viewer, though a few creep into the “Windows Logs”.
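Before the sample event that follows, here is an added Python example (not part of the original article) that parses an event in this Windows event XML schema into the fields an OpsMgr event rule filters on: provider, event ID, channel and the named EventData values. The embedded event is a constructed sample modelled on the article's Group Policy 8007 event; the computer name and account in it are made up.

```python
import xml.etree.ElementTree as ET

# Namespace declared on the <Event> element in the Windows event schema.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, modelled on the Group Policy 8007 event in the article;
# the computer name and account are made up.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>8007</EventID>
    <Level>4</Level>
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>host.example.test</Computer>
  </System>
  <EventData>
    <Data Name="PolicyElaspedTimeInSeconds">5</Data>
    <Data Name="ErrorCode">0</Data>
    <Data Name="PrincipalSamName">EXAMPLE\\user</Data>
    <Data Name="IsMachine">false</Data>
  </EventData>
</Event>"""

def parse_event(xml_text):
    """Flatten the System fields an OpsMgr rule filters on, plus the EventData values."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS)
    fields = {
        "Provider": provider.get("Name"),
        "ProviderGuid": provider.get("Guid"),
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Level": int(system.findtext("e:Level", namespaces=NS)),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    # Named <Data> elements become a name->value map; unnamed ones fall back to position.
    params = {}
    for i, data in enumerate(root.iterfind("e:EventData/e:Data", NS)):
        params[data.get("Name") or f"Param{i + 1}"] = data.text or ""
    fields["Params"] = params
    return fields

def matches_rule(fields, provider, event_id, channel=None, params=None):
    """OpsMgr-style filter: provider and event ID, then optional channel and parameter equality."""
    if fields["Provider"] != provider or fields["EventID"] != event_id:
        return False
    if channel is not None and fields["Channel"] != channel:
        return False
    return all(fields["Params"].get(k) == v for k, v in (params or {}).items())
```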

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
     <System>
         <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
         <EventID>8007</EventID>
         <Version>0</Version>
         <Level>4</Level>
         <Task>0</Task>
         <Opcode>2</Opcode>
         <Keywords>0x4000000000000000</Keywords>
         <TimeCreated SystemTime="2008-01-21T19:42:41.009Z" />
         <EventRecordID>397142</EventRecordID>
         <Correlation ActivityID="{86F2A78B-6A45-4E77-A34C-2809C9AAC658}" />
         <Execution ProcessID="976" ThreadID="3516" />
         <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
         <Computer>christow-dev.wingroup.windeploy.ntdev.microsoft.com</Computer>
         <Security UserID="S-1-5-18" />
     </System>
     <EventData>
         <Data Name="PolicyElaspedTimeInSeconds">5</Data>
         <Data Name="ErrorCode">0</Data>
         <Data Name="PrincipalSamName">WINGROUPchristow</Data>
         <Data Name="IsMachine">false</Data>