OpsMgr 2007: How to create an Alert rule based on an Event description

Here’s a cool tip sent to me by Milan Jajal, a support engineer in our Manageability group.  If you ever find the need to create a rule based on the description of an event then this one’s for you.

UPDATE: Kevin Holman wrote a similar post and sent me this caveat:

Before we continue – let me STRESS that using event parameters is the correct way to match on specific lines in an event description wherever possible.  If we try and search the entire event description, there is a substantial cost to doing this from an agent design/performance perspective as matching on parameter is the lowest impact.  If you match on an event description, this description is localized text and won't work in all locales.  By writing a rule that matches on event description, if you didn't specify several other criteria then there is a risk that every single event description would be searched, across all agents.  Very bad.  So keep this in mind if you decide to use this.

Thanks Kevin! 


If you need to generate an alert based on the description contained within an event then follow these steps:

1. Open the Operations Manager Console.
2. Go to Authoring.
3. Under Authoring – Management Pack Objects – Select Rules
4. Right click on Rules and select – Create a new rule
5. Select Alert Generating Rules – Event Based – NT Event Log (Alert)
6. On the same screen select your destination management pack and click Next
7. Give a name to your Rule and optionally give it a Description.
8. Rule Category can be anything you like.
9. Select the Rule Target as the class of your choice; normally it can be Windows Computer.
10. Make sure the Rule is Enabled and select Next.
11. Select the name of the event log to monitor (for example Application, System or Security) and click Next.
12. Build the Expression to filter the events with the below details:
     a. Parameter Name = Event ID, Operator = Equals and Value = (any event id of your choice)
     b. Parameter Name = Event Source, Operator = Equals and Value = (any source of your choice) (you may delete this filter if you want)
     c. Click the Insert button at the top; this puts the cursor at Parameter Name. Click the square button with 3 dots […] and another screen will pop up.
     d. In that box, select the 3rd radio button named ‘Use parameter name not specified above’ and there manually type ‘EventDescription’ (without quotes) and click OK.
     e. Then come back to filter screen, now here you will see Parameter Name = EventDescription, and for Operator select Contains and then for Value you can type any word you want to key on from the Event description.
13. After building the desired Expression, click Next.
14. Configure Alerts as you like and click the Create button.

Once you complete these steps, the rule will monitor the event log and generate an alert whenever an event matches the Event ID and source criteria and its description contains the value you entered.
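
To preview which events these criteria would match, and to see whether the keyword sits in a single event parameter (which, per Kevin's caveat, is the cheaper thing to match on), the following PowerShell sketch applies the same filter order. It is an added example, not part of the original tip or of OpsMgr; `Test-DescriptionRule`, the sample records and the case-insensitive comparison are assumptions.

```powershell
# Added example: constructed data and hypothetical names, not OpsMgr code.
function Test-DescriptionRule {
    param(
        [Parameter(ValueFromPipeline = $true)] $Record,
        [Parameter(Mandatory = $true)] [int]    $EventId,
        [string] $Source,                                  # optional, as in step 12b
        [Parameter(Mandatory = $true)] [string] $Contains  # value typed in step 12e
    )
    process {
        # Narrow on Event ID and source first so few descriptions are searched.
        if ($Record.Id -ne $EventId) { return }
        if ($Source -and $Record.ProviderName -ne $Source) { return }

        # Literal substring test; case-insensitivity is an assumption of this sketch.
        $cmp = [System.StringComparison]::OrdinalIgnoreCase
        if (([string]$Record.Message).IndexOf($Contains, $cmp) -lt 0) { return }

        # Report which parameter positions carry the keyword.
        $hits = @()
        $i = 0
        foreach ($p in $Record.Properties) {
            $i++
            if (([string]$p.Value).IndexOf($Contains, $cmp) -ge 0) { $hits += $i }
        }
        [pscustomobject]@{
            Id            = $Record.Id
            Source        = $Record.ProviderName
            ParamsWithHit = $hits
            Description   = $Record.Message
        }
    }
}

# Constructed sample records shaped like Get-WinEvent output.
$sample = @(
    [pscustomobject]@{ Id = 1000; ProviderName = 'ContosoApp'
        Message    = 'Job nightly-backup failed: disk full'
        Properties = @([pscustomobject]@{ Value = 'nightly-backup' }, [pscustomobject]@{ Value = 'disk full' }) }
    [pscustomobject]@{ Id = 1000; ProviderName = 'ContosoApp'
        Message    = 'Job nightly-backup completed'
        Properties = @([pscustomobject]@{ Value = 'nightly-backup' }, [pscustomobject]@{ Value = 'completed' }) }
    [pscustomobject]@{ Id = 2000; ProviderName = 'OtherApp'
        Message    = 'disk full'
        Properties = @([pscustomobject]@{ Value = 'disk full' }) }
)
$sample | Test-DescriptionRule -EventId 1000 -Source 'ContosoApp' -Contains 'disk full'

# Against a live log, pipe real records in with the same parameters:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000 } | Test-DescriptionRule -EventId 1000 -Contains 'disk full'
```

If `ParamsWithHit` lists a single position, a criterion on that event parameter is a candidate replacement for the EventDescription match; confirm the position against a real event before relying on it.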


Thanks Milan!

J.C. Hornbeck | Manageability Knowledge Engineer

Comments (4)

  2. Anonymous says:

    thank you

  3. John Lan says:

    Can you use the sub parameter names within eventdata (event description) as rule filter? For example, event ID 5136, "an AD object was modified", contains a lot of useful info to categorize my alerts, but I have to use "param11=organizationUnit" instead of "ObjectClass=organizationUnit" to track OU changes. Or I did something wrong in the process.