How to create a generic text log (alert) in SCOM 2007 or SCE


 



 


From Authoring, right-click on "Rules" and select "Create a new rule..."



Select "Generic Text Log (Alert)" and your target management pack.



Enter the rule name, and description. Hit Select to pick a target.



In this case, I am selecting the "Windows Server" Target.



Enter the location of the log. If you expect the log file name to change (e.g. test07072007.log), you can use a wildcard pattern such as test*.log. The pattern should match only one active log at a time.




On the next screen, enter "Params/Param[1]" in the Parameter box. For the operator, choose whatever you need; I used "Matches wildcard" in this example. For the value, enter the text you are looking for.



Modify your alert priority/severity and description, then click Create.
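A pre-deployment check for the two settings above, as an added example that is not part of the original post: it confirms that the log-name pattern covers only one recently written file and lists the lines a wildcard on Params/Param[1] would flag. The function names, the one-hour window and the sample files are constructed, and the `*`/`?` translation (whole-line, case-sensitive) is an assumption that only approximates the "Matches wildcard" operator.

```python
import glob
import os
import re
import tempfile
import time


def active_logs(directory, pattern, window_s=3600, now=None):
    """Files matching the rule's log-name pattern that were written recently."""
    now = time.time() if now is None else now
    hits = glob.glob(os.path.join(directory, pattern))
    return sorted(os.path.basename(p) for p in hits
                  if now - os.path.getmtime(p) <= window_s)


def wildcard_to_regex(expr):
    """Translate * and ? only (assumption about the wildcard operator's syntax)."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in expr)
    return re.compile("".join(parts) + r"\Z", re.DOTALL)


def alerting_lines(lines, expr):
    """Each whole log line is treated as Params/Param[1], as in the rule above."""
    rx = wildcard_to_regex(expr)
    stripped = (ln.rstrip("\r\n") for ln in lines)
    return [s for s in stripped if rx.match(s)]


def demo():
    """Build a constructed log directory and run both checks against it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files: yesterday's rotated log and today's live log.
        for name, age in (("test07062007.log", 86400), ("test07072007.log", 60)):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("service started\nERROR: disk quota exceeded\n")
            os.utime(path, (now - age, now - age))
        one_active = active_logs(d, "test*.log", now=now)
        # A second writer appears: the pattern now covers two live logs.
        open(os.path.join(d, "test_debug.log"), "w").close()
        two_active = active_logs(d, "test*.log", now=now)
        with open(os.path.join(d, "test07072007.log")) as fh:
            hits = alerting_lines(fh, "*ERROR*")
    return one_active, two_active, hits


if __name__ == "__main__":
    print(demo())
```

If `active_logs` returns more than one name, tighten the pattern before creating the rule. Under the whole-line assumption, a value without `*` on either side matches only a line consisting of exactly that text.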


 


Comments (4)

  1. Some people have asked how to get event data into the Alert Description.

    Here are some values you can use:

    In a rule, use the following variables to display event properties:

    Event Category:

    $Data/EventCategory$

    Event ID:

    $Data/EventDisplayNumber$

    Event Level (i.e. Error, Warning, Information):

    $Data/EventLevel$

    Note: In the alert description, the Event Level variable displays 1 for Error, 2 for Warning and 4 for Information.

    Event Source:

    $Data/PublisherName$

    Full Event Number (typically the same as Event ID):

    $Data/EventNumber$

    Logging Computer:

    $Data/LoggingComputer$

    Logname (i.e. Application, System, Security):

    $Data/Channel$

    User:

    $Data/UserName$

    Event Description:

    $Data/EventDescription$

    Custom Parameters:

    $Data/Params/Param[1]$

    $Data/Params/Param[2]$

    etc.

    In a monitor, use the following variables to display event properties:

    Event Category:

    $Data/Context/EventCategory$

    Event ID:

    $Data/Context/EventDisplayNumber$

    Event Level (i.e. Error, Warning, Information):

    $Data/Context/EventLevel$

    Note: In the alert description, the Event Level variable displays 1 for Error, 2 for Warning and 4 for Information.

    Event Source:

    $Data/Context/PublisherName$

    Full Event Number (typically the same as Event ID):

    $Data/Context/EventNumber$

    Logging Computer:

    $Data/Context/LoggingComputer$

    Logname (i.e. Application, System, Security):

    $Data/Context/Channel$

    User:

    $Data/Context/UserName$

    Event Description:

    $Data/Context/EventDescription$

    Custom Parameters:

    $Data/Context/Params/Param[1]$

    $Data/Context/Params/Param[2]$

    etc.

  2. The previous comment I posted will work for most alerts/monitors.

    Here is the data that will work for the text log alert:

    "Log File Directory : $Data/EventData/DataItem/LogFileDirectory$

    LogFile name: $Data/EventData/DataItem/LogFileName$

    String: $Data/EventData/DataItem/Params/Param[1]$"

  3. Murad says:

    Getting the following error when I click on any image files

    Media Galleries Temporarily Disabled

    The administrator has temporarily disabled the media galleries.

    Thx

  4. paul says:

    My question is how can I monitor for more than one parameter? I add additional criteria that both must be true in order to generate the alarm but I get nothing.
