Problem Creating Custom Event Monitor Type

I’m attempting to create a custom Windows event monitor similar to what Jonathan Almquist created in the following post: http://blog.scomskills.com/event-description-pattern-matching-with-minimal-impact/

The goal is to create an event monitor that will search the event description without using too much CPU. I created the type definition and configured it but I’m still not seeing alerts. Below is the code that I’ve created and loaded into OM.

<?xml version="1.0" encoding="utf-8"?>
<ManagementPack SchemaVersion="2.0" ContentReadable="true" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Manifest>
    <Identity>
      <ID>CheckPoint</ID>
      <Version>1.0.0.25</Version>
    </Identity>
    <Name>CheckPoint</Name>
    <References>
      <Reference Alias="MicrosoftWindowsLibrary7585010">
        <ID>Microsoft.Windows.Library</ID>
        <Version>7.5.8501.0</Version>
        <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
      </Reference>
      <Reference Alias="Health">
        <ID>System.Health.Library</ID>
        <Version>7.0.8433.0</Version>
        <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
      </Reference>
      <Reference Alias="System">
        <ID>System.Library</ID>
        <Version>7.5.8501.0</Version>
        <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
      </Reference>
    </References>
  </Manifest>
  <TypeDefinitions>
    <MonitorTypes>
      <UnitMonitorType ID="Checkpoint.SingleEventLogTimer2StateMonitorType" Accessibility="Public">
        <MonitorTypeStates>
          <MonitorTypeState ID="FirstEventRaised" />
          <MonitorTypeState ID="TimerEventRaised" />
        </MonitorTypeStates>
        <Configuration>
          <IncludeSchemaTypes>
            <SchemaType>System!System.ExpressionEvaluatorSchema</SchemaType>
          </IncludeSchemaTypes>
          <xsd:element name="LogName" type="xsd:string" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
          <xsd:element name="EventSourceName" type="xsd:string" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
          <xsd:element name="EventDisplayNumber" type="xsd:string" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
          <xsd:element name="EventLevel" type="xsd:integer" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
          <xsd:element name="EventDescriptionContains" type="xsd:string" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
          <xsd:element name="TimerWaitInSeconds" type="xsd:integer" xmlns:xsd="http://www.w3.org/2001/XMLSchema" />
        </Configuration>
        <MonitorImplementation>
          <MemberModules>
            <DataSource ID="DataSource" TypeID="MicrosoftWindowsLibrary7585010!Microsoft.Windows.EventProvider">
              <ComputerName>$Target/Property[Type="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
              <LogName>$Config/LogName$</LogName>
              <Expression>
                <And>
                  <Expression>
                    <SimpleExpression>
                      <ValueExpression>
                        <XPathQuery>EventSourceName</XPathQuery>
                      </ValueExpression>
                      <Operator>Equal</Operator>
                      <ValueExpression>
                        <Value>$Config/EventSourceName$</Value>
                      </ValueExpression>
                    </SimpleExpression>
                  </Expression>
                  <Expression>
                    <SimpleExpression>
                      <ValueExpression>
                        <XPathQuery>EventDisplayNumber</XPathQuery>
                      </ValueExpression>
                      <Operator>Equal</Operator>
                      <ValueExpression>
                        <Value>$Config/EventDisplayNumber$</Value>
                      </ValueExpression>
                    </SimpleExpression>
                  </Expression>
                  <Expression>
                    <SimpleExpression>
                      <ValueExpression>
                        <XPathQuery>EventLevel</XPathQuery>
                      </ValueExpression>
                      <Operator>Equal</Operator>
                      <ValueExpression>
                        <Value>$Config/EventLevel$</Value>
                      </ValueExpression>
                    </SimpleExpression>
                  </Expression>
                </And>
              </Expression>
            </DataSource>
            <ProbeAction TypeID="System!System.PassThroughProbe" ID="OnDemandReset" />
            <ConditionDetection ID="FilterDescription" TypeID="System!System.ExpressionFilter">
              <Expression>
                <RegExExpression>
                  <ValueExpression>
                    <XPathQuery>EventDescription</XPathQuery>
                  </ValueExpression>
                  <Operator>MatchesRegularExpression</Operator>
                  <Pattern>$Config/EventDescriptionContains$</Pattern>
                </RegExExpression>
              </Expression>
            </ConditionDetection>
            <ConditionDetection TypeID="System!System.TimerCondition" ID="TimerCondition">
              <TimerWaitInSeconds>$Config/TimerWaitInSeconds$</TimerWaitInSeconds>
            </ConditionDetection>
          </MemberModules>
          <RegularDetections>
            <RegularDetection MonitorTypeStateID="FirstEventRaised">
              <Node ID="FilterDescription">
                <Node ID="DataSource" />
              </Node>
            </RegularDetection>
            <RegularDetection MonitorTypeStateID="TimerEventRaised">
              <Node ID="TimerCondition">
                <Node ID="FilterDescription">
                  <Node ID="DataSource" />
                </Node>
              </Node>
            </RegularDetection>
          </RegularDetections>
          <OnDemandDetections>
            <OnDemandDetection MonitorTypeStateID="TimerEventRaised">
              <Node ID="OnDemandReset" />
            </OnDemandDetection>
          </OnDemandDetections>
        </MonitorImplementation>
      </UnitMonitorType>
    </MonitorTypes>
  </TypeDefinitions>
  <Monitoring>
    <Monitors>
      <UnitMonitor ID="CheckPoint.CheckPoint.Event116.Code80004005" Accessibility="Internal" Enabled="false" Target="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer" ParentMonitorID="Health!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Checkpoint.SingleEventLogTimer2StateMonitorType" ConfirmDelivery="false">
        <Category>AvailabilityHealth</Category>
        <AlertSettings AlertMessage="CheckPoint.CheckPoint.Event116.Code80004005.AlertMessage">
          <AlertOnState>Warning</AlertOnState>
          <AutoResolve>true</AutoResolve>
          <AlertPriority>Normal</AlertPriority>
          <AlertSeverity>MatchMonitorHealth</AlertSeverity>
          <AlertParameters>
            <AlertParameter1>$Data[Default='']/EventDescription$</AlertParameter1>
          </AlertParameters>
        </AlertSettings>
        <OperationalStates>
          <OperationalState ID="FirstEventRaised" MonitorTypeStateID="FirstEventRaised" HealthState="Warning" />
          <OperationalState ID="TimerEventRaised" MonitorTypeStateID="TimerEventRaised" HealthState="Success" />
        </OperationalStates>
        <Configuration>
          <LogName>Application</LogName>
          <EventSourceName>TempSys Temperature Assurance Controller</EventSourceName>
          <EventDisplayNumber>116</EventDisplayNumber>
          <EventLevel>1</EventLevel>
          <EventDescriptionContains>^.*80004005.*$</EventDescriptionContains>
          <TimerWaitInSeconds>900</TimerWaitInSeconds>
        </Configuration>
      </UnitMonitor>
    </Monitors>
  </Monitoring>
  <Presentation>
    <StringResources>
      <StringResource ID="CheckPoint.CheckPoint.Event116.Code80004005.AlertMessage" />
    </StringResources>
  </Presentation>
  <LanguagePacks>
    <LanguagePack ID="ENU" IsDefault="true">
      <DisplayStrings>
        <DisplayString ElementID="CheckPoint.CheckPoint.Event116.Code80004005">
          <Name>CheckPoint Event 116 Code 80004005</Name>
          <Description>Unit monitor to look for event 116 and code 80004005 in the event description</Description>
        </DisplayString>
        <DisplayString ElementID="CheckPoint.CheckPoint.Event116.Code80004005.AlertMessage">
          <Name>CheckPoint Event 116 – Code 80004005</Name>
          <Description>The Checkpoint Refrigeration Monitoring application logged event 116 – Code 80004005 to the event log. This indicated that there could be a problem with communication to the database.

Event Description:

{0}</Description>
        </DisplayString>
        <DisplayString ElementID="CheckPoint.CheckPoint.Event116.Code80004005" SubElementID="FirstEventRaised">
          <Name>FirstEventRaised</Name>
          <Description>FirstEventRaised</Description>
        </DisplayString>
        <DisplayString ElementID="CheckPoint.CheckPoint.Event116.Code80004005" SubElementID="TimerEventRaised">
          <Name>TimerEventRaised</Name>
          <Description>TimerEventRaised</Description>
        </DisplayString>
        <DisplayString ElementID="CheckPoint">
          <Name>CHCO Checkpoint Refrigeration Monitoring Application MP</Name>
        </DisplayString>
      </DisplayStrings>
      <KnowledgeArticles></KnowledgeArticles>
    </LanguagePack>
  </LanguagePacks>
</ManagementPack>
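As an added example (not from this thread and not SCOM code), the static checks a reviewer would run over the posted pack before looking at the agent: that the monitor's TypeID resolves, that its Configuration supplies exactly the elements the monitor type's schema declares, and whether the monitor ships with Enabled="false" (which means nothing runs until an override enables it). It also tries the EventDescriptionContains pattern against constructed descriptions; the pack excerpt is constructed from the XML above, and Python's re module is assumed to be a fair stand-in for how SCOM evaluates the pattern.

```python
import re
import xml.etree.ElementTree as ET

XSD = "{http://www.w3.org/2001/XMLSchema}"
# Constructed excerpt of the posted pack: just the type's config schema and the monitor's Configuration.
MP_XML = """<ManagementPack xmlns:xsd="http://www.w3.org/2001/XMLSchema"><TypeDefinitions><MonitorTypes>
  <UnitMonitorType ID="Checkpoint.SingleEventLogTimer2StateMonitorType"><Configuration>
   <xsd:element name="LogName" type="xsd:string"/>
   <xsd:element name="EventSourceName" type="xsd:string"/>
   <xsd:element name="EventDisplayNumber" type="xsd:string"/>
   <xsd:element name="EventLevel" type="xsd:integer"/>
   <xsd:element name="EventDescriptionContains" type="xsd:string"/>
   <xsd:element name="TimerWaitInSeconds" type="xsd:integer"/>
  </Configuration></UnitMonitorType>
 </MonitorTypes></TypeDefinitions><Monitoring><Monitors>
  <UnitMonitor ID="CheckPoint.CheckPoint.Event116.Code80004005" Enabled="false"
   TypeID="Checkpoint.SingleEventLogTimer2StateMonitorType"><Configuration>
   <LogName>Application</LogName>
   <EventSourceName>TempSys Temperature Assurance Controller</EventSourceName>
   <EventDisplayNumber>116</EventDisplayNumber>
   <EventLevel>1</EventLevel>
   <EventDescriptionContains>^.*80004005.*$</EventDescriptionContains>
   <TimerWaitInSeconds>900</TimerWaitInSeconds>
  </Configuration></UnitMonitor>
 </Monitors></Monitoring></ManagementPack>"""

def check_monitor(mp_xml):
    """Static checks on every UnitMonitor; returns the reasons it could not fire."""
    root = ET.fromstring(mp_xml)
    types = {t.get("ID"): t for t in root.iter("UnitMonitorType")}
    problems = []
    for mon in root.iter("UnitMonitor"):
        mid, mtype = mon.get("ID"), types.get(mon.get("TypeID"))
        if mtype is None:  # IDs are matched exactly, so a case slip shows up here
            problems.append(f"{mid}: TypeID {mon.get('TypeID')} is not defined")
            continue
        schema = {e.get("name") for e in mtype.iter(XSD + "element")}
        cfg = {c.tag for c in mon.find("Configuration")}
        for name in sorted(schema ^ cfg):  # missing from one side or the other
            problems.append(f"{mid}: <{name}> does not match the type's schema")
        if mon.get("Enabled", "true").lower() == "false":
            problems.append(f'{mid}: Enabled="false", so it needs an override to run')
    return problems

def description_matches(pattern, description):
    """Stand-in for MatchesRegularExpression on EventDescription (assumption: Python re
    behaves like SCOM here): '.' stops at a newline and '^' anchors only the start."""
    return re.search(pattern, description) is not None
```

The last function shows why the anchored ^.*80004005.*$ is fragile: it fails when the code appears on a second line of a multi-line description, while a plain 80004005 matches anywhere.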

First, I’ll point you to this that I happened to stumble across the other day: Event Rule Blog. Worth a read - it suggests using Parameter x rather than EventDescription, and that will save you resources. I’ve not tried it yet.

Also, something that I’ve fallen into a few times is that the Event Source display value is sometimes different from the raw value (usually for Microsoft events - they stick a prefix on some of them). Right click on the event, select Event Properties, go to the Details tab, and expand System. The Provider name is the Source. Yours looks like a custom source, so it’s probably not that, but it’s worth checking.

Did you not use the SCOM Author console to create the monitor…?


What is the issue you’re having?

The issue is that I’m not picking up the error in the event log and flipping the health state or alerting. I can do an event create with everything that the monitor is looking for with no result. It would appear that I’ve done something wrong implementing the expression.