To create a rule that generates an alert whenever an error occurs in the Application event log:
In the Operations console, click the Authoring button.
In the navigation pane:
Expand Authoring, and then expand Management Pack Objects.
Right-click Rules, and then click Create a new rule… to start the Create Rule Wizard.
On the Select a Rule Type page:
Expand Alert Generating Rules, expand Event Based, and then click NT Event Log (Alert).
Select the destination management pack from the list (Windows Core Library – Customizations) or click New… to create a management pack.
Click Next.
On the Rule Name and Description page:
In the Rule name box, type Application Event Log Error.
Optionally, type a description for the rule.
Click Select to select the item to target.
In the Select Items to Target dialog, select Windows Computer, and then click OK.
Ensure the Rule is enabled option is checked and then click Next.
On the Event Log Name page, ensure Log name is set to Application, and then click Next.
On the Build Event Expression page:
Specify the following expression:
Parameter Name    Operator    Value
Event Level       Equals      Error
Click Next.
On the Configure Alerts page:
In the Alert description box, specify the following:
Source: $Data/EventSourceName$
Event ID: $Data/EventDisplayNumber$
Event Category: $Data/EventCategory$
User: $Data/UserName$
Computer: $Data/LoggingComputer$
Event Description: $Data/EventDescription$
In the Severity option, click Warning.
Click Alert suppression… to define the handling of duplicate alerts. In the Alert Suppression dialog:
Click the following fields:
Event ID
Event Source
Logging Computer
Event Category
User
Description
Click OK.
Click Create.
Repeat the process to create a similar alert for errors in the System event log.
Important
If you do not specify any fields in the Alert Suppression dialog, then you may receive numerous alerts within a short period of time (for example, when SharePoint Server 2010 floods the Application event log due to an issue with least-privilege configuration).
When this occurs, Operations Manager will detect the high frequency of alerts and temporarily suspend the notification, and display a different alert instead:
Alert rule: Alert generation was temporarily suspended due to too many alerts.
Alert description: A rule has generated 50 alerts in the last 60 seconds. Usually, when a rule generates this many alerts, it is because the rule definition is misconfigured. Please examine the rule for errors. In order to avoid excessive load, this rule will be temporarily suspended until …
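The following is an added example, not Operations Manager code and not from the original post. It models the behaviour of the rule built above on constructed event records: the Event Level Equals Error filter, the alert description assembled from the $Data/...$ parameters listed on the Configure Alerts page, duplicate collapsing on the fields chosen in the Alert Suppression dialog, and the "50 alerts in 60 seconds" suspension quoted in the Important callout. The event field names, the sample source/computer/user values and the exact suspension rule (a sliding 60-second window counted over non-suppressed alerts) are assumptions made for the model; the same data is run once with the suppression fields selected and once with none, so the difference in alert volume is visible.

```python
"""Model of the Application event log alert rule (added example, not SCOM code)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One event log record; attribute names are assumptions for this model."""
    time: float        # seconds since an arbitrary epoch
    level: str         # "Error", "Warning" or "Information"
    source: str        # $Data/EventSourceName$
    event_id: int      # $Data/EventDisplayNumber$
    category: str      # $Data/EventCategory$
    user: str          # $Data/UserName$
    computer: str      # $Data/LoggingComputer$
    description: str   # $Data/EventDescription$


# $Data/...$ parameters from the Configure Alerts page mapped onto Event attributes.
PARAMETERS = {
    "$Data/EventSourceName$": "source",
    "$Data/EventDisplayNumber$": "event_id",
    "$Data/EventCategory$": "category",
    "$Data/UserName$": "user",
    "$Data/LoggingComputer$": "computer",
    "$Data/EventDescription$": "description",
}

# Alert description exactly as entered in the wizard.
DESCRIPTION_TEMPLATE = (
    "Source: $Data/EventSourceName$\n"
    "Event ID: $Data/EventDisplayNumber$\n"
    "Event Category: $Data/EventCategory$\n"
    "User: $Data/UserName$\n"
    "Computer: $Data/LoggingComputer$\n"
    "Event Description: $Data/EventDescription$"
)

# Fields ticked in the Alert Suppression dialog (Event ID, Event Source,
# Logging Computer, Event Category, User, Description).
SUPPRESSION_FIELDS = ("event_id", "source", "computer", "category", "user", "description")


def render_description(event, template=DESCRIPTION_TEMPLATE):
    """Substitute the event's values for the $Data/...$ parameters."""
    text = template
    for param, attr in PARAMETERS.items():
        text = text.replace(param, str(getattr(event, attr)))
    return text


def run_rule(events, suppression_fields=SUPPRESSION_FIELDS, flood_limit=50, flood_window=60.0):
    """Return (alerts, suspended_at).

    alerts: suppression key -> {"description", "repeat_count"}; a duplicate on the
    chosen fields bumps repeat_count instead of raising a new alert.
    suspended_at: time at which flood_limit new alerts fell inside flood_window
    (the rule is then suspended), or None. Assumed model of the suspension.
    """
    alerts = {}
    recent = deque()          # timestamps of alerts actually raised
    suspended_at = None
    for n, ev in enumerate(sorted(events, key=lambda e: e.time)):
        if ev.level != "Error":
            continue          # Build Event Expression: Event Level Equals Error
        if suspended_at is not None:
            continue          # rule suspended: nothing more is raised
        # With no suppression fields every event is its own alert.
        key = tuple(getattr(ev, f) for f in suppression_fields) if suppression_fields else ("unsuppressed", n)
        if key in alerts:
            alerts[key]["repeat_count"] += 1
            continue
        alerts[key] = {"description": render_description(ev), "repeat_count": 1}
        recent.append(ev.time)
        while recent and ev.time - recent[0] > flood_window:
            recent.popleft()
        if len(recent) >= flood_limit:
            suspended_at = ev.time
    return alerts, suspended_at


def sample_events():
    """Constructed sample data: one error repeated 60 times in 30 s, one other error, one warning."""
    events = [
        Event(i * 0.5, "Error", "Constructed.App", 1001, "None", "CONTOSO\\svc-app",
              "SRV01.contoso.local", "Access denied opening the configuration database.")
        for i in range(60)
    ]
    events.append(Event(5.0, "Error", "Constructed.Scheduler", 7034, "None", "SYSTEM",
                        "SRV01.contoso.local", "A scheduled task failed to start."))
    events.append(Event(6.0, "Warning", "Constructed.App", 2002, "None", "CONTOSO\\svc-app",
                        "SRV01.contoso.local", "Retrying connection."))
    return events


if __name__ == "__main__":
    evs = sample_events()
    for label, fields in (("suppressed", SUPPRESSION_FIELDS), ("unsuppressed", ())):
        alerts, suspended = run_rule(evs, suppression_fields=fields)
        print(f"{label}: {len(alerts)} alert(s), suspended at {suspended}")
        for a in alerts.values():
            print(f"  repeat_count={a['repeat_count']}: {a['description'].splitlines()[0]}")
```

With the six suppression fields selected the 60 identical errors collapse into a single alert with a repeat count of 60 and the rule is never suspended; with no fields selected the same input raises a new alert per event and trips the 50-in-60-seconds suspension partway through, which is the situation the callout above describes.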
Note
The reason I chose to set the Severity to Warning (instead of the default, Critical) is so that when an event log error generates a similar alert in one of the other management packs, I immediately focus on the “primary” alert (rather than the “duplicate” generated by the custom rule).
To minimize the effort required to investigate errors in the event logs, I include details from the event in the alert description. This is especially useful for quickly understanding errors on a server, since the same information is also included in the email notification generated for the alert.
Generating alerts for any errors that occur in the Application and System event logs will definitely motivate you to take corrective action to resolve the errors. It will also encourage you to try to prevent the same errors from occurring again in the future.