SCOM GOD

SCOM Catch All Error Events Log Rule

January 14, 2014 2:33 pm / SCOMGod

From: http://blogs.msdn.com/b/jjameson/archive/2011/03/18/operations-manager-alerts-for-event-log-errors.aspx

To create a rule that generates an alert whenever an error occurs in the Application event log:

In the Operations console, click the Authoring button.

In the navigation pane:
Expand Authoring, and then expand Management Pack Objects.
Right-click Rules, and then click Create a new rule… to start the Create Rule Wizard.

On the Select a Rule Type page:
Expand Alert Generating Rules, expand Event Based, and then click NT Event Log (Alert).
Select the destination management pack from the list (Windows Core Library – Customizations) or click New… to create a management pack.
Click Next.

On the Rule Name and Description page:
In the Rule name box, type Application Event Log Error.
Optionally, type a description for the rule.
Click Select to select the item to target.
In the Select Items to Target dialog, select Windows Computer, and then click OK.
Ensure the Rule is enabled option is checked and then click Next.

On the Event Log Name page, ensure Log name is set to Application, and then click Next.
On the Build Event Expression page:
Specify the following expression:
Parameter Name | Operator | Value
Event Level | Equals | Error
Click Next.

On the Configure Alerts page:
In the Alert description box, specify the following:

Source: $Data/EventSourceName$
Event ID: $Data/EventDisplayNumber$
Event Category: $Data/EventCategory$
User: $Data/UserName$
Computer: $Data/LoggingComputer$
Event Description: $Data/EventDescription$
In the Severity option, click Warning.

Click Alert suppression… to define the handling of duplicate alerts. In the Alert Suppression dialog:
Click the following fields:
Event ID
Event Source
Logging Computer
Event Category
User
Description
Click OK.
Click Create.

Repeat the process to create a similar alert for errors in the System event log.

Important
If you do not specify any fields in the Alert Suppression dialog, then you may receive numerous alerts within a short period of time (for example, when SharePoint Server 2010 floods the Application event log due to an issue with least-privilege configuration).

When this occurs, Operations Manager will detect the high frequency of alerts and temporarily suspend the notification, and display a different alert instead:

Alert rule: Alert generation was temporarily suspended due to too many alerts.

Alert description: A rule has generated 50 alerts in the last 60 seconds. Usually, when a rule generates this many alerts, it is because the rule definition is misconfigured. Please examine the rule for errors. In order to avoid excessive load, this rule will be temporarily suspended until …
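
The effect of the Alert Suppression fields on alert volume, shown as an added example that is not part of the original post. It is a simplified Python model, not Operations Manager's own logic, and it takes the 50-alerts-in-60-seconds threshold from the alert text above; the events, host name and source names are constructed.

```python
from collections import Counter, deque

# Fields selected in the Alert Suppression dialog (dict keys are this example's own names).
SUPPRESSION_FIELDS = ("event_id", "source", "computer", "category", "user", "description")
THROTTLE_ALERTS, THROTTLE_WINDOW = 50, 60  # from the alert text: 50 alerts in 60 seconds


def simulate(events, fields):
    """Model of the rule's alert stream; returns (alerts, repeat_counts, suspended_at)."""
    repeats = Counter()   # suppression key -> repeat count of the open alert
    recent = deque()      # creation times of alerts inside the throttle window
    for n, ev in enumerate(sorted(events, key=lambda e: e["time"])):
        # No fields selected: nothing to match on, so every event is its own alert.
        key = tuple(ev[f] for f in fields) if fields else ("unsuppressed", n)
        if key in repeats:
            repeats[key] += 1          # duplicate: bump the counter, no new alert
            continue
        repeats[key] = 0
        recent.append(ev["time"])
        while ev["time"] - recent[0] >= THROTTLE_WINDOW:
            recent.popleft()
        if len(recent) >= THROTTLE_ALERTS:
            return len(repeats), repeats, ev["time"]   # rule suspended here
    return len(repeats), repeats, None


def make_event(time, event_id, source, description):
    # Constructed sample data; host, user and source names are placeholders.
    return {"time": time, "event_id": event_id, "source": source,
            "computer": "app01.example.test", "category": "None",
            "user": "N/A", "description": description}


# Constructed input: one error repeated 120 times at 4 events/second, then two others.
FLOOD = [make_event(i * 0.25, 1000, "ExampleApp", "Access denied") for i in range(120)]
OTHERS = [make_event(40, 2000, "ExampleSvc", "Service timeout"),
          make_event(45, 3000, "ExampleDb", "Connection failed")]
EVENTS = FLOOD + OTHERS

if __name__ == "__main__":
    for label, fields in (("suppression fields set", SUPPRESSION_FIELDS), ("no fields", ())):
        alerts, repeats, suspended_at = simulate(EVENTS, fields)
        print(f"{label}: {alerts} alerts, max repeat {max(repeats.values())}, "
              f"suspended at t={suspended_at}")
```

With the six fields selected, the flood collapses into one alert with a repeat count and the two unrelated errors stay visible; with no fields, the model reaches the throttle before those two errors are ever alerted on.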

Note
The reason why I choose to set the Severity to Warning (instead of the default — Critical) is so that when an event log error generates a similar alert in one of the other management packs, I immediately focus on the “primary” alert (rather than the “duplicate” generated by the custom rule).

In order to minimize the effort required to investigate errors in the event logs, I include details from the event in the alert. This is especially useful for quickly understanding errors on a server since it is also included in email generated by the alert.

Generating alerts for any errors that occur in the Application and System event logs will definitely motivate you to take corrective action to resolve the errors. It will also encourage you to try to prevent the same errors from occurring again in the future.
