Monitor Windows Event ID in SCOM
Recently we received a request from our project team to monitor a few custom applications, and as part of that they wanted a few Event IDs monitored as well.
Initially they wanted the monitoring done through the Nagios monitoring tool; however, once they learned that other custom applications were already being monitored in SCOM far better than in any other tool, they changed their mind and asked for the monitoring to be done through SCOM only.
We enabled application monitoring in SCOM, covering both the critical application services and the Event IDs.
Refer to my previous post, Monitor Application Services through SCOM, to see how to monitor application services.
Below are the steps involved in enabling Windows Event ID monitoring through SCOM.
You should have the following information handy so the monitor can be configured:
- Log Name
- Event ID (the error event that should raise the alert, and the normal event that should clear it)
- Event Source of each event, exactly as it appears in the event log
1: Log in to the SCOM console and click Authoring.
2: Expand Management Pack Objects and click Monitors.
3: Click Create a Monitor under Tasks and select Unit Monitor.
Here we have both an Error and a Normal Event ID, so we will create a Windows Event Reset monitor. That means an alert is generated when the Error Event ID is logged, and the alert closes automatically when the Normal Event ID is logged.
The table below describes all three monitor reset criteria:

| Reset criterion | Description |
|---|---|
| Manual Reset | The monitor is never automatically reset. The user must manually reset the monitor. |
| Timer Reset | The monitor is automatically reset after a specified time. |
| Windows Event Reset | A single specific event indicates that the monitor should be reset. |

For more information, refer to the Microsoft TechNet article Event Monitor Reset.
4: Expand Simple Event Detection under Windows Events and select Windows Event Reset.
5: Select the management pack and click Next to continue.
6: Provide a suitable Name and Description for the monitor.
7: Select Windows Computer as the Monitor target.
8: Clear the Monitor is enabled option and click Next. Leaving the monitor disabled here means it does nothing on any server until an override enables it for the intended group (steps 22 to 25), so it cannot start alerting on every Windows Computer in the management group by accident.
9: Specify the Event Log name to read the events from and click OK.
10: Click Next to continue.
11: Enter the Event ID of the Error event in the Event ID field.
12: Enter the Event Source and click Next.
Now we need to specify the details of the Normal Event ID (Information event) which will reset the monitor and clear the alert.
13: Specify the Event Log name to read the events from and click Next.
14: Enter the Event ID of the Information event in the Event ID field.
15: Enter the Event Source and click Next.
16: Change the Health State to Critical for the First Event Raised condition.
17: Change the Health State to Healthy for the Second Event Raised condition.
18: Click Next to continue.
19: Tick Generate alerts for this monitor.
20: Change the Priority or Severity if required.
21: Click Create to finish the configuration.
Now the monitor has been created; we need to enable it for the respective servers.
The created monitor should be visible under the Monitors view.
22: Right-click the monitor and click Overrides.
23: Click Override the Monitor and select For a group.
We chose For a group because we need to enable this monitor only for the specific servers that are members of a specific group.
24: Select the group and click OK.
25: Change the Override Value to True, then click Apply and OK.
Now whenever Event ID 14548 is logged on a server that is part of the selected group, an alert is generated in SCOM, and the alert closes automatically when Event ID 14549 is logged.
Two things worth checking before calling this done: the Log Name and Event Source you typed in steps 9, 12, 13 and 15 must match the events exactly, otherwise the monitor never changes state; and the monitor's health is driven purely by these two events, so if the application logs the reset event while the underlying fault persists, the alert will close anyway.
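The quickest way to prove the monitor and the group override actually work is to write the two events yourself and watch the alert open and close. The script below is an added example, not part of the original post or of any Microsoft management pack; it assumes a hypothetical event source "ContosoApp", a hypothetical monitor display name "ContosoApp Event Monitor", the Application log, and a management server named "scom-ms01" (only the Event IDs 14548 and 14549 come from the post). Run it in Windows PowerShell 5.1 on a server that belongs to the overridden group, from an elevated prompt, with the OperationsManager module installed (it ships with the SCOM console).

```powershell
# Added example (not from the original post): exercise a Windows Event Reset
# monitor end to end by writing the error and reset events with PowerShell.
# Assumed (hypothetical) values: event source ContosoApp, monitor display name
# "ContosoApp Event Monitor", log Application, management server scom-ms01.
# Write-EventLog exists in Windows PowerShell 5.1 but not in PowerShell 7.

$LogName     = 'Application'
$Source      = 'ContosoApp'                # must match the Event Source from steps 12 and 15
$ErrorId     = 14548                       # first event: turns the monitor Critical
$ResetId     = 14549                       # second event: returns the monitor to Healthy
$MonitorName = 'ContosoApp Event Monitor'  # the Name given in step 6
$MgmtServer  = 'scom-ms01'
$Target      = $env:COMPUTERNAME

# 1. Register the source once. Write-EventLog refuses an unregistered source.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# 2. Show the overrides on the monitor (step 25). If the Enabled override is
#    missing, or its Context is the wrong group, nothing below will fire.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $MgmtServer
$monitor = Get-SCOMMonitor -DisplayName $MonitorName
Get-SCOMOverride -Monitor $monitor |
    Select-Object Name, Property, Value, Context |
    Format-Table -AutoSize

# 3. Raise the fault: write the Error event, then poll for a new (state 0)
#    alert generated by this monitor for this computer.
Write-EventLog -LogName $LogName -Source $Source -EventId $ErrorId `
    -EntryType Error -Message 'Test: simulated application failure'

$alert = $null
foreach ($i in 1..12) {
    Start-Sleep -Seconds 10
    $alert = Get-SCOMAlert -ResolutionState 0 |
        Where-Object { $_.MonitoringRuleId -eq $monitor.Id -and
                       $_.MonitoringObjectDisplayName -like "$Target*" } |
        Select-Object -First 1
    if ($alert) { break }
}
if (-not $alert) { throw "No new alert from '$MonitorName' for $Target after 2 minutes" }
"Alert raised: $($alert.Name) (resolution state $($alert.ResolutionState))"

# 4. Clear the fault: write the Information event and confirm SCOM closes the
#    alert (resolution state 255) without anyone touching the console.
Write-EventLog -LogName $LogName -Source $Source -EventId $ResetId `
    -EntryType Information -Message 'Test: application recovered'

foreach ($i in 1..12) {
    Start-Sleep -Seconds 10
    $alert = Get-SCOMAlert -Id $alert.Id
    if ($alert.ResolutionState -eq 255) { break }
}
"Alert state after reset event: $($alert.ResolutionState) (255 = Closed)"

# 5. Evidence trail: the two test events as the agent saw them in the local log.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; Id = @($ErrorId, $ResetId) } -MaxEvents 2 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

If step 3 times out, check the override output from step 2 first (the group in its Context column must contain this server), then confirm the agent is healthy and that the Event Source string in the monitor matches `$Source` character for character. If step 4 never reaches 255, the reset event's log name, ID or source in steps 13 to 15 does not match what was written.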
Hope this helps.