Rules Components

All rules are composed of one or more components that enable them to be configured to behave as the author intends. Some components apply only to certain rule types or rule subtypes.

Provider

A rule obtains the data it analyzes from a provider, so an existing provider must be selected for the rule or a new one created. The provider types that a rule can use include:

  • Windows Event Log Provider

  • Windows Performance Counter Provider

  • Application Log Provider

  • WMI Events Provider

  • WMI Numeric Events Provider

  • Timed Event Provider

More information on configuring a rule provider can be found in the Providers section of this guide.

Criteria

A rule's criteria defines which of the data instances delivered by the rule's provider are of interest. For example, an event rule might have a criteria of:

  • Event ID: 100

  • Event Source: My Application Source

This can be managed by using the Criteria tab of an Event rule's property sheet.

A Performance rule might have the following criteria, which is managed by using the Threshold tab of the rule's property sheet:

  • Threshold Type: Average of values over 6 samples

  • Threshold Value: > 99
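As an added illustration (example code written for this edit, not part of MOM or of this guide), the following Python simulates both kinds of criteria above: exact-match event criteria, and a performance threshold of type "Average of values over N samples" with a "> limit" value. The Event class, its field names, the window semantics and the sample values are all assumptions made for the example.

```python
"""Added example (not MOM code): how event criteria and an averaging
performance threshold decide which provider data is 'interesting'."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Constructed event record; the field names are assumptions."""
    event_id: int
    source: str
    description: str = ""


def matches_event_criteria(event, event_id, source):
    """Event criteria: every configured field must match exactly.
    Everything else the provider delivers is ignored by the rule."""
    return event.event_id == event_id and event.source == source


class AverageThreshold:
    """Performance criteria 'Average of values over N samples' / '> limit'.
    Nothing fires until N samples have been collected, and a single spike
    is diluted by the other samples in the window (assumed semantics)."""

    def __init__(self, samples, limit):
        if samples < 1:
            raise ValueError("window must hold at least one sample")
        self.window = deque(maxlen=samples)
        self.limit = limit

    def add_sample(self, value):
        """Return True if, after adding this sample, the average of the
        last N samples exceeds the limit."""
        self.window.append(value)
        if len(self.window) < self.window.maxlen:
            return False  # not enough samples yet
        return sum(self.window) / len(self.window) > self.limit


def first_match_index(samples, window, limit):
    """Index of the first sample at which the threshold fires, or None."""
    threshold = AverageThreshold(window, limit)
    for index, value in enumerate(samples):
        if threshold.add_sample(value):
            return index
    return None


# Constructed sample events: only the first matches ID 100 / My Application Source.
SAMPLE_EVENTS = [
    Event(100, "My Application Source", "worker started"),
    Event(100, "Other Source", "unrelated"),
    Event(101, "My Application Source", "worker stopped"),
]

# Constructed CPU percentages: two short spikes, then sustained saturation.
CPU_SAMPLES = [20, 25, 100, 30, 20, 25, 100, 100, 100, 100, 100, 100]


def matching_events():
    return [e for e in SAMPLE_EVENTS
            if matches_event_criteria(e, 100, "My Application Source")]


if __name__ == "__main__":
    print("matching events:", matching_events())
    # The 6-sample average only passes 99 once all six samples are 100.
    print("avg over 6 samples > 99 fires at index:",
          first_match_index(CPU_SAMPLES, 6, 99))
    # A single-sample threshold fires on the first spike instead.
    print("single sample > 99 fires at index:",
          first_match_index(CPU_SAMPLES, 1, 99))
```

The two threshold runs show why the sample count matters: with a window of one, the first transient spike raises the condition; with a window of six, only sustained saturation does, which is usually what an operator wants an alert on.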

Schedule

Basic scheduling for rules can be added. This scheduling functionality enables a rule to be active, or inactive, during certain hours. MOM enables scheduling in the following ways:

  • By time of day

  • By day

By default, a rule is configured to process data 24 hours a day, seven days a week.

Alert Suppression Policy

Certain rule subtypes can raise an alert as a response to a successful criteria match. By default, an alert is created for each instance of the criteria match. This might not be useful to operations personnel if each new alert instance is displayed in the MOM Operator console as a new issue. MOM allows you to configure the rule so that duplicate instances of the alert are suppressed, or hidden, within an existing, but unresolved, alert. When the representative alert is resolved, so are all suppressed alerts within it.

Alert suppression is rule-based and a rule can only suppress alerts that it generated. If two different alert-generating rules matched the same event, then two unique alerts would appear in the MOM Operator console.

The options for Alert Suppression include:

  • Alert Name

  • Alert Description

  • Alert Source

  • Severity

  • Computer

  • Domain

  • Source Name

  • Event Number

  • Category

  • Description

  • Event Type

  • Message DLL

  • Message DLL File Version

  • Provider Name

  • User Name

Important

The operations personnel using your Management Pack might want to configure your rules to suppress on additional parameters in the events. The event collection rules might not collect these parameters by default, and suppressing on them would then not be possible. When building your event collection rules, make sure that you configure them to collect these additional parameters. Security Log events are a good example of events on which end users will want to suppress by additional parameters.

Alert suppression policy is highly configurable, but the default settings (Computer and Domain checked) satisfy most Management Pack needs. A custom alert suppression policy might be used in the following cases:

  • A rule executes a script that runs a number of health checks on an application. As a result, the script might generate two or more different alerts directly from the script code. The author suppresses on "Alert Name".

  • A rule is configured to generate an alert based on an event that might indicate different health states and problems. In this case, the different health states can be distinguished by the text in the description. The author can suppress by "Description" so that a separate alert is generated whenever the description differs.

Note

Suppressing on description can be problematic if the description consists of non-static text. For example, suppressing on a description that contains dates and times would not work as expected: because every occurrence carries a different date and time, no two descriptions match, and every occurrence produces a new alert instead of being suppressed.
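As an added illustration of the Alert Suppression Policy section and the note above (example code written for this edit, not part of MOM or of this guide), the following Python simulates rule-based suppression: an alert whose selected fields match an open, unresolved alert is hidden under that representative, and resolving the representative resolves its suppressed duplicates. The Alert class, the field names, the normaliser and the constructed Security-Log-style logon alerts are assumptions made for the example; MOM's own suppression matches raw field values and has no normalisation step.

```python
"""Added example (not MOM code): simulating MOM-style alert suppression
and showing why suppressing on a timestamped description fails."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """The subset of alert fields used here; names are assumptions."""
    name: str
    description: str
    computer: str
    domain: str
    user_name: str = ""


# MOM's default suppression policy: Computer and Domain checked.
DEFAULT_SUPPRESSION = ("computer", "domain")

# Dates and times are the usual non-static text inside a description.
_TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")


def strip_timestamps(field_name, value):
    """Assumed normaliser: make 'description' stable across occurrences by
    replacing embedded timestamps. MOM itself does not do this."""
    if field_name == "description":
        return _TIMESTAMP.sub("<time>", value)
    return value


class AlertStore:
    """Open alerts for one rule (suppression is per rule, so each rule
    would have its own store)."""

    def __init__(self, suppress_on=DEFAULT_SUPPRESSION, normalise=None):
        self.suppress_on = tuple(suppress_on)
        self.normalise = normalise or (lambda field_name, value: value)
        self.open = {}        # suppression key -> representative alert
        self.suppressed = {}  # suppression key -> duplicates hidden under it

    def key(self, alert):
        """The selected fields are the suppression key."""
        return tuple(self.normalise(f, getattr(alert, f)) for f in self.suppress_on)

    def raise_alert(self, alert):
        """True if a new alert appears in the console, False if it was
        suppressed within an existing, unresolved alert."""
        k = self.key(alert)
        if k in self.open:
            self.suppressed[k] += 1
            return False
        self.open[k] = alert
        self.suppressed[k] = 0
        return True

    def resolve(self, alert):
        """Resolving the representative resolves its suppressed duplicates.
        Returns how many alerts were closed (0 if none was open)."""
        k = self.key(alert)
        if k not in self.open:
            return 0
        closed = 1 + self.suppressed.pop(k)
        del self.open[k]
        return closed


def sample_alerts():
    """Constructed failed-logon alerts (not real data), as a Security Log
    rule might raise them. user_name is only available for suppression if
    the collection rule collects it."""
    return [
        Alert("Logon failure", "Logon failed for alice at 2005-03-01 10:00:01",
              "SRV1", "CORP", "alice"),
        Alert("Logon failure", "Logon failed for bob at 2005-03-01 10:00:02",
              "SRV1", "CORP", "bob"),
        Alert("Logon failure", "Logon failed for alice at 2005-03-01 10:00:03",
              "SRV2", "CORP", "alice"),
        Alert("Logon failure", "Logon failed for alice at 2005-03-01 10:00:04",
              "SRV1", "CORP", "alice"),
    ]


def visible_alerts(suppress_on, normalise=None):
    """How many alerts an operator sees for the sample under a policy."""
    store = AlertStore(suppress_on, normalise)
    return sum(store.raise_alert(a) for a in sample_alerts())


if __name__ == "__main__":
    print("Computer+Domain (default):", visible_alerts(DEFAULT_SUPPRESSION))
    print("Computer+Domain+User Name:",
          visible_alerts(("computer", "domain", "user_name")))
    print("Description, raw          :", visible_alerts(("description",)))
    print("Description, normalised   :",
          visible_alerts(("description",), strip_timestamps))
```

Under the default policy the two SRV1 alerts for different accounts collapse into one, which hides that bob is also failing to log on; adding User Name keeps them distinct. Suppressing on the raw description suppresses nothing, because each timestamp makes the key unique, which is the failure the note describes.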

Responses

When a criteria match occurs, an author might want an action to run in response to the match. MOM provides authors with the ability to execute the following types of responses:

  • Generate an alert

  • Execute a script

  • Run an executable or batch file

  • Send an SNMP trap

  • Send notification to a notification group

  • Update a state variable

  • Transfer a file

  • Call a method from a managed code assembly

A rule can execute one or more responses for any criteria match. For more information, see the Automated Responses section in this guide.

Vendor Knowledge

Authors should add knowledge to every rule group and rule in their Management Pack. The knowledge serves many purposes, but its primary function is to give operations personnel detailed information on the rule group or rule.

Knowledge is authored in HTML and is added to the knowledge template on the Advanced Knowledge tab of the rule's property sheet. The Rule Knowledge template includes the following sections:

  • Summary

  • Causes

  • Resolutions

  • External Knowledge Sources

  • Sample Event

  • Related Events

  • Other Information

  • Internal Comment

All rules should contain information in the Summary section to describe the purpose and function of the rule. If a rule is designed to generate an alert, the Summary must describe the end user impact of the issue, and must include sufficient information in the Causes and Resolutions sections.

Note

The Internal Comment section is where authors can add private notes about a rule. This information is not included in the Management Packs that are exported for operations personnel.

The Rule Group knowledge template includes the following sections, which should be provided for each rule group in the Management Pack:

  • Purposes

  • Features

  • Configuration

Customer Knowledge

Operations personnel might find it necessary to augment the vendor knowledge or add comments to it. The Company Knowledge section is for this purpose. You are not required to add information to Company Knowledge when building a Management Pack.

Advanced Settings

There are a number of settings that can be modified in the Advanced tab of a rule group's or rule's property sheet. For more information on these settings, see the MOM 2005 SDK.