This documentation is archived and is not being maintained.

How to Create an Alert Generating NT-Event-Log-Based Rule in Operations Manager 2007

Updated: May 22, 2009

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

Use the following procedure to create an alert-generating NT-event-log-based rule in Operations Manager 2007. The rule runs on every agent that hosts an instance of the targeted class, reads that computer's own event log, and raises an alert for each matching event; the alerts appear in the Alert views for the targeted objects.

To create an alert generating an NT-event-log-based rule in Operations Manager 2007

  1. Start the Operations Manager 2007 Create Rule Wizard.

    Note
    For information about starting the Create Rule Wizard, see How to Start the Create Rule Wizard in Operations Manager 2007.

  2. On the Select a Rule Type page, do the following:

    1. Expand Alert Generating Rules, expand Event Based, and then click NT Event Log (Alert).

    2. Select a Management pack from the list, such as Default Management Pack, or click New to create a management pack with the Create a Management Pack Wizard.

      Note
      The rule will be added to the specified management pack; therefore, only unsealed management packs are listed. By default, when you create a management pack object, disable a rule or monitor, or create an override, Operations Manager saves the setting to the Default Management Pack. As a best practice, you should create a separate management pack for each sealed management pack you want to customize, rather than saving your customized settings to the Default Management Pack. For more information, see Default Management Pack.

    3. Click Next.

  3. On the Rule Name and Description page, do the following:

    1. Type the Rule name, such as Win App Event 1000 LoadPerf.

    2. Optionally, type a Description for the rule.

    3. Click Select, select a target, such as Windows Computer, and then click OK.

    4. Leave Rule is enabled selected, to have the rule take effect at the completion of the wizard, or clear the check box to enable the rule at a later time, and then click Next.

  4. On the Event Log Name page, provide the name of the event log (the channel name shown in Event Viewer) from which the rule reads events. You can either browse to select a log or type the channel name directly.

    Note
    If you type the name manually, use the channel name, not the name of the file on disk. When Windows writes a channel to disk it replaces the forward slash (/) in the channel name with the escape sequence “%4” and appends the .evtx extension; neither belongs in the rule. A rule configured with the on-disk name will never match any events.

    For example, the following (on-disk file name) is incorrect:

    Microsoft-Windows-TerminalServices-Gateway%4Operational.evtx

    This is the correct channel name for the log above:

    Microsoft-Windows-TerminalServices-Gateway/Operational

  5. On the Build Event Expression page, build the query the rule will use to generate alerts, for example:

    1. Set Event ID equal to the Windows Event ID of the events you want the rule to alert on, such as 1000.

    2. Set the Event Source to the specific source of the events, exactly as it appears in the Source column of Event Viewer, such as LoadPerf.

      Note
      Click Insert to add an Expression, such as Event Level equals Error, or group expressions with OR or AND operators.

    3. Click Next.

    Note
    The rule created in the preceding example will generate an alert each time Windows event 1000 from source LoadPerf is written to the selected log on a computer covered by the rule's target. Event ID and Source are properties of a Windows event and can be viewed in the Windows Event Viewer. Because the example targets Windows Computer, every agent-managed Windows computer evaluates the rule; choose a narrower target if only some computers should raise the alert.

  6. On the Configure Alerts page, set the properties of the alert, for example:

    1. Type the Name for the alert, such as Alert generating Rules Win App Event 1000 LoadPerf.

    2. Optionally, type the Description for the alert. You can also click the (...) button and select Target and Data variables to include in the description, such as NetBIOS Computer Name.

    3. Select a Priority from the list, such as Low.

    4. Select a Severity from the list, such as Information.

    5. Optionally, click Custom alert fields and type values or click the (...) button and insert variables in the custom fields, and then click OK.

    6. Optionally, click Alert suppression, and then select one or more Fields of the alert, such as Logging Computer and Event ID. While an alert with identical values in the selected fields is still open, further matching events increment that alert's repeat count instead of creating new alerts. Use suppression when one issue can log the same event repeatedly; without it, a chatty source produces an alert for every event.

    7. Click Create.
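The following PowerShell script is an added example and is not part of the original article or of Operations Manager itself. It covers the two places in the procedure where a mistyped value silently produces a rule that never fires: the channel name entered on the Event Log Name page (step 4) and the Event ID / Source expression built on the Build Event Expression page (step 5). Run it on a computer that the rule will target. The function names ConvertTo-ChannelName, Test-EventChannel and Find-RuleEvents are this example's own, the parameter defaults reuse the article's Application / LoadPerf / 1000 example, and the file path in the usage section is assumed to be the standard location under %SystemRoot%\System32\winevt\Logs. Get-WinEvent requires Windows Vista / Windows Server 2008 or later.

```powershell
# Added example (not from the original article). Sanity checks to run on a
# monitored computer before you finish the Create Rule Wizard.

function ConvertTo-ChannelName {
    # Turn an on-disk .evtx file name (the form the Event Log Name page rejects)
    # into the channel name the wizard expects: drop the directory and the
    # .evtx extension, then undo the %4 escape that stands in for "/".
    param([Parameter(Mandatory = $true)][string]$Path)
    $leaf = Split-Path -Path $Path -Leaf
    $leaf = $leaf -replace '(?i)\.evtx$', ''
    return $leaf -replace '%4', '/'
}

function Test-EventChannel {
    # Confirm the channel exists on this computer. -ListLog accepts a channel
    # name; LogFilePath shows the on-disk name, which is where %4 comes from.
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$ChannelName)
    $log = Get-WinEvent -ListLog $ChannelName -ErrorAction SilentlyContinue
    if ($null -eq $log) { return $false }
    Write-Verbose ("{0} -> {1}" -f $log.LogName, $log.LogFilePath)
    return $true
}

function Find-RuleEvents {
    # Apply the same filter the rule's expression describes. FilterHashtable
    # keys map onto the wizard's fields: LogName -> Event Log Name page,
    # ProviderName -> Event Source, Id -> Event ID. The Source must match the
    # provider name exactly as Event Viewer shows it.
    param(
        [string]$LogName   = 'Application',
        [string]$Source    = 'LoadPerf',
        [int]$EventId      = 1000,
        [int]$MaxEvents    = 50
    )
    $filter = @{ LogName = $LogName; ProviderName = $Source; Id = $EventId }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No events matched Log=$LogName Source=$Source ID=$EventId on $env:COMPUTERNAME"
        return @()
    }
    # Group by the fields an Alert suppression would typically key on
    # (Logging Computer + Event ID). A high Count is the alert storm that
    # suppression on those fields is meant to collapse into one alert.
    return $events |
        Group-Object -Property MachineName, Id |
        Select-Object -Property Name, Count,
            @{ Name = 'Newest'; Expression = {
                ($_.Group | Sort-Object -Property TimeCreated -Descending |
                    Select-Object -First 1).TimeCreated } }
}

# Usage, reusing the article's own examples. The file path is assumed.
$onDisk = 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-Gateway%4Operational.evtx'
$channel = ConvertTo-ChannelName -Path $onDisk
"Channel name to enter in the wizard: $channel"
if (-not (Test-EventChannel -ChannelName $channel -Verbose)) {
    Write-Warning "Channel '$channel' is not registered on $env:COMPUTERNAME; the rule would read nothing here."
}
Find-RuleEvents -LogName 'Application' -Source 'LoadPerf' -EventId 1000 | Format-Table -AutoSize
```

If Test-EventChannel returns False on the computers you intend to target, the wizard's browse button is the safer way to pick the log. If Find-RuleEvents reports no matches, either the events have not occurred yet or the Source value differs from the provider name Windows records, which is the most common reason an event rule never alerts.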
