How to Create a Correlated Windows Event Unit Monitor in Operations Manager 2007

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

A single event immediately followed by a second event can be indicative of a serious issue. To monitor these types of issues, you can configure the correlated Windows event unit monitor to define a health state for two different events that occur within a short time frame.

In the Create Monitor Wizard, you define three events in succession. The first event you define is the simple event. This event triggers a timer. The second event you define is the first correlated event. This event is compared to the simple event to specify the health state for the monitor. The third event you define is the second correlated event to reset the health state to Healthy.
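The following PowerShell script is an added illustration, not code from the Operations Manager documentation or product: it models how the three events and the correlation interval combine into the monitor's operational states over a constructed event stream. The model assumes that the simple event alone produces the EventRaised operational state, that event A followed by event B within the correlation interval produces the CorrelatedEventRaised state, and that each operational state maps to the health state chosen on the Configure Health page (the defaults below follow the procedure on this page). The function name, the event IDs and the sample timestamps are assumptions; the wizard's "Correlate when the following happens" options are not modeled beyond "B occurs after A within the interval".

```powershell
# Added illustration, not code from the Operations Manager documentation: a simplified
# model of the correlated Windows event unit monitor's evaluation. Assumptions:
#  - the simple event alone produces the EventRaised operational state;
#  - event A followed by event B within the correlation interval produces the
#    CorrelatedEventRaised operational state;
#  - the health state for each operational state is the one entered on the
#    Configure Health page (defaults here follow the procedure on this page).

function Get-CorrelatedMonitorStates {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Time, EventId, Source
        [int]    $SimpleEventId   = 100,
        [int]    $EventAId        = 101,
        [int]    $EventBId        = 102,
        [string] $Source          = 'EventCreate',
        [int]    $IntervalSeconds = 30,
        [string] $EventRaisedHealth           = 'Critical',  # Configure Health, EventRaised row
        [string] $CorrelatedEventRaisedHealth = 'Healthy'    # Configure Health, CorrelatedEventRaised row
    )

    $health      = 'Healthy'
    $timerStart  = $null          # time of the most recent event A; $null when no timer is running
    $transitions = New-Object System.Collections.Generic.List[object]

    foreach ($e in ($Events | Sort-Object Time)) {
        # Both Event ID and Event Source have to match, as in the wizard's event expressions
        if ($e.Source -ne $Source) { continue }

        if ($e.EventId -eq $SimpleEventId) {
            $health = $EventRaisedHealth
            $transitions.Add([pscustomobject]@{
                Time = $e.Time; OperationalState = 'EventRaised'; Health = $health })
        }
        elseif ($e.EventId -eq $EventAId) {
            $timerStart = $e.Time                 # A starts (or restarts) the correlation timer
        }
        elseif ($e.EventId -eq $EventBId) {
            if ($null -ne $timerStart -and ($e.Time - $timerStart).TotalSeconds -le $IntervalSeconds) {
                $health = $CorrelatedEventRaisedHealth
                $transitions.Add([pscustomobject]@{
                    Time = $e.Time; OperationalState = 'CorrelatedEventRaised'; Health = $health })
                $timerStart = $null               # correlation consumed; A has to occur again
            }
            # B outside the interval, or with no preceding A, is ignored
        }
    }
    return $transitions
}

# Constructed sample: timestamps and IDs invented for this illustration
$t0 = Get-Date '2024-01-01 10:00:00'
$sample = @(
    [pscustomobject]@{ Time = $t0;                 EventId = 100; Source = 'EventCreate' }  # simple event -> Critical
    [pscustomobject]@{ Time = $t0.AddSeconds(40);  EventId = 101; Source = 'EventCreate' }  # A starts the timer
    [pscustomobject]@{ Time = $t0.AddSeconds(50);  EventId = 102; Source = 'EventCreate' }  # B 10 s later -> Healthy
    [pscustomobject]@{ Time = $t0.AddSeconds(120); EventId = 100; Source = 'EventCreate' }  # simple event -> Critical again
    [pscustomobject]@{ Time = $t0.AddSeconds(130); EventId = 101; Source = 'EventCreate' }  # A starts the timer
    [pscustomobject]@{ Time = $t0.AddSeconds(200); EventId = 102; Source = 'EventCreate' }  # B 70 s later: outside 30 s, no change
)
Get-CorrelatedMonitorStates -Events $sample | Format-Table -AutoSize
```

Running the script prints three transitions (Critical, Healthy, Critical); the final B event arrives 70 seconds after its A, outside the 30-second interval, so no reset is recorded. Changing the interval or the health-state parameters shows how the Correlation Interval and Configure Health settings in the wizard change what the monitor reports.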

To create a correlated Windows event unit monitor

  1. Log on to the computer with an account that is a member of the Operations Manager Administrators user role or Operations Manager Authors user role for the Operations Manager 2007 management group.

  2. In the Operations console, click the Authoring button.

  3. In the Authoring pane, expand Authoring, expand Management Pack Objects, and then click Monitors.

  4. Click Change Scope.

  5. In the Scope Management Pack Objects dialog box, in the Find text box, type Windows Computer, select the Windows Computer target check box, and then click OK.

  6. In the Monitors pane, expand Windows Computer, expand Entity Health, right-click Availability, point to Create a monitor, and then click Unit Monitor.

  7. In the Create Monitor Wizard, on the Select a Monitor Type page, expand Windows Events, expand Correlated Event Detection, click Windows Event Reset, and then click Next.

    Note

    You can select a management pack from the Select destination management pack list or create a new unsealed management pack by clicking New. By default, when you create a management pack object, disable a rule or monitor, or create an override, Operations Manager saves the setting to the Default Management Pack. As a best practice, you should create a separate management pack for each sealed management pack you want to customize, rather than saving your customized settings to the Default Management Pack. For more information, see Default Management Pack.

  8. On the General Properties page, in the Name box, type a name for the Windows event unit monitor, and then, optionally, type a description.

  9. Click the Parent monitor arrow, select the appropriate parent monitor, and then click Next.

  10. On the Event Log Name page (for the simple event), under Log name, click the () button.

  11. In the Select Event Log dialog box, under Computer, click the () button. The Select Computer dialog box opens. In the Enter the object name to select box, type the name of the computer, and then click OK.

  12. On the Select Event Log dialog box, click one of the available event logs, and then click OK.

  13. On the Event Log Name page, click Next.

  14. On the Build Event Expression page (for Build Simple Event Expression), in the Event ID row, click the alert icon in the Operator column, and then use the drop-down box to select the Event ID operator. In the Value column, click () and select the value for the Windows Event ID that you want to monitor.

  15. In the Event Source row, click the alert icon in the Operator column, and then use the drop-down box to select an operator. In the Value column, click () and select a value equal to the source of the event, and then click Next.

    Note

    Event ID and Source are properties of an event and can be viewed in the Windows Event Viewer.

  16. On the Event Log Name page (for Define Event Log Name A), under Log name, click the () button.

  17. On the Select event log page, under Computer, click the () button or type the name of the computer, click one of the available event logs, and then click OK.

  18. On the Event Log Name page, click Next.

  19. On the Build Event Expression page (for Build Event Log Expression for A), set Event ID equal to the Windows Event ID that you want to monitor, set Event Source equal to the source of the event, and then click Next.

    Note

    Event ID and Source are properties of an event and can be viewed in the Windows Event Viewer.

  20. On the Event Log Name page (for Define Event Log Name B), under Log name, click the () button.

  21. On the Select event log page, under Computer, click the () button or type the name of the computer, click one of the available event logs, and then click OK.

  22. On the Event Log Name page, click Next.

  23. On the Build Event Expression page (for Build Event Log Expression B), set Event ID equal to the Windows Event ID that you want to monitor, set Event Source equal to the source of the event, and then click Next.

    Note

    Event ID and Source are properties of an event and can be viewed in the Windows Event Viewer.

  24. On the Correlated Events Configuration page:

    1. Under Correlation Interval, set the correlation interval you want.

      Note

      The minimum value for a correlation interval is 1 second. The maximum value is 2,147,483,647 seconds (approximately 68 years).

    2. Under Correlation Details, click the Correlate when the following happens arrow and select an entry in the list that defines the relationship between the simple event (A) and the first correlating event (B).

    3. Click Next.

  25. On the Configure Health page:

    1. For the CorrelatedEventRaised row, click the name in the Operational State column and type a new name for this event, click the health state in the Health State column, and then click Healthy.

    2. For the EventRaised row, click the name in the Operational State column and type a new name for this event, click the health state in the Health State column, and then click Critical or Warning.

    3. Click Next.

  26. On the Configure Alerts page, set the properties of the alert, and then click Create.

    Note

    You can test the functionality of the event monitor with the eventcreate.exe command-line utility that is included with Windows XP and Windows Server 2003 operating systems. The following is an example: C:\WINNT\system32\eventcreate.exe /L SYSTEM /ID 100 /T ERROR /D "System Event ID 100 from source EventCreate". For more information about EventCreate, see https://go.microsoft.com/fwlink/?LinkId=79244.
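The following PowerShell script is an added example, not from the Operations Manager documentation: it uses eventcreate.exe, as the note above suggests, to write the whole sequence the monitor expects (the simple event, then event A and event B inside the correlation interval) rather than a single event. The log name, the event IDs, the function name and the 30-second interval are assumptions; substitute the values entered in the wizard.

```powershell
# Added example, not from the Operations Manager documentation: write the event sequence
# the monitor expects, using eventcreate.exe as in the Note above. The log name, the
# event IDs and the 30-second interval are assumptions; substitute the values entered in
# the wizard. eventcreate.exe writes with the source "EventCreate" unless /SO is given,
# so the monitor's Event Source expressions must match that source.
# Run in an elevated PowerShell session on a computer the monitor targets.

$Log             = 'SYSTEM'
$IntervalSeconds = 30                                  # the monitor's Correlation Interval (assumed)
$EventCreate     = Join-Path $env:SystemRoot 'system32\eventcreate.exe'

function Write-TestEvent {
    param([int] $Id, [string] $Description)
    & $EventCreate /L $Log /ID $Id /T ERROR /D $Description
    if ($LASTEXITCODE -ne 0) { throw "eventcreate.exe returned $LASTEXITCODE for event ID $Id" }
}

# 1. The simple event: should put the monitor into the health state chosen for EventRaised
Write-TestEvent -Id 100 -Description 'Monitor test: simple event (ID 100)'
Start-Sleep -Seconds 60                                # give the agent time to process it; check Health Explorer

# 2. Event A followed by event B inside the correlation interval: should produce
#    CorrelatedEventRaised and the health state chosen for it
Write-TestEvent -Id 101 -Description 'Monitor test: correlated event A (ID 101)'
Start-Sleep -Seconds ([int]($IntervalSeconds / 3))     # well inside the interval
Write-TestEvent -Id 102 -Description 'Monitor test: correlated event B (ID 102)'

# 3. Confirm that the three events reached the log with the expected source
Get-EventLog -LogName $Log -Source 'EventCreate' -Newest 3 |
    Select-Object TimeGenerated, EventID, Message
```

After each stage, open Health Explorer for the targeted Windows Computer object and confirm that the monitor's state changed as configured on the Configure Health page; if it did not, compare the Event ID, Source and log name in step 3's output against the expressions entered in the wizard.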