This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 32%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
Hi,
New to SCOM trying to make some modifications to an alert description from a log event monitor. I have looked at some of the blogs and posts about some of the parameter variables, but still haven't been able to achieve the results I want. I am trying to grab certain fields from within the alert XML data. Since the XML data is not very long I will paste it here:
< DataItem type =" System.XmlData " time =" 2021-02-02T18:21:22.9683726-05:00 " sourceHealthServiceId =" 486239AE-5D94-3C1F-1D1B-0990DD8C43FE " >
< UserData >
< CertNotificationData ProcessName =" taskhostw.exe " AccountName =" XXXXXXXXXXXX " Context =" Machine " >
< CertificateDetails Thumbprint =" c671adc74e2a61e2597664dbee80e3400ea2038b " >
< Template Name =" XXXXXXXXXXX " OID =" 1.3.6.1.4.1.311.21.8.15504135.12588515.2314127.10440875.7078001.165.5330265.16365739 " />
< SubjectNames >
< SubjectName > XXXXXXXXXXXX </ SubjectName >
</ SubjectNames >
< EKUs >
< EKU Name =" Server Authentication " OID =" 1.3.6.1.5.5.7.3.1 " />
< EKU OID =" 1.3.6.1.4.1.311.54.1.2 " />
</ EKUs >
< NotValidAfter > 2021-02-24T19:52:32Z </ NotValidAfter >
</ CertificateDetails >
</ CertNotificationData >
</ UserData >
</ DataItem >
As I'm sure you can tell it is from certificate events. What I am trying to do is grab the <Template Name> and <NotValidAfter>
Things that I have tried thus far:
So I'm not sure why trying to grab all of DataItem picks up some things and leaves out others. My only thought was those 2 have immediate closing tags after them. Or possibly the = in the tags is throwing something off. Trying to point directly to an item only results in nothing being displayed. I could also just have the syntax all wrong.
Any assistance is appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
At a first glance what you tried seems correct, so I'll have to test it a bit further to see what could wrong. The $/data/Context/blabla syntax is always a mess to get right anyway :D
But in the meantime, since it looks like you're trying to monitor certificates, have you considered using Raphael Burri's PKI MP? It's great!
https://github.com/rafabu/SCOM-PKICertificateMP/releases/tag/v1.4.3.0
Thank you for your response. It's good to know I'm on the right track at least. :)
We do have a PKI MP in our environment, but it is older and doesn't perform what I am trying to do. I will consider the MP you mention, but that could be a ways off. In our environment, new MPs have to be tested, go through a bunch of red tape for approvals to be deployed, etc. So I'm looking for a solution that I can implement faster than a few months that putting a new MP into our environment would take.
One thing I have noticed from looking at the XML data more, I'm curious if it has something to with the quotes within the tags? As I mentioned, adding $Data/Context/EventData/DataItem$ to the description shows the two fields and those fields are the only ones that do not have quotes around the information.