Creating a Repeated Event Detection *Rule*

Comments

  • Anonymous
    January 01, 2003
    MP author doesn't have this capability, but they could add this as a feature. MP author adds the ability to add a condition detection that is a scheduler filter, which is different than the consolidator module. The scheduler filter adds the ability to only make the workflow active during certain time periods, like business hours, not during weekends, etc.
    • Anonymous
      December 09, 2016
      Kevin, I'm attempting to follow your steps, any reason you can think of why I can't create a rule in Health Model Pane? I'm an admin and running in admin mode. Only action available is refresh.
      • Anonymous
        December 09, 2016
        Did you create a new empty Management Pack first?
        • Anonymous
          January 12, 2017
          Sorry I'm taking so long to respond, but yes that was my problem. Here is a dumb question though: I did all this, saved and imported it. Now, won't I need to create a new rule that references this new management pack?
          • Anonymous
            January 12, 2017
            Cancel that last response, I answered my own question. Thanks for this great article Kevin.
  • Anonymous
    January 01, 2003
    I had similar issues that you have with the reset conditions of repeated event monitors. I made a monitor type that uses the missing event Condition Detection as the reset condition. http://blogs.technet.com/b/omx/archive/2013/01/21/repeated-event-monitors-with-a-missing-event-reset.aspx
  • Anonymous
    December 19, 2014
    Another great post Kevin. I wonder if one could create the same type of alert rule with the Silect MP Author tool? It has an option to schedule an event log rule by minutes.
  • Anonymous
    January 01, 2015
    Good one
    I need help in troubleshooting a rule which is already configured.

    A rule for RightFax servers for event ID 3314 was configured for the Windows computer group. Though it is overridden, it is affecting the entire MG, and all the agents including RMS, MS are in warning.
    Due to this, the SDK service keeps stopping, and here is the error.

    I have already disabled this particular rule which is affecting, but no use.
    Help will be appreciated.

    The Windows Event Log Provider was unable to open the Application event log on computer "server name" for reading. The provider will retry opening the log every 30 seconds. Most recent error details: The RPC server is unavailable. One or more workflows were affected by this. Workflow name: MSExchangeMonitoringCorrelationConnectivityToRMS Instance name: Correlation Engine - sdwpcfs712a (Correlation Engine) - C-SDW Instance ID: {A9528C38-6A1E-9A5F-1B23-C8FE49941B59} Management group:
  • Anonymous
    January 09, 2015
    Very nice - I always look for this under rules, then remember it's only under monitors. It's nice that the only addition is the condition detection - should make for easy XML editing if someone wanted to do it that way, or create a script to add the counter to an existing rule.
  • Anonymous
    April 15, 2015
    I have a problem monitoring SQL job failures. The default monitor which comes with the SQL MP doesn't count job failures before firing the alert.
    I need to create a rule/monitor that can generate an alert after X SQL job failures with the option to choose the X counter depending on the job.
    But I also need a way to clear the counter by using a different event ID than the SQL job failure event ID (Event 208 on application log).

    So basically I need to create a configurable monitor/rule for SQL job failure which can be customized for X failures for each job and also be able to clear the X counter with another event ID.

    For example I have a job called "test" which is configured to generate alert after 3 consecutive job failures.
    But if the job failed twice and then succeeded and then failed one more time the alert shouldn't be generated.

    I'll be happy to receive some help with that.
    Thx in advance.
  • Anonymous
    August 04, 2015
    I didn't see any reason why this shouldn't work for creating a rule for SCOM 2012 R2, so I went ahead and did that, updated the version numbers in the XML, and imported the MP. The MP is showing up in Administration --> Management Packs, but it is not in the MP list when selecting the Scope in Authoring --> Management Pack Objects --> Rules, and the rule is not showing up when I select all MPs and search for it.

    Is this normal, or should it be showing up?

    Thanks,

    -Evan
  • Anonymous
    October 27, 2015
    I had a customer looking for an example of how SCOM can monitor a server for multiple reboots in a period
  • Anonymous
    October 13, 2017
    I hope this is still being followed. I'm trying to use this methodology in 2012 R2 to create a rule that generates a simple alert if more than 5 event ID 4625s are detected in the security log in under a minute, and it doesn't seem to work. Any ideas? I started with an empty management pack, and pointed at the security log rather than the application log, and selected event ID 4625 instead of the below, and that's the only real difference, but no alerts are generated when the condition is violated. Later I would want to scope the source of course to the same server.
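
The counting logic the last comment asks for (more than 5 occurrences of event ID 4625 from one server in under a minute), as an added example that is not part of the original post or comments and is not SCOM's consolidator module. The function name, the event tuple layout, the server names and the choice to reset the count after each alert are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_repeated_events(events, event_id, threshold, window_seconds):
    """Return one alert per burst of more than `threshold` events with
    `event_id` from the same computer inside `window_seconds`.

    `events` is an iterable of (timestamp, computer, event_id) tuples.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # computer -> timestamps still inside the window
    alerts = []
    for ts, computer, eid in sorted(events):
        if eid != event_id:
            continue
        q = recent[computer]
        q.append(ts)
        # "In under a minute": drop anything a full window or more older
        # than the newest event.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > threshold:
            alerts.append(
                {"computer": computer, "first": q[0], "last": ts, "count": len(q)}
            )
            q.clear()  # assumption: start counting afresh after an alert
    return alerts


# Constructed sample data: SRV01 logs six failed logons in 25 seconds,
# SRV02 logs six failed logons spread over 75 seconds, and SRV01 also
# logs one successful logon (4624) that must not be counted.
BASE = datetime(2017, 10, 13, 9, 0, 0)
SAMPLE_EVENTS = (
    [(BASE + timedelta(seconds=5 * i), "SRV01", 4625) for i in range(6)]
    + [(BASE + timedelta(seconds=15 * i), "SRV02", 4625) for i in range(6)]
    + [(BASE + timedelta(seconds=12), "SRV01", 4624)]
)

if __name__ == "__main__":
    for alert in detect_repeated_events(SAMPLE_EVENTS, 4625, 5, 60):
        print(alert)
```

Grouping by computer before counting is what keeps slow, unrelated failures on many servers from adding up to a single alert.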