Using Alert Severity and Priority with Overrides

Some of you may already know that with Operations Manager SP1 RC we allow overriding alert severity and priority. What is a little unfortunate is the inconsistency between creating an alert-generating rule and overriding it: the former uses a string describing the severity or priority, while the latter simply expects an integer value. This post explains the mapping between the strings and the integers.

Mapping:

Alert severity and its corresponding integer value:

Critical – 2
Warning – 1
Information – 0

Alert priority and its corresponding integer value:

High – 2
Medium – 1
Low – 0

Let’s assume we have the following alert with severity CRITICAL:

[Figure: Alert rule with severity CRITICAL]

Let’s override the severity. As we can see, the effective value used for severity is 2 and for priority is 1.

[Figure: Alert rule effective values used for severity and priority]

We can now override the severity. Let’s pick an incorrect value outside the allowed range to demonstrate the runtime's ability to adjust and generate a corrected alert.

[Figure: Incorrect severity value used for override]

After such an override has been applied and the configuration reloaded, the new values are used when the alert is raised. The following is a sample of such an alert.

[Figure: Raised alert with adjusted severity to INFORMATION]

We can see that the new alert is raised with severity INFORMATION. The value of Information, per the mapping above, is 0, so the runtime had to adjust and used the valid value closest to -1, which is the value we used when overriding the severity. To help with recognizing an incorrect value used for a severity or priority override, Operations Manager 2007 SP1 introduced new events (5404, 5405) that inform the user when the runtime was unable to recognize the value used and had to adjust it to the closest allowed one. An alert is also raised so that an OpsMgr 2007 operator can recognize this problem without inspecting the event log.

Sample alert:

[Figure: Alert raised for incorrect override values]

Sample event (this raised the alert above):

Event Type: Warning
Event Source: HealthService
Event Category: Health Service
Event ID: 5405
Date: 12/17/2007
Time: 11:16:25 AM
User: N/A
Computer: CUPIDDP13D

Description:

Invalid value for alert severity used with configuration of the rule. It was outside of allowed range and had to be adjusted to closest valid value.

Alert: F2732EEA-A871-27EA-1639-143269DE3CEF
Workflow: MomUIGeneratedRule34de90f776f541db8ccb625bf338af58
Instance: OpsMgr Health Service
Instance ID: {4140A3FC-F165-F0BC-E036-4B2FFB93C622}
Management Group: marius

Used severity value: -1

How to troubleshoot:

There are a couple of options. The operator may remember the alert for which the value "-1" was used in the override, and then needs to go back and use a correct value from the range discussed in this post. If the override was made long ago, or by someone else, the following steps can help to find the name and target of the particular alert, and that information can be used to fix the alert override through the Authoring section of the UI.

For the sample event used above, one should run:

1.    Open Windows PowerShell

2.    Get and store the monitoring object

$mo = Get-MonitoringObject -Id "4140A3FC-F165-F0BC-E036-4B2FFB93C622"

3.    Get the alert rule to identify where to make the change

$rule = Get-Alert -MonitoringObject $mo -Criteria "Id='f0ccb13e-22f1-47de-ba98-2c54975089dc'"

4.    Retrieve the name and target so that the value of the particular overridden alert property can be adjusted later

$rule.Name

$rule.MonitoringObjectFullName
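
When the event text is all you have, the values needed for the steps above can be pulled out of the description itself. The following is an added example, not code from the original post or from Operations Manager: it parses the description of the sample 5405 event and reports the used value next to the value the runtime would fall back to. The function name Resolve-OverrideEvent is hypothetical, the fallback is modeled as a simple clamp to the 0..2 range described in this post, and the "Used priority value" wording for a priority event is an assumption (only the severity wording appears above).

```powershell
# Constructed sample: description text of the 5405 event shown in this post.
$description = @'
Invalid value for alert severity used with configuration of the rule. It was outside of allowed range and had to be adjusted to closest valid value.

Alert: F2732EEA-A871-27EA-1639-143269DE3CEF
Workflow: MomUIGeneratedRule34de90f776f541db8ccb625bf338af58
Instance: OpsMgr Health Service
Instance ID: {4140A3FC-F165-F0BC-E036-4B2FFB93C622}
Management Group: marius

Used severity value: -1
'@

# Integer-to-name mappings from this post.
$names = @{
    severity = @{ 0 = 'Information'; 1 = 'Warning'; 2 = 'Critical' }
    priority = @{ 0 = 'Low'; 1 = 'Medium'; 2 = 'High' }
}

function Resolve-OverrideEvent {   # hypothetical helper, not an OpsMgr cmdlet
    param([string]$Text)
    # Collect every "Key: value" line of the description into a hashtable.
    $fields = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*([^:]+):\s*(.*?)\s*$') { $fields[$Matches[1].Trim()] = $Matches[2] }
    }
    # Find the "Used severity value" line (priority wording is assumed).
    $key = $fields.Keys | Where-Object { $_ -match '^Used (severity|priority) value$' } | Select-Object -First 1
    if (-not $key) { throw 'No "Used ... value" line found in the event description.' }
    $kind = ($key -split ' ')[1].ToLower()
    $used = [int]$fields[$key]
    # Assumption: "closest valid value" is modeled as clamping to 0..2.
    $effective = [Math]::Max(0, [Math]::Min(2, $used))
    New-Object PSObject -Property @{
        Property       = $kind
        UsedValue      = $used
        EffectiveValue = $effective
        EffectiveName  = $names[$kind][$effective]
        WasAdjusted    = ($used -ne $effective)
        InstanceId     = $fields['Instance ID'].Trim('{}')   # usable with Get-MonitoringObject -Id
        Workflow       = $fields['Workflow']
    }
}

Resolve-OverrideEvent -Text $description | Format-List
```

The InstanceId it returns is the value passed to Get-MonitoringObject in step 2.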