Microsoft.Windows.EventProvider
Applies To: System Center 2012 - Operations Manager, System Center 2012 R2 Operations Manager, System Center 2012 SP1 - Operations Manager
The Microsoft.Windows.EventProvider data source module type provides filtered Windows event data of type Microsoft.Windows.EventData from any event log on a Windows-based computer.
Usage
Use this module in rules that collect events or alert on events from the Windows event logs.
Type Definition
<DataSourceModuleType ID="Microsoft.Windows.EventProvider" Accessibility="Public">
  <Configuration>
    <IncludeSchemaTypes>
      <SchemaType>System!System.ExpressionEvaluatorSchema</SchemaType>
      <SchemaType>Microsoft.Windows.ComputerNameSchema</SchemaType>
    </IncludeSchemaTypes>
    <xsd:element name="ComputerName" type="ComputerNameType" minOccurs="0" maxOccurs="1" />
    <xsd:element name="LogName" type="xsd:string" />
    <xsd:element name="AllowProxying" type="xsd:boolean" minOccurs="0" maxOccurs="1" />
    <xsd:element name="Expression" type="ExpressionType" />
  </Configuration>
  <ModuleImplementation>
    <Composite>
      <MemberModules>
        <DataSource TypeID="Microsoft.Windows.BaseEventProvider" ID="Provider">
          <ComputerName>$Config/ComputerName$</ComputerName>
          <LogName>$Config/LogName$</LogName>
          <AllowProxying>$Config/AllowProxying$</AllowProxying>
        </DataSource>
        <ConditionDetection TypeID="System!System.ExpressionFilter" ID="Filter">
          <Expression>$Config/Expression$</Expression>
        </ConditionDetection>
      </MemberModules>
      <Composition>
        <Node ID="Filter">
          <Node ID="Provider" />
        </Node>
      </Composition>
    </Composite>
  </ModuleImplementation>
  <OutputType>Microsoft.Windows.EventData</OutputType>
</DataSourceModuleType>
Parameters
The Microsoft.Windows.EventProvider module supports the following configuration parameters:
Parameter | Type | Description |
---|---|---|
ComputerName | | Optional. Specifies the name of the computer to receive events from. |
LogName | String | Contains the name of the Windows event log to receive events from. |
AllowProxying | Boolean | Optional. Specifies whether the module should collect events that do not originate from the computer that is specified in the ComputerName parameter. The default value is false if this parameter is not specified. |
Expression | | Contains the filter expression to apply to the events from the event log. |
ComputerName
The ComputerName parameter is most commonly passed to the module by using the $Target notation, although it can be specified as any string. This module attempts to connect either to the local computer’s event log or to a remote event log, depending on the configuration passed.
For a workflow that is targeted at Windows Computer, the ComputerName element is specified as shown in the following code:
<ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
If the target is a class that is hosted by a computer, hosting references are added as required. For example:
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
The ComputerName parameter is optional, but as a best practice, it should be specified.
The ComputerName parameter must be specified if the workflow that is being used is run for agentless computers or for virtual computers running on a Windows cluster. If the parameter is not specified, the module runs against the local event log of the computer that is executing the workflow; this works for agent monitoring scenarios but not for agentless monitoring scenarios.
If you omit this parameter, ensure that the rule or monitor has the Remotable attribute marked as false to prevent agentless execution, because the incorrect event log is used if the computer name is not specified. Omitting this parameter also prevents running against a virtual computer that is running on a Windows cluster.
LogName
The LogName parameter is the name of the event log to read events from. A single instance of the module can read from only a single event log, although if required it can be combined with other modules to read and correlate between multiple event logs. An example configuration is:
<LogName>Application</LogName>
AllowProxying
By default, the event provider module reads only events that are generated by the computer that is being monitored. It is possible for another computer to log an event to the monitored computer’s event log; in this case, the event is logged using the name of the computer logging the event.
If AllowProxying is set to true, the module also collects events that were generated by computers other than the computer being monitored. If AllowProxying is set to false, only locally generated events are collected.
Unless there is a specific reason to enable this for your monitoring scenario, it is recommended that you set AllowProxying to false or omit this setting.
The following code is an example configuration:
<AllowProxying>true</AllowProxying>
For more information about the Expression configuration parameter, see ExpressionType.
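An added example, not part of the original documentation or of Operations Manager: a small Python check over management pack XML that applies the ComputerName and AllowProxying guidance above, flagging rules that omit ComputerName while still remotable or that enable AllowProxying. The rule IDs and the embedded fragment are constructed, and it assumes Remotable defaults to true when the attribute is absent.

```python
import xml.etree.ElementTree as ET

# Module types the guidance applies to; the alias prefix ("Windows!") is stripped.
EVENT_MODULES = {"Microsoft.Windows.EventProvider", "Microsoft.Windows.EventCollector"}

# Constructed management pack fragment (rule IDs are hypothetical).
SAMPLE_MP = """<Rules>
  <Rule ID="Demo.Good" Target="Demo.App">
    <DataSources><DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
    </DataSource></DataSources>
  </Rule>
  <Rule ID="Demo.NoComputerName" Target="Demo.App">
    <DataSources><DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <LogName>Application</LogName>
    </DataSource></DataSources>
  </Rule>
  <Rule ID="Demo.LocalOnly" Target="Demo.App" Remotable="false">
    <DataSources><DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <LogName>Security</LogName><AllowProxying>true</AllowProxying>
    </DataSource></DataSources>
  </Rule>
</Rules>"""

def lint_event_rules(mp_xml):
    """Return (rule ID, finding) pairs for event data sources that ignore the guidance."""
    findings = []
    for rule in ET.fromstring(mp_xml).iter("Rule"):
        # Assumption: Remotable defaults to true when the attribute is absent.
        remotable = rule.get("Remotable", "true").strip().lower() in ("true", "1")
        for ds in rule.iter("DataSource"):
            if ds.get("TypeID", "").split("!")[-1] not in EVENT_MODULES:
                continue
            computer = (ds.findtext("ComputerName") or "").strip()
            proxying = (ds.findtext("AllowProxying") or "false").strip().lower()
            if not computer and remotable:
                findings.append((rule.get("ID"), "ComputerName omitted but rule is remotable"))
            if proxying in ("true", "1"):
                findings.append((rule.get("ID"), "AllowProxying is enabled"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in lint_event_rules(SAMPLE_MP):
        print(f"{rule_id}: {finding}")
```

An AllowProxying finding is a prompt to confirm that accepting events logged by other computers is intended for that rule, since the recommendation above is to leave it false.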
Composition
The Microsoft.Windows.EventProvider module is a composite module that contains the following member modules:
Workflow Run Order | Module Type | Usage |
---|---|---|
1 | Microsoft.Windows.BaseEventProvider | Native data source module that retrieves Windows event data of type Microsoft.Windows.EventData from any event log on a Windows-based computer. |
2 | | Filters the incoming Microsoft.Windows.EventData with the specified expression. |
Related Modules
Module Type | Usage |
---|---|
Microsoft.Windows.EventCollector | Provides the same functionality as the Microsoft.Windows.EventProvider module type, except that it defines the AllowProxying parameter as overridable. Use it for event collection when you want to allow the user to override AllowProxying. |
External Module References
None.
Sample
The following code shows an example of an event collection rule using the Microsoft.Windows.EventProvider module type. In this example, the rule looks for an event from the EventCreate source with an event ID of 101 and with a specific instance property in parameter 1. This event is then written to the Operations database and the data warehouse.
<Rule ID="Microsoft.Samples.CollectEvent101" Target="Microsoft.Samples.ApplicationX">
  <Category>AvailabilityHealth</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">EventCreate</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">101</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">Params/Param[1]</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">$Target/Property[Type="Microsoft.Samples.ApplicationX"]/ServiceName$</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
  </WriteActions>
</Rule>
Information
Module Type | |
Input Type | None |
Output Type | |
Implementation | Composite |
Library | Microsoft.Windows.Library |