Raising and Clearing Alerts from Event Log Entries
If the original equipment manufacturer (OEM) includes a pre-existing application on the server appliance, it may be useful to map that application's event log entries to server appliance alerts. The alerts are displayed on the Web UI or the local display, which brings important events to the attention of the server administrator when they happen. You can do this using Event Filter, which is provided by the Server Appliance Kit. Event Filter is a WMI event provider that receives a notification from WMI whenever a new Windows Server 2003 event is created. Event Filter determines whether the event is of interest and, if so, creates a corresponding Microsoft_SA_Alert WMI object. The administrator specifies which Windows Server 2003 events are of interest by setting registry key values in HKLM\Software\Microsoft\ServerAppliance\EventFilter\Events.
The table below describes the registry key and the values that comprise an event definition.
Value | Type | Description | Example |
---|---|---|---|
UniqueID | Key | Unique string identifying an event. | Backup |
AbsoluteEventId | DWORD | Optional, subject to the following conditions: The registry key must contain values either in AbsoluteEventId, or in both EventID and EventType. If both AbsoluteEventID and EventID are specified, AbsoluteEventID is used. AbsoluteEventID is the 32-bit value which, along with the EventSource, uniquely identifies the event. In the absence of this value, EventID (the 16-bit value available in the Event Log) is used, but the value in the Event Log does not completely identify an event. | 0x1f40 |
AddEventStrings | DWORD | When this value is set to 1, the strings from the specified event description are appended to the string specified by the ReplacementStrings of the IApplianceServices::RaiseAlert method that is used to raise the alert. | 1 |
AlertID | DWORD | Required. Identifier of the Microsoft_SA_Alert object to be generated. | 0x1 |
AlertLog | String | Required. Identifies the log of the alert. | Backup |
AlertSource | String | Always Microsoft_SA_Resource. | Microsoft_SA_Resource |
AlertType | String | Optional. AlertType can have the following values: Information, Error, and Warning. If AlertType is not specified, the EventType is used as the AlertType. | Information |
ClearAlert | DWORD | Optional. Set to 1 to clear the alert specified by AlertID and AlertLog. Otherwise, omit or set to 0 to raise the alert. | 0 |
EventId | DWORD | Optional, subject to the following conditions: The registry key must contain values either in AbsoluteEventId, or in both EventID and EventType. If both AbsoluteEventID and EventID are specified, then AbsoluteEventID is used. EventID is the 16-bit identifier that appears in the Event Log viewer. If EventID is specified, the correct EventType of the event must also be specified. | 0x1f40 |
EventSource | String | Required. Name of the process generating the event, which is used to uniquely identify the event. | ntbackup |
EventType | String | Optional, subject to the following conditions: The registry key must contain values either in AbsoluteEventId, or in EventID and EventType. EventType specifies the type of the event and can be the following values: Information, Error, and Warning. | Information |
TimeToLive | DWORD | Optional. The time, in milliseconds, that the alert will be displayed. The alert will not clear automatically if TimeToLive is not set. | 0x0001e25f |
For example, the following registry entries raise an alert when the UPS driver detects that system power has failed. This example uses AbsoluteEventID to identify the event.
```
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\EventFilter\Events\UPSPowerFailed]
"EventSource"="UPS"
"AlertID"=dword:00000001
"AlertLog"="UPS"
"AlertType"="Warning"
"AbsoluteEventID"=dword:00000c9e
"AddEventStrings"=dword:00000001
"TimeToLive"=dword:0001e25f
```
When an event occurs and an alert has been raised, the alert can be cleared when another event happens. To do this, create another registry key for the same alert, that is, HKLM\Software\Microsoft\ServerAppliance\EventFilter\Events\UniqueID. This key specifies the event that should occur to clear the alert, and it has the ClearAlert value set to 1.
For example, the following registry entries raise and clear an alert when a restore operation begins and ends, respectively. This example uses EventID and EventType to identify the events.
```
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\EventFilter\Events\Restore]
"AlertID"=dword:00000001
"AlertLog"="Restore"
"AlertSource"="Microsoft_SA_Resource"
"AlertType"="Information"
"EventID"=dword:00001f42
"EventSource"="ntbackup"
"EventType"="Information"
"TimeToLive"=dword:0001e25f
"ClearAlert"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\EventFilter\Events\RestoreClear]
"AlertID"=dword:00000001
"AlertLog"="Restore"
"AlertSource"="Microsoft_SA_Resource"
"AlertType"="Information"
"EventID"=dword:00001f43
"EventSource"="ntbackup"
"EventType"="Information"
"TimeToLive"=dword:0001e25f
"ClearAlert"=dword:00000001
```
Note that the values in the two registry keys are identical except for the event identifiers and the value of ClearAlert.
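A lint for event definitions like the ones above, as an added example that is not part of the original page or the Server Appliance Kit: it parses .reg text, checks each key against the rules in the table, and flags alerts that have neither a TimeToLive nor a matching ClearAlert definition. The names `parse_reg`, `lint`, `ROOT` and `SAMPLE`, and the `DemoNoType` key, are hypothetical.

```python
import re
ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\EventFilter\Events"
# Constructed sample: the page's Restore pair without TimeToLive, plus a made-up DemoNoType key.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\EventFilter\Events\Restore]
"AlertID"=dword:00000001
"AlertLog"="Restore"
"EventID"=dword:00001f42
"EventSource"="ntbackup"
"EventType"="Information"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\EventFilter\Events\RestoreClear]
"AlertID"=dword:00000001
"AlertLog"="Restore"
"EventID"=dword:00001f43
"EventSource"="ntbackup"
"EventType"="Information"
"ClearAlert"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerAppliance\EventFilter\Events\DemoNoType]
"AlertID"=dword:00000002
"AlertLog"="Demo"
"EventID"=dword:00000010
"EventSource"="DemoSvc"
'''

def parse_reg(text):
    """Return {UniqueID: {value name: int or str}}; names are lower-cased (registry is case-insensitive)."""
    defs, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            parent, _, uid = line.strip("[]").rpartition("\\")
            cur = defs.setdefault(uid, {}) if parent.upper() == ROOT.upper() else None
        elif cur is not None and (m := re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)):
            cur[m[1].lower()] = int(m[2], 16) if m[2] else m[3]
    return defs

def lint(defs):
    """Return sorted (UniqueID, problem) pairs for definitions that break the table's rules."""
    key = lambda d: (d.get("alertid"), d.get("alertlog"))
    cleared = {key(d) for d in defs.values() if d.get("clearalert") == 1}
    problems = []
    for uid, d in defs.items():
        problems += [(uid, f"missing required value: {r}")
                     for r in ("alertid", "alertlog", "eventsource") if r not in d]
        if "absoluteeventid" not in d and not ("eventid" in d and "eventtype" in d):
            problems.append((uid, "needs AbsoluteEventID, or both EventID and EventType"))
        # Without TimeToLive an alert persists until a ClearAlert=1 definition for it fires.
        if d.get("clearalert") != 1 and "timetolive" not in d and key(d) not in cleared:
            problems.append((uid, "alert never clears: no TimeToLive, no ClearAlert definition"))
    return sorted(problems)
```

Running `lint(parse_reg(SAMPLE))` reports only the `DemoNoType` key; the Restore pair passes because the `RestoreClear` definition clears the same AlertID and AlertLog.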