Partager via

Managing Event Alerts in Your Reports - An SBS Monitoring Feature Enhancement

  • Article

[Today's post comes to us courtesy of Damian Leibaschoff and Justin Crosby from Commercial Technical Support]

One of the most requested features for the SBS Monitoring component of Windows SBS 2008 and Windows SBS 2011 Standard is the ability to control and filter unwanted errors from the event logs section of the reports.

There are a number of known events that can be safely ignored. Also depending on the particular environment you might have your own list of events you want to ignore. You cannot accomplish this with the built-in, out-of-box, functionality.

This, as-is solution, was built by engineers from the SBS support team and is aimed at improving the functionality and effectiveness of the SBS Monitoring reports.

The relevant portion of a detailed report from SBS 2011 standard before installing the new functionality:

clip_image002

The same report with the feature installed using the default exclusions:

clip_image004

Notice how the critical event count went from 12 to 5, and unimportant DCOM and WinRM events have been hidden.

How it works

This solution configures a database table with a number of source:event combinations (known as exclusions) that need not be collected from the event logs, for example: DCOM 10016. Upon installing the solution a default set of exclusions are added depending on the version of SBS and the existing instances that have already been collected are removed. The same is true when a new exclusion is added manually, existing source:events instances will be deleted.

Upon removing an exclusion or uninstalling the solution, the process of collecting all events will resume and only after the event is experienced again it will then be collected and will appear on the report.

Installation and Usage

  1. Download and extract the SBSAlertsCleanup package which is hosted on the SBS Support Team’s SkyDrive.
  2. Open the location of the extracted files and then the properties of SBSAlertsCleanup.ps1 file .
  3. Unblock the file if the option is shown. Note: you do not need to do this to the .sql files.
  4. Launch an elevated PowerShell prompt.
  5. From PowerShell, browse to the folder where you extracted the files.
  6. From PowerShell, run:
    .\SBSAlertsCleanup.ps1 –Action install [enter]

You will see “Changed database context to ‘SBSMonitoring’

Listing current Exclusions

.\SBSAlertsCleanup.ps1 –Action ListExclusions

ID Event Source
-- ----- ------
1 129 WinRM
2 142 WinRM
3 4107 Microsoft-Windows-CAPI2
4 10016 DCOM
5 10009 DCOM
6 5586 SharePoint Foundation
7 6772 SharePoint Foundation
8 6398 SharePoint Foundation
9 8 MSExchange CmdletLogs
10 6 MSExchange CmdletLogs

Removing an Exclusion

This is a 2 part process, first you have to list the current exclusions, and then we can pick which one to remove.

.\SBSAlertsCleanup.ps1 –Action ListExclusions

ID Event Source
-- ----- ------
1 129 WinRM
2 142 WinRM
3 4107 Microsoft-Windows-CAPI2
4 10016 DCOM
5 10009 DCOM
6 5586 SharePoint Foundation
7 6772 SharePoint Foundation
8 6398 SharePoint Foundation
9 8 MSExchange CmdletLogs
10 6 MSExchange CmdletLogs

.\SBSAlertsCleanup.ps1 –Action RemoveExclusion –ID 1
Removing Exclusion for Source: WinRM, EventID: 129

To confirm:

.\SBSAlertsCleanup.ps1 –Action ListExclusions

ID Event Source
-- ----- ------
2 142 WinRM
3 4107 Microsoft-Windows-CAPI2
4 10016 DCOM
5 10009 DCOM
6 5586 SharePoint Foundation
7 6772 SharePoint Foundation
8 6398 SharePoint Foundation
9 8 MSExchange CmdletLogs
10 6 MSExchange CmdletLogs

Adding an Exclusion

This is a 2 part process, first you have to list the available instances of events that have already been collected, and then we can pick which one to exclude.

.\SBSAlertsCleanup.ps1 –Action ListEvents

ID Event Source
-- ----- ------
346141 11 Disk
349778 13 Server Infrastructure Licensing
349779 14 Server Infrastructure Licensing
349781 15 Server Infrastructure Licensing
349552 25 WindowsUpdateClient
349832 54 MSExchange OWA
349827 135 WinRM
349795 502 Windows Small Business Server 2011 Standard
349809 1000 Application Error
343153 1016 DhcpServer
342822 2002 ESENT
348341 2007 ESE
342823 2007 ESENT

Let’s say that the administrator was been receiving several events for WindowsUpdateClient 25 on a regular basis. The admin has investigated this event and determined that it is not cause for concern on their network and they would no longer like to be notified about this event. The admin can do the following to exclude this event from the report:

.\SBSAlertsCleanup.ps1 –Action AddExclusion –ID 349552

Adding Exclusion for Source: WindowsUpdateClient, EventID: 25

To confirm:

.\SBSAlertsCleanup.ps1 –Action ListExclusions

ID Event Source
-- ----- ------
2 142 WinRM
3 4107 Microsoft-Windows-CAPI2
4 10016 DCOM
5 10009 DCOM
6 5586 SharePoint Foundation
7 6772 SharePoint Foundation
8 6398 SharePoint Foundation
9 8 MSExchange CmdletLogs
10 6 MSExchange CmdletLogs
11 25 WindowsUpdateClient

Uninstalling

Upon removing an exclusion or uninstalling the product, the process of collecting all events will resume and only after the event is experienced again it will then be collected and will appear on the report.

.\SBSAlertsCleanup.ps1 –Action Uninstall

Default set of exclusions

We install a set of common exclusions for known events that are generally considered as ignorable. This may not be the case for each and every server so you might have to tweak the list of exclusions, removing and adding as needed as to make your reports show relevant errors that could be of interest for someone administering the health of the server.

SBS 2008

  • 10016 DCOM
  • 10009 DCOM

SBS 2011 Standard

  • 129 WinRM
  • 142 WinRM
  • 4107 Microsoft-Windows-CAPI2
  • 10016 DCOM
  • 10009 DCOM
  • 5586 SharePoint Foundation
  • 6772 SharePoint Foundation
  • 6398 SharePoint Foundation
  • 8 MSExchange CmdletLogs
  • 6 MSExchange CmdletLogs

Hopefully, this simple enhancement can help you regain control of the reports and fine tune them to your needs.

Comments

  • Anonymous
    January 01, 2003
    Thanks!  All set now, files were all in the same folder but I had to change to that folder before running the command, it didn't like my syntax of the command when I ran it as c:tempSBSAlertsCleanup.ps1 –Action install Worked much better when sticking to the orginal directions, my bad.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    I just shouted Hallelujah! Finally! This will save us dozens of hours explaining customers why they should ignore "severe" errors! Many, many thanks!

  • Anonymous
    January 01, 2003
    Hi Henri C, If you are seeing the event in the server event logs section of your SBS reports, then it should show when you run .SBSAlertsCleanup.ps1 –Action ListEvents If the event hasn't happened in the last 30 days (90 in RTM SBS 2008)  then it might not be in the DB and cannot be excluded until it happens again and gets recorded.

  • Anonymous
    January 01, 2003
    Ok, seems quite helpful.  However, we are recording errors that we want to exclude but the LIST command does not list them, so we don;t know what ID to use to exclude them.  Am I missing anything? Henri

  • Anonymous
    January 01, 2003
    Hi Rich, The default list of exclusions we are using and are document in the post, are based on support.microsoft.com/.../2483007 and general product experience. If you are looking for community feedback as to which exclusions to set and why, you may have better luck taking your question to the SBS Forums social.technet.microsoft.com/.../threads

  • Anonymous
    January 01, 2003
    @MrFaize: It is only being removed from the reports. The SBS Console will try to query any machines in Active Directory in either the Domain Controllers, SBSComputers or SBSServers, so make sure it is not on one of the OUs. However, the SBSMonitoring service will try to query any machine no matter where they are in AD every 30 minutes. We are evaluating if there any options we can implement to provide such exclude funtionality.

  • Anonymous
    January 01, 2003
    Active IT Design, you need to make sure that all the files in the package are extracted to the same folder. On your install it is not finding the .SQL files that are part of the package.

  • Anonymous
    January 01, 2003
    Jared R., The existing alerts should be pruned and new ones skipped, so they should not be showing in your daily report (as a count) or the weekly report as shown in the example in the post. If you are seeing events that match the source:event id in your new reports, then the script either didn't make the needed changes or the report is showing stale data. You could try uninstalling this feature and reinstalling, or even performing the steps in blogs.technet.com/.../how-to-recreate-the-sbsmonitoring-database.aspx to start with a brand new Monitoring DB (you will lose your old reports).

  • Anonymous
    January 16, 2012
    Awesome bit! Thanks for that. :)

  • Anonymous
    January 16, 2012
    Thanks for the great work!!! Finally I can show clients "true" reports without bogus errors causing them unnecessary alarm

  • Anonymous
    January 16, 2012
    Fantastic!!! Thanks for the work, looking forward to the clean system reports. Cheers

  • Anonymous
    January 16, 2012
    This is going to be a HUGE help in clearing up the reports that get sent to our customers running SBS. This will significantly help cut down on the number of calls and e/mails from customers saying "hey, I see these errors in the reports, what's wrong on the server and can you fix it?" Trying to explain to customers that some of these errors are "normal" and "don't mean anything" does not go over well. This will save oodles of time. Please be sure this gets included in the next UR for the current SBS products and is included by default in v.next...

  • Anonymous
    January 17, 2012
    Fantastic - Several clients and I have been waiting for something like this, it's been causing 'confidence' issues in Small Business Server as a 'simple to manage' solution for more than 3 years. Congratulations to the team who finally put their mind to this ongoing issue. Now I no longer need to respond to 'benign' issues.

  • Anonymous
    January 17, 2012
    This update finally completes SBS, congrats on releasing this.

  • Anonymous
    January 18, 2012
    OK, now the 64k question.... WHICH alerts are you actually EXCLUDING and WHY?

  • Anonymous
    January 20, 2012
    Duh! I am not religious, but I have to shout Hallelujah!!! These error are killing me!

  • Anonymous
    January 20, 2012
    nice workaround! and a job well done and very appreciated, one of my students gave me the link and i must admit it is quite a good one (thanks RP). i'm going to test it right away on my SBS2011, and hopefully pass the link around to all new sessions about SBS in the near future :) best regards from Aix-en-Provence, France. Pierre.

  • Anonymous
    January 22, 2012
    Thanks for this, SBS Team!. Perhaps someone in the community will do a GUI version :-).

  • Les.