

OpsMgr 2007: Parameters Explained

Some time ago I showed how you can use PowerShell to create Events for OpsMgr 2007. Judging by the comments, quite a few people have questions about Event parameters. After creating the first version of the PowerShell Create Events for OpsMgr 2007 script, Ken added some functionality; one addition was changing the prompt so that it asks not only for an EventLog Description but also for an EventLog Parameter.

I found some info on MOM 2005 parameters on Rory McCaw’s weblog, but apart from that article I could not find much info on Event Log parameters. So hopefully this will explain what parameters are and how they can be used in OpsMgr 2007.

EventLog Parameters in the Events

Every Windows event has description text that is filled in by the values of different parameters. You can find the Eventlog parameters of an event by using the Log Parser. (if you know an easier way on Windows 2003 Servers let me know). Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.

Example of EventLog Parameters in an Eventlog:

C:\Program Files\Log Parser 2.2>LogParser.exe "SELECT TOP 1 Strings AS Parameters FROM Application WHERE EventID=301"

Result: [screenshot of the Log Parser output, showing the Strings field with the four pipe-separated parameters]

So in this example you can use four parameters in your OpsMgr Rules or Monitor.

Event Parameters in OpsMgr 2007

Eventlog Parameters can be used in OpsMgr Rules and Monitors. An example where EventLog Parameters are used is the Windows Activation State Monitor in the Windows Server 2003 MP. This is a 3 State Event Log Monitor: it looks for EventLog Parameters, and the values found in the Eventlog determine the state of the monitor.

Healthy:    Look for EventId 1006 in Application Log of Source Windows Product Activation
Warning: Look for EventId 1005 in Application Log of Source Windows Product Activation and Params/Param[1] > 6 =< 15
Critical:   Look for EventId 1005 in Application Log of Source Windows Product Activation and Params/Param[1] =< 6


You can use the PowerShell Create Events script from Ken to test your monitors or rules with one EventLog parameter. So it won’t work if you need to test a Rule or Monitor which uses more than one parameter in the Eventlog.

So if you want to test the Windows Activation State Monitor and want to change its state to Critical, you need to create an Event with the following values:

EventID 1005
Source Windows Product Activation
Type Error
Description Your Windows product has not been activated with Microsoft yet. Please use the Product Activation Wizard within <number> days.
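As an added example (not Ken's script and not part of the original post), the following PowerShell writes a test event carrying any number of EventLog parameters, reads the parameters back the way Log Parser's Strings field shows them, and applies the thresholds of the Windows Activation State Monitor described above. It assumes Windows PowerShell with Get-EventLog, run as an administrator; the Source, EventID and Type default to the values listed above, and writing to a source that does not exist yet registers it under the Application log.

```powershell
# Added example, not the original script. Writes a test event with several
# EventLog parameters and evaluates the monitor thresholds from the post.
# Assumes Windows PowerShell (Get-EventLog) and administrator rights.

function Write-ParamTestEvent {
    param(
        [string]$Source  = 'Windows Product Activation',   # value from the post
        [int]   $EventId = 1005,
        [System.Diagnostics.EventLogEntryType]$Type = 'Error',
        [string[]]$Params = @('3')                          # Param[1] = 3 days -> Critical
    )
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        [System.Diagnostics.EventLog]::CreateEventSource($Source, 'Application')
    }
    $log = New-Object System.Diagnostics.EventLog('Application')
    $log.Source = $Source
    # EventInstance(instanceId, categoryId, entryType). Every element of $Params
    # becomes one replacement string, i.e. one Params/Param[n] in OpsMgr.
    # Without a registered message file Windows synthesizes the description text,
    # but the parameters themselves are stored exactly as given.
    $instance = New-Object System.Diagnostics.EventInstance($EventId, 0, $Type)
    $log.WriteEvent($instance, [object[]]$Params)
}

function Get-EventParams {
    param([string]$Source, [int]$EventId)
    # ReplacementStrings holds the same values Log Parser shows in its Strings field.
    $e = Get-EventLog -LogName Application -Source $Source -Newest 20 |
         Where-Object { $_.EventID -eq $EventId } | Select-Object -First 1
    if ($e) { return ,$e.ReplacementStrings }
}

function Get-ActivationMonitorState {
    # Thresholds of the Windows Server 2003 MP monitor described in the post.
    # OpsMgr's Params/Param[1] is 1-based, so it is $Params[0] here.
    param([int]$EventId, [string[]]$Params)
    if ($EventId -eq 1006) { return 'Healthy' }
    if ($EventId -ne 1005 -or $Params.Count -lt 1) { return 'NoMatch' }
    $days = [int]$Params[0]
    if ($days -le 6)      { 'Critical' }   # Param[1] =< 6
    elseif ($days -le 15) { 'Warning'  }   # Param[1] > 6 and =< 15
    else                  { 'NoMatch'  }
}

Write-ParamTestEvent -Params @('3')
$p = Get-EventParams -Source 'Windows Product Activation' -EventId 1005
"Param[1]={0} -> {1}" -f $p[0], (Get-ActivationMonitorState -EventId 1005 -Params $p)
```

Pass a different array to -Params (for example @('10')) to exercise the Warning threshold, or several elements to test a rule that reads more than one parameter.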

More info about this event can be found on EventID.Net


Comments

  • Anonymous
    January 01, 2003
    When we write rules and monitors to look at events in the event log.... typically the most common criteria

  • Anonymous
    January 01, 2003
    Hi Michael, I'm not the logparser developer but I'm guessing you are right ;-) There are some empty eventlog parameters in your example. Regards, Stefan

  • Anonymous
    January 01, 2003
    Hi Stefan, nice blog. Tks a lot. Do these parameters work fine for consolidations and alert suppression too? I'm converting rules from MOM to SCOM that have lots of suppression and my concern is about the Domain parameter in MOM, which is not available in SCOM. Should be parameter4 for security events, but I wonder if I have to test for each event and if the location of the Domain parameter is going to change from one event to another. Thank you, Jose Fehse

  • Anonymous
    January 01, 2003
    If you want to use Logparser in Windows 2008 there is a workaround. You could enter the path to the physical location of the eventlog files. Example:
    logparser.exe -i:EVT "Select Count(*) from c:\windows\system32\winevt\logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx"
    But there is a problem with 64-bit OSes. These use the 'File System Redirector for WOW64' feature. But there is also a solution for this:
    logparser.exe -i:EVT "Select Count(*) from c:\windows\sysnative\winevt\logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx"
    More info on SysNative: http://msdn.microsoft.com/en-us/library/aa384187(VS.85).aspx

  • Anonymous
    September 24, 2010
    Hi Stefan, cool blog, I am already using it a lot. I have a question though, regarding the following string (this is event 8957 from Application on a SQL server): |CHECKDB|StoreDataCleansing||||domain\username|0|1|2|3|...... CHECKDB is param1, StoreDataCleansing is 2, but are the next ones parameters even though there is no data between the pipes? Thanks a lot!

  • Anonymous
    July 27, 2015
    Hi Stefan,

    Can I use an EventDescription filter in a Condition Detection module? In this approach the first filter would be applied in the DataSource module for event ID & level, and if this passes, the module moves to the next Condition Detection module, which would then filter the event description with a regular expression.

    Could you please advise on this approach?