

SCOM: Monitor a specific Windows Event


Applies to

This guide applies to System Center Operations Manager 2016, 1801, 1807, 2019

Introduction

SCOM is widely used monitoring software in both small and large enterprises. Many larger software companies create their own Management Packs for SCOM to make monitoring easier.

For any software that does not provide its own management pack, we have to create the monitoring objects in SCOM manually.

This step-by-step guide shows how to monitor a Windows event based on its event ID.

In this example, we have software called **Veritas Enterprise Vault** and we want to be alerted whenever a specific Windows event ID appears in the Veritas Enterprise Vault event log.

Problem description

The event log that we want to monitor is called Veritas Enterprise Vault.

https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic1.png

The Windows event that we want to raise an alert for has the event ID 7028 within the Veritas Enterprise Vault log.

https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic2.png

Solution

We will need:

  • A monitor.
  • A subscription.

Create a Monitor

    1. Open the Operations Manager console and head to the Authoring pane.

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/SCOM_authoring.png

    2. Select Monitors, then right-click Monitors and choose Unit Monitor.

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/SCOM_monitors.png

    3. Expand Windows Events, then expand **Simple Event Detection** and choose either Manual Reset or Timer Reset. In this guide I will go with Timer Reset.

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic4.png

      Manual Reset

      With manual reset, the monitor never returns to a healthy state automatically. The user must determine whether the problem was corrected and then select the monitor in the Health Explorer and select Reset Health.

      Timer Reset

      A timer reset acts the same as a manual reset except that if the user does not manually reset the monitor after a specified time, it will reset automatically.

      Windows Event Reset

      With event reset, the monitor is reset when a single occurrence of a specific event is detected. The event must be the same type as the event used for detecting the error condition.

    4. Select the destination management pack we want this monitor to be saved to and then press Next to continue.

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic3.png

    5. Assign a name to the new monitor (in my case "Partition rollover has occurred") and write a short description. Then select the monitor target. In my case the Veritas Enterprise Vault software is installed on Windows Server 2012 servers, so I will choose Windows Server 2012 Full Computer. Press Next to continue.

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic5.png

    6. In the following step, choose the **event log name** where our software writes its events. In my case it's Veritas Enterprise Vault's own event log, called "Enterprise Vault".

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic6.png

      If we cannot find the event log, we can click the radio button, type in the name of the server where the software is installed, and then look for the event log there.

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic7.png

    7. In the expression builder, provide the Event ID we want to monitor. I would also recommend providing the Event Source to make sure we match the right event. Press Next to continue.

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic8.png

    8. Now set the timer for when the alarm should be reset. Check whether this monitoring should follow any SLA, then press Next to continue.

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic9.png

    9. Next, set the health conditions for this alert. You can choose the severity for this alert. By default, when an event is raised the status is **Warning** (https://thesystemcenterblog.com/wp-content/uploads/2018/05/SCOM_Warning.png), otherwise the status is **Healthy** (https://thesystemcenterblog.com/wp-content/uploads/2018/05/SCOM_healthy.png). Click Next to continue.

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic10.png

    10. In the last step, activate alerting so that an alert is generated whenever the event is created: check the box for Generate Alerts for this Monitor, then finish by clicking Create.

      https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic11.png
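
Before filling in steps 6 and 7, it helps to confirm on the Enterprise Vault server which log name and event source actually carry event ID 7028, since the guide refers to the log both as "Veritas Enterprise Vault" and "Enterprise Vault". The following PowerShell is an added example, not part of the original guide; the `*Vault*` wildcard and the 30-day window are assumptions.

```powershell
# Added example: run on the server where Enterprise Vault is installed.
$eventId = 7028                       # event ID monitored in this guide
$since   = (Get-Date).AddDays(-30)    # assumption: look back 30 days

# 1. List the event logs the server registers that match the product name.
#    '*Vault*' is an assumed pattern; adjust it if nothing is returned.
$logs = Get-WinEvent -ListLog '*Vault*' -ErrorAction SilentlyContinue
if (-not $logs) {
    Write-Warning "No event log matching '*Vault*' found on $env:COMPUTERNAME"
    return
}
$logs | Select-Object LogName, IsEnabled, RecordCount | Format-Table -AutoSize

# 2. For each candidate log, show which sources wrote the event ID and when.
#    The source name is the value to enter as Event Source in step 7.
foreach ($log in $logs) {
    $filter = @{ LogName = $log.LogName; Id = $eventId; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host "[$($log.LogName)] no event $eventId since $since"
        continue
    }

    $events |
        Group-Object ProviderName |
        Select-Object @{ n = 'Log';    e = { $log.LogName } },
                      @{ n = 'Source'; e = { $_.Name } },
                      Count,
                      @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated -Descending |
                                               Select-Object -First 1).TimeCreated } } |
        Format-Table -AutoSize
}
```

If more than one source writes the same event ID, specifying the Event Source in the expression keeps the monitor from changing state on unrelated events.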

Create a Subscription

If we don't already have a subscription, we create one now. We can also create a separate subscription just for this alert.

  1. Open the Operations Manager console and head to the **Administration** pane.

    https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_Pic12.png

  2. Select Notifications, right-click Subscriptions and choose New subscription...

    https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic13.png

  3. Give the new subscription a name and a description, then press Next to continue.

    https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EVPic14.png

  4. In the Conditions, choose Created by Specific rules or Monitors. Then, in the Criteria description below, click specific. This opens a new window where we search for the monitor we created previously and Add it. Continue by pressing OK.

    https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic15.png

  5. Our criteria window should now look similar to the image below. Press Next to continue.

    https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic16.png

  6. Now we add who is going to receive these alerts. If we haven't created any recipients, click New...; if we already have the recipients, click Add....
    In my guide, I will add an e-mail recipient by clicking Add...

  7. A new window opens, where we can click Search to find all our available recipients and then select the ones we want.

    https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic17.png

  8. Our wizard should now look similar to the image below. Continue by clicking Next.

    https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic18.png

  9. In the next step, we choose which channel type we want to use for sending the alerts (E-mail / SMS / IM / Command).

  10. If we don't have any subscriber channels, we can create a new one by clicking New...; if we already have one, click **Add...**. In this guide, I will add one.

  11. Click Add... to add a subscriber channel. A new window opens, where we can click Search to find all our subscriber channels. Choose the subscriber channel we want, add it by clicking Add, and finish by clicking OK.

    https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic120.png

  12. Our wizard should now look similar to the image below. Click Next to continue.

    https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic19.png

  13. We should now see a summary of our subscription. If we want this subscription to be activated, leave the Enable this notification subscription checkbox checked. Finish by clicking Finish.

    https://thesystemcenterblog.com/wp-content/uploads/2018/05/Veritas_EV_pic122.png

You have now successfully created a monitor and a subscription!

Now, if an event with the event ID that you configured in the monitor appears in the Windows event log of a Windows Server that you are monitoring, your subscriber recipient(s) should receive an alarm notification.
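
To check the result without waiting for the next real event, the monitor, the subscription and any alerts raised so far can be inspected from the Operations Manager Shell. This is an added example, not part of the original guide; it uses cmdlets from the OperationsManager module, assumes the monitor name chosen in step 5, and assumes it runs where a management group connection is available (for example on a management server).

```powershell
# Added example: run in the Operations Manager Shell on a management server.
Import-Module OperationsManager

$monitorName = 'Partition rollover has occurred'   # monitor name used in this guide

# 1. The monitor exists, is enabled, and has alerting switched on
#    (the "Generate Alerts for this Monitor" box in step 10).
$monitor = Get-SCOMMonitor -DisplayName $monitorName | Select-Object -First 1
if (-not $monitor) {
    Write-Warning "Monitor '$monitorName' not found"
    return
}
$monitor | Select-Object DisplayName, Enabled,
    @{ n = 'GeneratesAlerts'; e = { $null -ne $_.AlertSettings } },
    @{ n = 'AlertSeverity';   e = { $_.AlertSettings.AlertSeverity } } |
    Format-List

# 2. Notification subscriptions whose criteria reference this monitor's ID.
$idPattern = [regex]::Escape($monitor.Id.ToString())
$subs = Get-SCOMNotificationSubscription |
    Where-Object { $_.Configuration.Criteria -match $idPattern }
if ($subs) {
    $subs | Select-Object DisplayName, Enabled | Format-Table -AutoSize
} else {
    Write-Warning "No notification subscription references '$monitorName'"
}

# 3. The ten most recent alerts this monitor has raised, newest first.
Get-SCOMAlert |
    Where-Object { $_.MonitoringRuleId -eq $monitor.Id } |
    Sort-Object TimeRaised -Descending |
    Select-Object -First 10 TimeRaised, MonitoringObjectDisplayName, Severity, ResolutionState |
    Format-Table -AutoSize
```

A monitor that shows `GeneratesAlerts` as False, or a subscription that shows `Enabled` as False, explains a missing notification even when the event is present in the log.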
