Condividi tramite


OpsMgr Event IDs Spreadsheet

I work in support (mostly with System Center Operations Manager, as you know), and I work with event logs every day. The following are typical situations:

  1. I get a colleague or a customer telling me “I am having a problem and the SCOM agent is showing 21037 events and 20002 events.  What’s wrong with it?”   
  2. I want to tune an OpsMgr environment and reduce load on the database by turning off a few event collections, as my friend Kevin Holman suggests here https://blogs.technet.com/kevinholman/archive/2009/11/25/tuning-tip-turning-off-some-over-collection-of-events.aspx .
  3. I am analyzing, sorting and grouping Events with Powershell like I have written on my blog lately https://www.muscetta.com/2009/12/16/opsmgr-eventlog-analysis-with-powershell/ but I can’t read those long descriptions properly.
  4. I exported an EVT from a customer environment and I load it on a machine that does not have OpsMgr message DLLs installed – all I see are EventIDs and type (Warning, Error) – but no real description – and I still want to figure out what those events are trying to tell me.

Getting to the point: I, like everyone – don’t have every OpsMgr event memorized.

This is why I thought of building this spreadsheet, and I hope it might come in handy to more people.

The spreadsheet contains an “AllEvents” list – and then the same events are broken down by event source as well:

clip_image002

When you want to search for an events (in one of the situations described above) just open up the spreadsheet, go to the “AllEvents” tab, hit CTRL+F (“Find”) and type in the Event ID you are searching for:

clip_image004

And this will take you to the row containing the event, so you can look up its description:

clip_image006

The description shows the event standard text (which is in the message DLL, therefore is the part you will not see if opening an EVT on another machine that does not have OpsMgr installed), and where the event parameters are (%1, %2, etc – which will be the strings you see in the EVT anyway).

That way you can get an understanding of what the original message would have looked like on the original machine.

This is just one possible usage pattern of this reference. It can also be useful to just read/study the events, learning about new ones you have never encountered, or remembering those you HAVE seen in the past but did not quite remember. And of course you can also find other creative ways to use it.

You can get it from here .

 

A few last words to give due credit: this spreadsheet has been compiled by using Eventlog Explorer (https://blogs.technet.com/momteam/archive/2008/04/02/eventlog-explorer.aspx ) to extract the event information out of the message DLLs on a OpsMgr2007 R2 installation. That info has been then copied and pasted in Excel in order to have an “offline” reference. Also I would like to thank Kevin Holman for pointing me to Eventlog Explorer first, and then for insisting I should not keep this spreadsheet in my drawer, as it could be useful to more people!

Comments

  • Anonymous
    July 13, 2010
    Good Work Daniele Muscetta..but the link(cid-aaf797a1484e6150.office.live.com/.../OpsMgr%5E_EventIDs.xlsx) seems to be not working. Please provide the correct link. Thanks in advance.

  • Anonymous
    September 05, 2010
    Not sure what is wrong... it works for me, and I have had feedback from other people that they could open it just fine. It is on SkyDrive, tho - which means you probably have to log in with a valid Passport/LiveID in order to view it.

  • Anonymous
    February 14, 2013
    Great doc to have. However there is no event for the following: 18930 Thanks for your help

  • Anonymous
    February 15, 2013
    Mayson - I compiled this list 3 years ago... I know it does not include several event sources, like the cross-platform ones. Also, new event ID's and sources have probably been added or could have changed with cumulative updates or add-ons, connectors and what not. Surely many of these are also different in OpsMgr 2012. I am not sure what event you are looking for: just an EventID without an EventSource/Publisher tells me very little, and I don't have access to 2007R2 systems anymore to go and dig more recent info out.... I would encourage you to use EventLog Explorer yourself - it's linked in the post.

  • Anonymous
    May 18, 2015
    Hi Daniel, The link tells me that the service is unavailable. can you send the excel spread sheet to me please. Donald.vantil@t-systems.co.za

  • Anonymous
    May 18, 2015
    It seems that onedrive has changed their URLs at some point. I updated the link, but beware this was composed in OM 2007, I never updated this for 2012 or newer...