How to author an Alerting Event rule, correlating on a missing event

Comments

  • Anonymous
    September 25, 2015
    Good article Kevin!! A new learning for us.
  • Anonymous
    September 26, 2015
    Very very helpful post. Thanks for the information.

    Can we define "healthy" and "bad" based on the contents of the text included in the log event?
  • Anonymous
    November 18, 2015
    Hi Kevin,

    I want to monitor a back-up application on missing events.

    I create alert rules for these events: (this works fine)

    Event ID 5000 - Successful Backup event
    Event ID 5002 - Failed Backup event
    Event ID 5003 - Successful Restore event
    Event ID 5004 - Failed Restore event
    Event ID 5005 - Successful Offsite Copy event
    Event ID 5007 - Failed Offsite Copy event

    When the back-up timed out there is no event.
    I want to get an alert when there is no Event.

    All the events are created on one Hyper-V server.

    Like this:

    Guest VM Name: SVR-FILE01 Backup Result: Successful Backup - Backed 3.91 GB (compressed to 1.47 GB). (Duration: 4h 45m) Backup operation started at: Yesterday at 20:58

    I try to create a missing event monitor. But there are more events with the same Id in the back-up window.
    Only when I configure one server it works fine.

    Here is an example from the monitor with multiple servers in it.

    ( ( ( Event ID Equals 5000 ) AND ( EventDescription Contains Guest VM Name: SVR-APP06 ) ) AND ( ( Event ID Equals 5000 ) AND ( EventDescription Contains Guest VM Name: SVR-APP07 ) ) AND ( Event ID Equals 5000 ) AND ( EventDescription Contains Guest VM Name: SVR-APP03 ) )

    Do you have a solution for how SCOM can create an alert from a missing event in our backup window?

    Greetings

    Iwan
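
The per-VM absence check asked about in the last comment, as an added example that is not part of the original thread: plain Python that models the logic, not SCOM rule configuration. The sample events, the VM inventory, the backup window and the choice to count a failed backup (5002) as "reported" are all assumptions made for the illustration.

```python
import re
from datetime import datetime

# Constructed sample events: (time written, event ID, description). The
# description format follows the one quoted in the comment above.
EVENTS = [
    (datetime(2015, 11, 17, 21, 40), 5000,
     "Guest VM Name: SVR-APP06 Backup Result: Successful Backup"),
    (datetime(2015, 11, 17, 23, 5), 5002,
     "Guest VM Name: SVR-APP07 Backup Result: Failed Backup"),
    # Previous night's run for SVR-APP03; nothing was logged for it tonight.
    (datetime(2015, 11, 16, 22, 0), 5000,
     "Guest VM Name: SVR-APP03 Backup Result: Successful Backup"),
]
EXPECTED_VMS = ["SVR-APP03", "SVR-APP06", "SVR-APP07"]   # assumed inventory
WINDOW = (datetime(2015, 11, 17, 20, 0), datetime(2015, 11, 18, 6, 0))  # assumed

# Capture the whole VM name so "SVR-APP0" can never match "SVR-APP06".
VM_RE = re.compile(r"Guest VM Name:\s*(\S+)")


def combined_filter_matches(event_id, description):
    """The AND-of-every-VM expression from the comment, tested on ONE event."""
    return event_id == 5000 and all(
        f"Guest VM Name: {vm}" in description for vm in EXPECTED_VMS)


def missing_backups(events, expected_vms, window, result_ids=(5000, 5002)):
    """Return the VMs with no backup result event inside the window.

    Assumption: a failed backup (5002) still counts as "the job reported",
    because it already raises its own alert; pass result_ids=(5000,) to
    require a success instead.
    """
    start, end = window
    seen = set()
    for when, event_id, description in events:
        if event_id in result_ids and start <= when < end:
            match = VM_RE.search(description)
            if match:
                seen.add(match.group(1))
    return sorted(set(expected_vms) - seen)


if __name__ == "__main__":
    print(any(combined_filter_matches(i, d) for _, i, d in EVENTS))
    print(missing_backups(EVENTS, EXPECTED_VMS, WINDOW))
```

Each event names exactly one guest VM, so a single expression that ANDs every VM name can never match any event; tracking which expected VMs were seen in the window and reporting the remainder gives one result per silent VM.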