Is your MOM too sensitive?

Is your MOM too sensitive, sending you alerts at an early stage? As you presumably know, you can change thresholds and modify all rules to suit your environment better. I will show one way to do that in this post. In this example I will collect event ID 2 from the Application log, and when there have been two events with event ID 2 within one minute I will generate an alert.

Start by creating one rule to consolidate similar events with the following settings

  • Data Provider – Provider Name: Application
  • Data Provider – Provider type: Windows NT Event Log
  • Criteria – with event id 2
  • Schedule – Always process data
  • Consolidate – Choose Event Number and Source Name, and set that events must occur within 60 seconds
  • Knowledge Base: Input a suitable text
  • General: Input a suitable name and verify that the rule is enabled

Then create a second rule, which generates the alert, with the following settings

  • Data Provider – Provider Name: Application
  • Data Provider – Provider type: Windows NT Event Log
  • Criteria – event ID 2 and repeat count is at least 2 (Advanced criteria)
  • Schedule – Always process data
  • Alert – Check the box to generate alert
  • Alert Suppression – leave default settings
  • Responses – add suitable if needed
  • Knowledge Base: Input a suitable text
  • General: Input a suitable name and verify that the rule is enabled

That’s it. After two events with event ID 2 and the same source name you will get an alert.
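
To see which events this pair of rules would and would not alert on, here is a small Python model of the behaviour. It is an added example, not MOM code: the function names, the sample events and the assumption that the 60-second window is measured from the first event of each group are all hypothetical.

```python
from collections import namedtuple

# time is seconds since an arbitrary start; all names here are illustrative
Event = namedtuple("Event", "time event_id source")

EVENT_ID = 2      # Criteria: event ID 2
WINDOW = 60       # Consolidate: events must occur within 60 seconds
MIN_REPEAT = 2    # Advanced criteria: repeat count is at least 2


def consolidate(events, event_id=EVENT_ID, window=WINDOW):
    """Model of the consolidation rule: merge events that share event
    number and source name and fall inside one window (assumed to start
    at the first event of the group)."""
    open_groups, closed = {}, []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id != event_id:
            continue  # does not match the rule criteria
        key = (ev.event_id, ev.source)
        grp = open_groups.get(key)
        if grp and ev.time - grp["first"] <= window:
            grp["repeat_count"] += 1
            grp["last"] = ev.time
        else:
            if grp:
                closed.append(grp)  # window expired, start a new group
            open_groups[key] = {"event_id": ev.event_id, "source": ev.source,
                                "first": ev.time, "last": ev.time,
                                "repeat_count": 1}
    closed.extend(open_groups.values())
    return sorted(closed, key=lambda g: g["first"])


def alerts(consolidated, min_repeat=MIN_REPEAT):
    """Model of the alert rule: fire only at or above the repeat count."""
    return [g for g in consolidated if g["repeat_count"] >= min_repeat]


# Constructed sample events, not taken from a real Application log
SAMPLE = [
    Event(0, 2, "AppA"), Event(30, 2, "AppA"),   # 30 s apart: alert
    Event(10, 2, "AppB"), Event(100, 2, "AppB"),  # 90 s apart: no alert
    Event(20, 7, "AppA"),                         # other event ID: ignored
    Event(200, 2, "AppA"),                        # single event: no alert
]

if __name__ == "__main__":
    for a in alerts(consolidate(SAMPLE)):
        print("ALERT", a["source"], "repeat count", a["repeat_count"])
```

Raising `MIN_REPEAT` or shortening `WINDOW` in the model shows the effect of making the rule less sensitive before you change it in the console.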
