Welcome to contoso.se! My name is Anders Bengtsson and this is my blog about Azure infrastructure and system management. I am a senior engineer in the FastTrack for Azure team, part of Azure Engineering, at Microsoft.  Contoso.se has two main purposes, first as a platform to share information with the community and the second as a notebook for myself.

Everything you read here is my own personal opinion and any code is provided "AS-IS" with no warranties.


How to Create a Correlated Windows Event Unit Monitor

In this post I will show how to create a monitor that checks for one event and, if a second event does not occur within a specified number of minutes after the first, generates an alert. I will reset the monitor on a timer, 3 minutes, but you can choose to reset it with, for example, a third log event instead.

1. Start the console
2. Go to Authoring, expand management pack objects and click Monitors
3. Click Scope and select Windows Computer, click OK
4. Expand Windows Computers, expand Entity Health, right-click Availability and choose to create a new unit monitor
5. Create a unit monitor – Monitor Type: Choose Windows Events/Correlated Missing Event Detection/Timer Reset, click Next
6. Create a unit monitor – General: Input a name and a description, click Next
7. Create a unit monitor – Missing Event Log Name A: Input the event log name of the first event, click Next
8. Create a unit monitor – Build Missing Event Log Expression for A: Input the event ID and event source; in my example it will be event ID 1000 and event source EventCreate. Click Next
9. Create a unit monitor – Missing Event Log Name B: Input the event log name of the second event, click Next
10. Create a unit monitor – Build Missing Event Log Expression for B: Input the event ID and event source; in my example it will be event ID 2000 and event source EventCreate. Click Next
11. Create a unit monitor – Configure Correlation:
Correlation interval: 1 Minutes
Correlation Details: The last occurrence of A with the configured occurrence of B in chronological order
Click Next
12. Create a unit monitor – Auto Reset Timer: In my example I will specify 3 minutes, click Next
13. Create a unit monitor – Configure Health: Click Next
14. Create a unit monitor – Configure Alerts: Check “Generate alerts for this monitor” and then click Create

If I only get an event ID 2000 and no event ID 1000, there will be an alert. If I get event ID 2000 and event ID 1000 within 1 minute, there will be no alert. You can change the correlation configuration in any way you want, for example the order in which the events must be generated.
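To exercise the monitor once it is created, here is an added PowerShell test script (my own addition, not part of the post above) that writes event A (1000) and/or event B (2000) from source EventCreate, so you can watch the monitor change state in Health Explorer for each scenario. It assumes the events go to the Application log (the post does not name the log) and that the "EventCreate" source is registered there, which the eventcreate.exe tool does on first use.

```powershell
# Added test script for the correlated missing event monitor (not from the original post).
# Assumptions: the monitor watches the Application log, and the source "EventCreate"
# is (or can be) registered in that log. Run from an elevated prompt on the monitored computer.
param(
    [ValidateSet('OnlyA', 'OnlyB', 'AthenB', 'BthenA')]
    [string]$Scenario = 'AthenB',
    [string]$LogName = 'Application',   # assumed log name; the post does not state it
    [string]$Source  = 'EventCreate',
    [int]$EventA     = 1000,            # event A from the post
    [int]$EventB     = 2000,            # event B from the post
    [int]$GapSeconds = 10               # well inside the 1-minute correlation interval
)

# Register the source if it does not exist yet (needs administrator rights).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# Write one test event and echo what was written, with a timestamp for later comparison.
function Write-TestEvent([int]$Id, [string]$Label) {
    Write-EventLog -LogName $LogName -Source $Source -EventId $Id -EntryType Information `
        -Message "Correlated monitor test: event $Label ($Id) written at $(Get-Date -Format o)"
    Write-Host "Wrote event $Id ($Label) to the $LogName log at $(Get-Date -Format T)"
}

# Each scenario matches one of the cases discussed in the post:
#   OnlyA / OnlyB  - only one of the two events appears
#   AthenB / BthenA - both events appear within the correlation interval, in either order
switch ($Scenario) {
    'OnlyA'  { Write-TestEvent $EventA 'A' }
    'OnlyB'  { Write-TestEvent $EventB 'B' }
    'AthenB' { Write-TestEvent $EventA 'A'; Start-Sleep -Seconds $GapSeconds; Write-TestEvent $EventB 'B' }
    'BthenA' { Write-TestEvent $EventB 'B'; Start-Sleep -Seconds $GapSeconds; Write-TestEvent $EventA 'A' }
}

Write-Host "Scenario '$Scenario' done. Check Health Explorer for this computer; the monitor auto-resets after the 3-minute timer."
```

Run one scenario at a time (for example `.\Test-CorrelatedMonitor.ps1 -Scenario OnlyB`) and let the 3-minute auto-reset timer expire before starting the next one, so each result is attributable to a single scenario.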