Last week I received a e-mail around tracking logon and logoff activities Service Manager with Operations Manager. It can be solved with a event collection rule and the default custom event report.
- In Operations Manager console, navigate to the Authoring work space and Rules
- Create a new rule of type Collection Rules/Event Based/NT Event Log
- Select a suitable management pack or create a new management pack, Next
- Input a rule name, for example Contoso – Service Manager – Logon and Logoff
- Select a rule target. If you have the Service Manager management pack imported you can use the SCSM 2012 Management Server class as target. Logon and Logoff events will be generated on your Service Manager management servers. Next
- Event Log Type, select or input Operations Manager, Next
- Build Event Expression like in the figure below, then save the new rule. In the example I exclude all events about my service accounts, all service accounts starts with svc. Event ID 26328 is logon and event id 26329 is logoff.
Once the rule is created and deployed to your Service Manager management servers they will start report back events as soon as someone logon or logoff Service Manager. You can create a event view in the same management pack and configure the event view to show events generated by your new rule.
To show this data in a report you can use the default Reporting, Microsoft Generic Report Library, Custom Event report. The following figure show configuration of the Custom Event report
and the result of the report
If you want to look at the events in the Operations Manager data warehouse database you can use the following SQL query
select * from Event.vEvent ev
inner join Event.vEventDetail evd on ev.eventoriginid = evd.eventoriginid
inner join Event.vEventParameter evp on ev.eventoriginid = evp.eventoriginid
where eventdisplaynumber = ‘26329’ OR eventdisplaynumber = ‘26328’
If you want to build your own report you can use SQL Report Builder. I have a example of that here.