Welcome to! My name is Anders Bengtsson and this is my blog about Azure infrastructure and system management. I am a senior engineer in the FastTrack for Azure team, part of Azure Engineering, at Microsoft. has two main purposes, first as a platform to share information with the community and the second as a notebook for myself.

Everything you read here is my own personal opinion and any code is provided "AS-IS" with no warranties.

Anders Bengtsson

MVP awarded 2007,2008,2009,2010

My Books
Service Manager Unleashed
Service Manager Unleashed
Orchestrator Unleashed
Orchestrator 2012 Unleashed
Inside the Microsoft Operations Management Suite

Collecting Events

I have received a number of questions lately regarding event collection. In this post I will show you how you can collect events and review them both in reports and in the console.

Start by creating a new rule, authoring/rules/create a rule/collection rule/NT event log. The collection rule will only collect, not generate any alerts. In my example I use Windows Server 2008 Computer as target. I will create the rule disable as default. Then override and enable it for a group including a couple of windows server 2008 computer objects.
When you have created the new rule you can create a new event view in the monitoring workspace. Remember to create the new view in the same MP as the collection rule is stored.

The next step is to create a report. You can use the generic Custom Event report to create a linked report showing all the events. Run the Custom Event report and select a couple of windows server 2008 computers as objects, filter the report for example in my example Event ID equals 666. Note that you have to check its checkbox for every report field you want to include. If you check any checkboxes you will get a empty report.

If you don’t like the default event report you can author a new in Visual Studio. You can read my guide about that here and use the following query when building the data set in Visual Studio

vEventPublisher.EventPublisherName as ‘EventSource’,
vEventLoggingComputer.ComputerName as ‘Computer’,
vEventLevel.EventLevelTitle as ‘Type’,
vEvent.EventDisplayNumber as ‘EventID’,
vEventDetail.RenderedDescription as ‘EventDescription’
vEventUserName ON vEvent.UserNameRowId =
vEventUserName.EventUserNameRowId LEFT OUTER JOIN
vEventCategory ON vEvent.EventCategoryRowId =
vEventCategory.EventCategoryRowId LEFT OUTER JOIN
vEventPublisher ON vEvent.EventPublisherRowId =
vEventPublisher.EventPublisherRowId LEFT OUTER JOIN
vEventLoggingComputer ON vEvent.LoggingComputerRowId =
vEventLoggingComputer.EventLoggingComputerRowId LEFT OUTER JOIN
vEventLevel ON vEvent.EventLevelId = vEventLevel.EventLevelId LEFT OUTER JOIN
vEventChannel ON vEvent.EventChannelRowId =
vEventChannel.EventChannelRowId LEFT OUTER JOIN
Event.vEventDetail ON vEvent.EventOriginId = vEventDetail.EventOriginId
WHERE vEventLevel.EventLevelTitle = ‘Error’
ORDER BY vEvent.DateTime, vEventLoggingComputer.ComputerName

To generate test events you can use eventcreate, which is built-in into Windows 2003 and 2008. For example run “Eventcreate /L Application /D “test” /T ERROR /ID 666” .To generate an event in the application log with event ID 666 and “test” as event description.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.