In this post I will show how to\u00c2\u00a0create a monitor that check for one event and if there is not another event within a specified timeframe minute from the first event, the monitor will generate an alert. I will reset the monitor with time, 3 minutes, but you can choose to reset the monitor with for example a third log event.<\/p>\n
1. Start the console
\n2. Go to Authoring, expand management pack objects and click Monitors
\n3. Click Scope and\u00c2\u00a0select Windows Computer,\u00c2\u00a0click OK
\n4. Expand Windows Computers, expand Entity Health, right-click Availability and choose to create a new unit monitor
\n5. Create a unit monitor – Monitor Type: Choose Windows Events\/Correlated Missing Event Detection\/Timer Reset, click Next
\n6. Create a unit monitor – General: Input a name and a description, click Next
\n7. Create a unit monitor – Missing Event Log Name A: Input the event log name of the first event, click Next
\n8. Create a unit monitor – Build Missing Event Log Expression for A: Input event ID and event source, in my example it will be event id 1000 and event source EventCreate. Click Next
\n9. Create a unit monitor -\u00c2\u00a0Missing Event Log Name\u00c2\u00a0B: Input the event log name of the second event, click Next
\n10. Create a unit monitor – Build Missing Event Log Expression for B: Input event ID and event source, in my example it will be event id 2000 and event source EventCreate. Click Next
\n11. Create a unit monitor – Configure Correlation:
\nCorrelation interval: 1 Minutes
\nCorrelation Details: The last occurrence of A with the configured occurrence of B in chronological order
\nClick Next
\n12. Create a unit monitor – Auto Reset Timer: In my example I will specify 3 minutes, click Next
\n13. Create a unit monitor – Configure Health: Click Next
\n14. Create a unit monitor – Configure Alerts: Check “Generate alerts for this monitor” and then click Create<\/p>\n
If I only get a event ID 2000 and no event ID 1000 there will be a alert. If I get event ID 2000 and event ID 1000 within 1 minute there will be no alert. You can change the correlation configuration in any way you want, for example in which order the events must be generated.<\/p>\n","protected":false},"excerpt":{"rendered":"
In this post I will show how to\u00c2\u00a0create a monitor that check for one event and if there is not another event within a specified timeframe minute from the first event, the monitor will generate an alert. I will reset the monitor with time, 3 minutes, but you can choose to reset the monitor with … Continue reading