
Category Archives: System Center Operations Manager 2007

Contoso.se

Welcome to contoso.se! My name is Anders Bengtsson and this is my blog about Azure infrastructure and system management. I am a senior engineer in the FastTrack for Azure team, part of Azure Engineering, at Microsoft.  Contoso.se has two main purposes, first as a platform to share information with the community and the second as a notebook for myself.

Everything you read here is my own personal opinion and any code is provided "AS-IS" with no warranties.


Check last successful full backup of Exchange 2007

I found a nice script from Scott that reports on the last successful full backup of Exchange 2007. If you want to do that from Operations Manager 2007 you could modify the PowerShell script a bit. The PowerShell script below checks when the last full backup was made; it also checks for the presence of storage groups and of databases within them. You could store the script on your Exchange mailbox servers, for example as C:\temp\LastBackupReport.ps1, and then call it from a monitor with a VBScript.

$iNomHours = 1          # Number of hours since the last full backup before a database needs attention
$sCheckMark = "[OK]"    # Marker for databases with a recent backup (an image in the original HTML report)

# Load the Exchange 2007 snap-in if it is not already loaded
if (-not (Get-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue))
{
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
}

function BackupStatus
{
    param($db)
    $sBackupRunning = ""
    $sCMStatus = $sCheckMark
    # Note if a backup is currently running
    if ($db.BackupInProgress -eq $true)
    {
        $sBackupRunning = "(Backup In Progress)"
    }
    # Determine if a full backup has ever completed
    if ($db.LastFullBackup -ne $null)
    {
        $sBackupDay = $db.LastFullBackup.DayOfWeek
        $sBackupDateTime = $db.LastFullBackup.ToString("g")
        $sLastBackup = "Last Backup Started: " + $sBackupDay + ", " + $sBackupDateTime
        # Flag if the last completed backup started more than $iNomHours hours ago
        if (($date - $db.LastFullBackup).TotalHours -gt $iNomHours)
        {
            $sCMStatus = ""
            $script:bAlert = $true
        }
    }
    else
    {
        $sLastBackup = "No full backup has completed yet"
        $sCMStatus = ""
        $script:bAlert = $true
    }
    $script:sOutput += $sSpace + $sSpace + $db.Name + " " + $sLastBackup + " " + $sCMStatus + " " + $sBackupRunning
}

$date = Get-Date
$sSpace = " "
$bAlert = $false
$sOutput = "A missing " + $sCheckMark + " indicates that no backup started within the configured timeframe, which is " + $iNomHours + " hours."

# Retrieve Exchange servers with the mailbox role
$ExServer = Get-ExchangeServer | Where-Object { $_.IsMailboxServer -eq $true } | Sort-Object Name
foreach ($server in $ExServer)
{
    $sOutput += $sSpace + $server.Name
    # Retrieve storage groups for a given server
    $StorageGroup = $server | Get-StorageGroup | Sort-Object Name
    # Check for absence of any storage groups (Measure-Object returns a count of 0, not $null, for empty input)
    if (($StorageGroup | Measure-Object).Count -eq 0)
    {
        $sOutput += $sSpace + "No storage groups present."
    }
    else
    {
        foreach ($sg in $StorageGroup)
        {
            $sOutput += $sSpace + $sg.Name
            # Retrieve mailbox and public folder databases for a given storage group
            $MailboxDatabase = $sg | Get-MailboxDatabase -Status | Sort-Object Name
            $PFDatabase = $sg | Get-PublicFolderDatabase -Status
            # Check for absence of any databases in the storage group
            $bMdbExist = ($MailboxDatabase | Measure-Object).Count -gt 0
            $bPFExist = ($PFDatabase | Measure-Object).Count -gt 0
            if ((-not $bMdbExist) -and (-not $bPFExist))
            {
                $sOutput += $sSpace + $sSpace + "No databases in storage group."
            }
            else
            {
                if ($bMdbExist)
                {
                    foreach ($mdb in $MailboxDatabase)
                    {
                        BackupStatus $mdb
                    }
                }
                if ($bPFExist)
                {
                    BackupStatus $PFDatabase
                }
            }
        }
    }
}

# The VBScript wrapper below looks for the string "True" in this output
if ($bAlert -eq $true)
{
    Write-Host "Attention Required"
    Write-Host $bAlert
    Write-Host $sOutput
}
else
{
    Write-Host "All ok"
}

The VBScript below is used in a Timed Script Two State Monitor:

pscommand = "C:\temp\LastBackupReport.ps1"
cmd = "powershell.exe " & pscommand
Set shell = CreateObject("WScript.Shell")
Set executor = shell.Exec(cmd)
executor.StdIn.Close
varPSResult = executor.StdOut.ReadAll
' The PowerShell script writes "True" only when attention is required (InStr returns 0 when not found)
varString = InStr(varPSResult, "True")
Dim oAPI, oBag
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
Call oBag.AddValue("varPSResult", varPSResult)
If varString > 0 Then
    Call oBag.AddValue("Backup", "Error")
Else
    Call oBag.AddValue("Backup", "Ok")
End If
Call oAPI.Return(oBag)

Settings for the monitor (Timed Script Two State Monitor):

  • General. Monitor target: Exchange 2007 Standalone Mailbox Role
  • Schedule. Run every X hours
  • Script. File Name: ExchangeBackup.vbs
  • Script. Timeout: 2 Minutes
  • Script. Paste the script in
  • Unhealthy Expression: Property[@Name='Backup'] Does not equal Ok
  • Healthy Expression: Property[@Name='Backup'] Equals Ok
  • Alerting. Check Generate alerts for this monitor
  • Alerting. Alert description: $Data/Context/Property[@Name='varPSResult']$ No backup for the last X hours

Query a database from a task

I have seen a number of questions where Operations Manager operators would like to have more info about Windows machines in the console. You could include that info in the console with a new management pack, but if you already have it in another database, it would be easier to query that database directly. I have written a script that takes a machine name (principal name) and queries a database for more information about it.

querydb

The script:

'## Get parameter (computer name) into the script
Set oArgs = WScript.Arguments
'## Query the database for info
Const adOpenStatic = 3
Const adLockOptimistic = 3

Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

Set objConnection = CreateObject("ADODB.Connection")
Set objRecordSet = CreateObject("ADODB.Recordset")

'## Trusted_Connection=Yes means the console user's Windows credentials are used, so the
'## User ID and Password values are not needed; a password should not be stored in the script anyway
objConnection.Open _
"Provider=SQLOLEDB;Data Source=hq-opsmgr28;" & _
"Trusted_Connection=Yes;Initial Catalog=databasename_here;" & _
"User ID=domain\username;Password=Password_here;"

'## The computer name is concatenated straight into the SQL text; a parameterized
'## ADODB.Command is the safer choice if the names cannot be trusted
objRecordSet.Open "SELECT * FROM machines WHERE FQDN LIKE '%" & oArgs(0) & "%'", _
objConnection, adOpenStatic, adLockOptimistic

varNo = objRecordSet.RecordCount

Do Until objRecordSet.EOF
    WScript.Echo "**********************************************"
    WScript.Echo "*                                            *"
    WScript.Echo "*          Contoso Machine Database          *"
    WScript.Echo "*                                            *"
    WScript.Echo "**********************************************"
    WScript.Echo " "
    WScript.Echo " "
    WScript.Echo "Hostname: " & objRecordSet.Fields.Item("Hostname")
    WScript.Echo "FQDN: " & objRecordSet.Fields.Item("FQDN")
    WScript.Echo "SLA level: " & objRecordSet.Fields.Item("SLAlevel")
    WScript.Echo "Owner: " & objRecordSet.Fields.Item("Owner")
    WScript.Echo "Role: " & objRecordSet.Fields.Item("Role")
    WScript.Echo "Location: " & objRecordSet.Fields.Item("Location")
    WScript.Echo "Service: " & objRecordSet.Fields.Item("Service")
    WScript.Echo "Note: " & objRecordSet.Fields.Item("Note")
    WScript.Echo " "
    WScript.Echo " "
    WScript.Echo "**********************************************"
    objRecordSet.MoveNext
Loop

I store this script locally (C:\scripts\querySQL.vbs) on the machine running the console, and call it from a task. The settings of the task are the following:

  • Task Name: Contoso – query db
  • Task target: Windows Computer
  • Application: C:\windows\system32\cmd.exe
  • Parameters: /C cscript.exe C:\scripts\querySQL.vbs $Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$
  • Working directory: C:\Windows\system32
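The same task written in PowerShell, as an added example that is not from the original post: the principal name travels as a SQL parameter instead of being pasted into the statement, the search value has its LIKE wildcards escaped, only the columns the task prints are selected, and Windows authentication of the console user is used so no password sits in the script. The server name hq-opsmgr28, the table "machines" and its columns are taken from the post; the database name is a placeholder, and the host-name pattern is an assumption about what a principal name may look like in your environment.

```powershell
# Assumed: run as a console task through powershell.exe on the console machine (PowerShell 2.0 or later)
param([Parameter(Mandatory = $true)][string] $PrincipalName)

# Reject anything that does not look like a host name before it reaches the database
if ($PrincipalName -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$') {
    throw "Rejected principal name: '$PrincipalName'"
}

# Integrated Security=SSPI: the operator's own Windows account is used, no stored password
$connectionString = "Server=hq-opsmgr28;Database=databasename_here;Integrated Security=SSPI;"
$connection = New-Object System.Data.SqlClient.SqlConnection $connectionString
$command = $connection.CreateCommand()

# The search value is bound as @name; it can never change the shape of the statement.
# LIKE wildcards (% _ [) and the escape character itself are escaped in the value.
$command.CommandText = @"
SELECT Hostname, FQDN, SLAlevel, Owner, Role, Location, Service, Note
FROM machines
WHERE FQDN LIKE '%' + @name + '%' ESCAPE '\'
"@
$escapedName = $PrincipalName -replace '([\\%_\[])', '\$1'
[void]$command.Parameters.Add("@name", [System.Data.SqlDbType]::NVarChar, 255)
$command.Parameters["@name"].Value = $escapedName

$connection.Open()
try {
    $reader = $command.ExecuteReader()
    while ($reader.Read()) {
        "**********************************************"
        "*          Contoso Machine Database          *"
        "**********************************************"
        foreach ($column in 'Hostname', 'FQDN', 'SLAlevel', 'Owner', 'Role', 'Location', 'Service', 'Note') {
            "{0}: {1}" -f $column, $reader[$column]
        }
        ""
    }
    $reader.Close()
}
finally {
    $connection.Close()
}
```

For the task definition the application becomes C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe with parameters such as -NoProfile -File C:\scripts\querySQL.ps1 -PrincipalName $Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$ (the script path is an assumption; pick your own). The account running the console needs SELECT on the machines table and nothing more.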

Override Management Pack

In Operations Manager 2007 R2 there is a new view in the Authoring workspace called Overrides. You can use the Overrides view to edit, view and add overrides. You can also use it to show which overrides you have in which management pack. Click on the Overrides view, right-click in the result pane, select Personalize view, then select to group items by Override Management Pack. That will give you a list of all overrides, grouped by the management pack that stores each override.

OverrideView01

System Center operations Manager Cross Platform management packs(s) are imported in this management group. Please delete these management packs(s) before upgrading to System Center Operations Manager R2

I did an Ops Mgr 2007 SP1 to Ops Mgr R2 upgrade this week too. The RMS was installed on a cluster. There was no problem upgrading the first RMS cluster node. The important thing is to make sure that the Ops Mgr services (SDK, Health and Config) can't fail over to the second node during the upgrade. That upgrade took around 20 minutes. Then we moved over to the second RMS cluster node, where the upgrade was interrupted with the following error:

System Center operations Manager Cross Platform management packs(s) are imported in this management group. Please delete these management packs(s) before upgrading to System Center Operations Manager R2

This management group has never run a beta version of X-Plat. The only UNIX MPs we had were the default management packs:

  • UNIX LogFile Template Library
  • UNIX View Library
  • UNIX Service Template Library
  • Unix Core Library

We deleted them and tried to upgrade the second RMS cluster node again, but without luck. We then figured that maybe the cluster resources must be owned by the second node (we found that later in the upgrade guide too), so we moved the cluster over to node 2. The installation ran a little bit longer but was “interrupted before success”. In the logfile we found:

Error:Unable To Connect to SDK To Retrieve MP: Error: The sdk service is either not running or not yet initialized.
Error:StackTrace:    at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.HandleIndigoExceptions(Exception ex)
   at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateChannel(TieredManagementGroupConnectionSettings managementGroupTier)
   at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer..ctor(DuplexChannelFactory`1 channelFactory, TieredManagementGroupConnectionSettings managementGroupTier, IClientDataAccess callback, CacheMode cacheMode)
   at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateEndpoint(ManagementGroupConnectionSettings connectionSettings, IClientDataAccess clientCallback)
   at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.Connect(ManagementGroupConnectionSettings connectionSettings)
   at Microsoft.EnterpriseManagement.ManagementGroup..ctor(String serverName)
   at Microsoft.EnterpriseManagement.ManagementGroup.Connect(String serverName)
   at Microsoft.MOMv3.Setup.MOMv3ManagedCAs.DetectXPlatMPs(Session session)
Action ended 11:00:38: _CheckXplatBetaMPPresent.540EA3C0_A5E9_41EA_A585_822C09EA2650. Return value 1.
MSI (s) (FC:94) [11:00:38:424]: Doing action: _AbortXPlatMPFound.540EA3C0_A5E9_41EA_A585_822C09EA2650
Action 11:00:38: _AbortXPlatMPFound.540EA3C0_A5E9_41EA_A585_822C09EA2650.
Action start 11:00:38: _AbortXPlatMPFound.540EA3C0_A5E9_41EA_A585_822C09EA2650.
System Center Operations Manager Cross Platform management pack(s) are imported in this management group. Please delete these management packs(s) before upgrading to System Center Operations Manager R2.
MSI (s) (FC:94) [11:02:09:347]: Product: System Center Operations Manager 2007 R2 — System Center Operations Manager Cross Platform management pack(s) are imported in this management group. Please delete these management packs(s) before upgrading to System Center Operations Manager R2.

We realized that during the upgrade of the Ops Mgr services the node stops the services, and they fail over to the first node. So we removed the first node from “available nodes” in the Cluster Administrator console. That step, “locking” the cluster resources on the node that you upgrade, is not really in the upgrade guide. After that the installation was interrupted again, and in the logfile we found:

Error: ImportUnixDataItemTransforms: Error: Cannot insert the value NULL into column ‘DatatypeID’, table ‘dbOpsMgr.dbo.UIDatatypeTransform’; column does not allow nulls. INSERT fails.
The statement has been terminated.

So we imported all four default UNIX management packs again, and tried again and it finally worked. Upgrade of the other components of the management group was really easy and fast.

Summary: If you see an error saying that you have cross platform management packs installed and they have to be removed before the upgrade, make sure the SDK service is running, and that it is running on the machine you are trying to upgrade. In some phase of the upgrade you will run the RMS role on the not-yet-upgraded RMS cluster node together with an upgraded Ops Mgr database. The Ops Mgr database was upgraded together with the first RMS node.

New connect site for the OpsMgr community

Yesterday the product group launched a new connect portal that will allow you to provide feedback to the OM team as well as participate in surveys that have been traditionally reserved for TAP programs. All you need to do is be registered on connect and you’ll be able to participate. Check it out here.

Notification based on a distributed application in R2

In Operations Manager 2007 SP1, when you created a distributed application a group was also created, including all objects in the distributed application. I can't find a corresponding group in Ops Mgr R2. I used that group for notification, notification for everything in a distributed application. If you want to do the same thing in R2, get notification for all new alerts for all objects in a distributed application, you can:

1. Create a distributed application
2. Create a new group with the following formula: "( Object is Contoso - Distributed Application - Spoolers AND ( Display Name Matches wildcard * ) AND True )". "Contoso - Distributed Application - Spoolers" is the name of my distributed application. To build the formula, select your distributed application as the class and then "Display Name Matches wildcard *" as the expression. Remember to add the formula under dynamic members.
3. Create a new subscription with the following subscription criteria:
Notify on all alerts
raised by any instance in a Contoso - Group - Print Spooler DA group
and with New (0) resolution state

"Contoso - Group - Print Spooler DA" is the name of my group.

Notification and reporting for maintenance mode

When a monitored object, such as a computer or distributed application, goes offline for maintenance, Operations Manager 2007 detects that no agent heartbeat is being received and, as a result, might generate numerous alerts and notifications. To prevent alerts and notifications, place the monitored object into maintenance mode. In maintenance mode, alerts, notifications, rules, monitors, automatic responses, state changes, and new alerts are suppressed at the agent.
More info about maintenance mode here (source).

Boris Yanushpolsky wrote a PowerShell script that shows what is actually in maintenance mode. You run the script in the Operations Manager command shell. If you want to publish this information to a web page, for example to share it with colleagues, you can use this modified version of the script. You could also schedule the script to make sure you have an up-to-date web page all the time.

mm01

mm02

If you want to get notified when a new maintenance window starts, you could use the following script. This script will send you an e-mail with information regarding new maintenance windows. It will also log the information to a logfile that you can later use to generate reports on maintenance windows within your environment. Read this post about generating reports based on logfiles. Download the script here. Remember to rename the file to .ps1 and run it from the Operations Manager command shell. The following picture shows a notification e-mail from the script.

mm03

With default settings the script will look for maintenance windows created in “now - 72 hours”. You can change this with the $seconds, $minutes and $hours variables. For example, if you schedule the script to run every two minutes you want to change it to $minutes=2. If you want the script to generate a logfile you will need to change $log to $true. If you want to get notified by e-mail you need to specify $e-mail=$true and then smtphost, from, to and subject.

Big thanks to Marco Shaw (PowerShell MVP); read his blog here.

Look for new databases (…with a pinch of DPM)

With SQL Server Audit, SQL Server 2008 introduces an important new feature that provides a true auditing solution for enterprise customers. While SQL Trace can be used to satisfy many auditing needs, SQL Server Audit offers a number of attractive advantages that may help DBAs more easily achieve their goals such as meeting regulatory compliance requirements. These include the ability to provide centralized storage of audit logs and integration with System Center, as well as noticeably better performance. Perhaps most significantly, SQL Server Audit permits fine-grained auditing whereby an audit can be targeted to specific actions by a principal against a particular object. This paper provides a comprehensive description of the new feature along with usage guidance and then provides some practical examples. Source MSDN

If you want to get an alert when a new database is created in SQL Server 2008, you will first need to configure auditing on the SQL side, and then a rule in Operations Manager to generate an alert. Configure a new server audit with the audit destination set to the Application log or the Security log. If you select the Security log you might need to configure some extra security permissions. Then create a new server audit specification with the audit action type DATABASE_CHANGE_GROUP.

sqlAudit01

The next step is to create the rule that will pick up the SQL event and generate an alert. Create a new event-based rule and target it to, for example, SQL Servers, to monitor all your SQL machines. Configure the rule to look for event ID 33205 with CREATE and DATABASE in the event description.

sqlAudit02

In the expression of the rule, we use “.” (the regular-expression wildcard) to tell Operations Manager “any character before, around or after the two keywords, CREATE and DATABASE”.

sqlAudit03
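Both halves of the setup, as an added example that is not from the original post: a function that creates the server audit and the DATABASE_CHANGE_GROUP server audit specification described above through SqlClient (each statement is sent as its own batch, so the specification is created after the audit exists), and the filter the Operations Manager rule applies, run against constructed event records so the positive and negative cases can be seen offline. The audit names, the instance name and the exact text of the sample messages are assumptions; the regular expression CREATE.*DATABASE is my reading of the “.” rule expression in the post.

```powershell
# Batch 1: the audit itself, writing to the Application log so the rule can target event 33205
$createAudit = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'Audit_DatabaseChanges')
    CREATE SERVER AUDIT Audit_DatabaseChanges
        TO APPLICATION_LOG
        WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
"@

# Batch 2: the specification that selects DATABASE_CHANGE_GROUP (CREATE/ALTER/DROP DATABASE)
$createSpecification = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = N'AuditSpec_DatabaseChanges')
    CREATE SERVER AUDIT SPECIFICATION AuditSpec_DatabaseChanges
        FOR SERVER AUDIT Audit_DatabaseChanges
        ADD (DATABASE_CHANGE_GROUP)
        WITH (STATE = ON);
"@

# Batch 3: audits are created disabled, so switch it on last
$enableAudit = "ALTER SERVER AUDIT Audit_DatabaseChanges WITH (STATE = ON);"

function Install-DatabaseChangeAudit {
    # Assumed: the caller is a sysadmin / has ALTER ANY SERVER AUDIT on the instance
    param([string] $Instance = "localhost")
    $connection = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Database=master;Integrated Security=SSPI;"
    $connection.Open()
    try {
        foreach ($batch in $createAudit, $createSpecification, $enableAudit) {
            $command = $connection.CreateCommand()
            $command.CommandText = $batch
            [void]$command.ExecuteNonQuery()
        }
    }
    finally {
        $connection.Close()
    }
}

function Test-CreateDatabaseAuditEvent {
    # Same criteria as the Operations Manager rule: event 33205 whose description
    # contains CREATE followed, after any characters, by DATABASE
    param([int] $EventId, [string] $Description)
    return ($EventId -eq 33205) -and ($Description -match 'CREATE.*DATABASE')
}

function Get-NewDatabaseAuditEvents {
    # Reads the local Application log and keeps only the records the rule would alert on
    Get-EventLog -LogName Application | Where-Object { Test-CreateDatabaseAuditEvent $_.EventID $_.Message }
}

# Constructed sample records, shaped loosely like SQL Server Audit entries in the Application log
$samples = @(
    (New-Object PSObject -Property @{ EventId = 33205; Description = "Audit event: action_id:CR;class_type:DB;statement:CREATE DATABASE Payroll;" }),
    (New-Object PSObject -Property @{ EventId = 33205; Description = "Audit event: action_id:AL;class_type:DB;statement:ALTER DATABASE Payroll SET RECOVERY FULL;" }),
    (New-Object PSObject -Property @{ EventId = 17137; Description = "Starting up database 'Payroll'." })
)
foreach ($sample in $samples) {
    "{0,-5} <- {1}" -f (Test-CreateDatabaseAuditEvent $sample.EventId $sample.Description), $sample.Description
}
```

Install-DatabaseChangeAudit is not called at the top level because it needs a live instance; run it once per SQL Server you want covered, then use Get-NewDatabaseAuditEvents on the box to confirm that creating a test database produces a matching 33205 record before you rely on the Operations Manager rule. Note that the ALTER DATABASE sample is also collected by DATABASE_CHANGE_GROUP but is correctly left out by the CREATE.*DATABASE filter.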


Another step that you might want to take is to verify that you back up the new SQL database. I modified a PowerShell script; the result is that it connects to your DPM server and a SQL box, and then asks you whether you want to add any of the unprotected databases on that server to a protection group in DPM.

param([string] $ProductionServer, [string] $PGName)

if (!$ProductionServer)
{
    $ProductionServer = Read-Host "Enter the production server name (a SQL server protected by DPM)"
}
if (!$PGName)
{
    $PGName = Read-Host "Enter the name of your existing SQL protection group"
}

$dpmservername = Read-Host "Enter the name of your DPM server"

Connect-DPMServer $dpmservername
$dpmservername

# Find the existing protection group and get a modifiable copy of it
$PGFound = $false
$PGList = @(Get-ProtectionGroup $dpmservername)
foreach ($PG in $PGList)
{
    if ($PG.FriendlyName -eq $PGName)
    {
        Write-Host "Found protection group $PGName"
        $MPG = Get-ModifiableProtectionGroup $PG
        $PGFound = $true
    }
}

if (!$PGFound)
{
    Write-Host "Protection Group $PGName does not exist"
    exit 1
}

# Run an inquiry on the production server to list its data sources
$PSFound = $false
$PSList = @(Get-ProductionServer $dpmservername)
$DSList = @()
foreach ($PS in $PSList)
{
    if ($PS.NetBiosName -eq $ProductionServer)
    {
        Write-Host "Running Inquiry on" $PS.NetBiosName
        $DSList += Get-Datasource -ProductionServer $PS -Inquire
        $PSFound = $true
    }
}

if (!$PSFound)
{
    Write-Host "Production Server $ProductionServer does not exist"
    exit 1
}

# Offer every unprotected SQL data source for inclusion in the protection group
$protectedDsList = @()
foreach ($ds in $DSList)
{
    if ($ds.ToString("T", $null) -match "SQL" -and !$ds.Protected)
    {
        # Read-Host takes a single prompt string, so the database name is interpolated into it
        $toadd = Read-Host "Do you want to protect the $($ds.Name) database? (y/n)"
        if ($toadd -eq "y")
        {
            $protectedDsList += $ds
            Add-ChildDatasource -ProtectionGroup $MPG -ChildDatasource $ds
            $x = Get-DatasourceDiskAllocation -Datasource $ds
            Set-DatasourceDiskAllocation -Datasource $x -ProtectionGroup $MPG
        }
    }
}

Set-ReplicaCreationMethod -ProtectionGroup $MPG -Now

if ($protectedDsList.Length)
{
    Write-Host "Adding new SQL DBs to" $MPG.FriendlyName
    Set-ProtectionGroup $MPG
}

Disconnect-DPMServer $dpmservername
"Exiting from script"

sqlAudit04

(Tested in a sandbox, so I am aware that the Ops Mgr databases and all the test databases are not protected.) If you want to integrate the script into Ops Mgr you should read this post from David Allen.

2007 R2 Universal Connector

If you have not seen it yet, Microsoft has now released a number of connectors for Ops Mgr 2007 R2. The System Center Operations Manager 2007 R2 Connectors provide System Center Operations Manager 2007 R2 alert forwarding to remote systems, such as an Enterprise Management System (EMS) or service desk system. One of the connectors that Microsoft has released is the universal connector, a connector that can be installed and configured for potentially any remote system that is hosted on a Windows system or on a supported UNIX system. More info and download here.

Each deployed Operations Manager 2007 R2 Connector has the following components:

  • Interop Provider – This service is installed on a Windows or UNIX server in a supported remote system environment and is automatically started at install. The Interop Provider receives alerts from the Connector Service in the Operations Manager 2007 R2 environment and forwards them to the supported remote system through APIs of that system. The Interop Provider also sends updates on those events back to the Connector Service.
  • Connector Service – This service is installed on a server in the Operations Manager 2007 R2 environment and is automatically started after configuration is completed. The Connector Service gathers alerts from the Operations Manager 2007 R2 RMS and sends them to the Interop Provider that is installed on a remote system server. The Connector Service also receives updates from that Interop Provider for remote system events that were created from Operations Manager alerts.
  • Connector Configuration UI – This configuration dialog box is installed on a server on which an Operations Manager 2007 R2 console is installed, and it becomes an integrated component in that console. Use the Connector Configuration dialog box to configure communications for Operations Manager 2007 R2 servers with remote system servers. Tabs on the Connector Configuration dialog box also provide for mapping Operations Manager alert properties to properties of the remote system’s events and for configuring the High Availability feature.

The installation was pretty simple; the manual explains the different steps well. You install the Interop Provider and the Connector Service. The Connector Configuration UI needs to be installed on a machine with the Ops Mgr R2 console, as there is an integration between the two. It is not possible to upgrade any pre-RTM version of the connector, so if you have been running a pre-RTM version make sure you uninstall it before you try to install the RTM version. When the installation is complete you will see a new connector in the console.

Connector02

Connector01

Connector03

Connector04

Connector05

Connector06

On the Ops Mgr Universal Connector you can configure where your EMS server is, how often to synchronize, where your Ops Mgr server is and of course which alert fields to synchronize. You will also see a new connector under Internal Connectors. This is where you can configure which alerts will be forwarded to the EMS server. With default settings all alerts are forwarded.

When a new alert is generated, an XML file will be generated on the EMS server side. In this example I generate an alert for an event in the event viewer.

connector07

As you can see below, the alert has ID 8f474850-7308-41f8-ba40-0fb27b72084e, and there are XML files generated for the alert. The file name is <AlertID>.<sequence number>.XML. The sequence number, starting at 1, is added so that if an alert is forwarded and not processed in a timely manner, or if an alert is updated multiple times in a short time period, the files are not overwritten. Overwriting the files could result in lost updates. It is important that the EMS system processes the files with the lower numbers first so that the sequence of activities is not lost. Note that if you get two alerts at the same time they will be named <AlertID001>.1.XML and <AlertID002>.2.XML; the .X. number is common for the management group, not a sequence number per alert ID.

Connect08
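The ordering rule described above, as an added example that is not from the original post and not part of the connector: a small function an EMS-side processor can use to parse the <AlertID>.<sequence number>.XML names, sort them by the numeric sequence (an alphabetical sort would handle 10 before 2) and ignore files that do not follow the pattern. The file names are constructed for the example; only the alert ID is the one shown in the post.

```powershell
function Get-ConnectorFilesInOrder {
    param([string[]] $FileNames)
    $parsed = foreach ($name in $FileNames) {
        # <AlertID>.<sequence number>.XML; -match is case-insensitive, so .XML and .xml both qualify
        if ($name -match '^(?<id>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\.(?<seq>\d+)\.xml$') {
            New-Object PSObject -Property @{
                Name     = $name
                AlertId  = $matches['id']
                Sequence = [int]$matches['seq']   # numeric, so 2 sorts before 10
            }
        }
    }
    # The sequence is management-group-wide, so ordering by it alone preserves the order of activity
    $parsed | Sort-Object Sequence
}

# Constructed file names: three files for the alert shown above, listed out of order,
# plus a file that is not a connector file at all and must be skipped
$constructedNames = @(
    '8f474850-7308-41f8-ba40-0fb27b72084e.10.XML',
    '8f474850-7308-41f8-ba40-0fb27b72084e.2.XML',
    '8f474850-7308-41f8-ba40-0fb27b72084e.1.XML',
    'processed.log'
)
Get-ConnectorFilesInOrder $constructedNames | Format-Table Sequence, AlertId, Name -AutoSize
```

Against a real drop folder, replace the constructed array with (Get-ChildItem C:\path\to\drop -Filter *.XML | ForEach-Object { $_.Name }) and process the returned objects in the order given, deleting each file only after its update has been applied, as the next paragraph requires.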

The next step is that the remote system needs to acknowledge (event type = 2) the alert back to Ops Mgr. This is done with a new XML file. Don't forget to delete the first XML file, so you don't process it again.

Connector09

If you then want to update (event type = 1) the alert you generate a new XML file; in the following example the resolution state is set to 100. You can use the same XML code to update the resolution state to 255, in other words to close an alert.

Connector10

There are a couple of different event types you can use with the universal connector:

• <EventType>0</EventType> = New Ops Mgr alert being forwarded
• <EventType>1</EventType> = Update to an Ops Mgr alert being forwarded to the remote system, or update to the event/ticket on a remote system being forwarded to Ops Mgr
• <EventType>2</EventType> = Remote system acknowledgement of a new alert
• <EventType>3</EventType> = Remote system acknowledgement of an alert update

Summary: You can use the Universal Connector to forward alerts in XML or EVT format to remote systems. Remote systems can then generate files that the connector picks up and processes in Operations Manager, for example to update the resolution state of an alert. You can run the connector against both Microsoft and non-Microsoft systems.

Monitor multiple events in a logfile within X minutes

This is an example of how you can configure a monitor to generate an alert if a log file contains a word more than X times during Y minutes. In the following example I have configured a monitor to generate a critical alert if the logfile contains “error” more than four times during a minute. The example looks at any file named logfile*.log in the C:\logfiles folder. If the application writes a “success” to the logfile, the monitor will be reset back to healthy.

1. Go to the Authoring workspace and create a new monitor, Log Files/Text Log/Repeated Event Detection/Event Reset

2. General
Name: Contoso - Logfile - Repeated Event w event reset
Monitor Target: for example Windows Server 2008 Computer (more about targeting here and here)
…next

3. Single Generic Log
Directory: C:\logfiles
Pattern: logfile*.log
…next

4. Single Event Expression
Parameter Name: Params/Param[1]
Operator: Contains
Value: success
…next

5. Repeated Generic Log
Directory: C:\logfiles
Pattern: logfile*.log
…next

6. Repeated Event Expression
Parameter Name: Params/Param[1]
Operator: Contains
Value: error
…next

7. Repeated Event Description
Counting mode: Trigger on count
Compare Count: 4
Based on items occurrence within a time interval: 1 Minutes
…next

8. Health
Event Raised: Healthy
Repeated Event Raised: Critical
…next

9. Alerting
Check “Generate alerts for this monitor”
Input a suitable alert description; also try to include a couple of the data parameters
…create

If any file named logfile*.log in the C:\logfiles folder now receives four “error” lines within one minute, a critical alert will be generated. Then, if a “success” is written to any file, the monitor will be set back to healthy. Steps 3 and 4 configure the event that sets the monitor back to healthy.
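To make the interaction between steps 4, 6 and 7 concrete, here is an added example (not from the original post, and not how the Operations Manager module itself is implemented) that replays the monitor's logic over constructed log lines with timestamps: an “error” line is counted only while it is inside the one-minute window, reaching the configured count turns the state Critical, and a “success” line resets the state and the count. The three sample logs are built so that only the burst reaches four errors inside a minute; the timestamps, line text and the helper New-LogEntry are constructed for the example.

```powershell
function New-LogEntry {
    # Constructed log record: a timestamp and the line text
    param([datetime] $Time, [string] $Text)
    New-Object PSObject -Property @{ Time = $Time; Text = $Text }
}

function Get-RepeatedEventState {
    param(
        [object[]] $Entries,                                 # objects with Time and Text properties
        [int] $Threshold = 4,                                # "Compare Count" in step 7
        [timespan] $Window = [timespan]::FromMinutes(1)      # "time interval" in step 7
    )
    $state = 'Healthy'
    $errorTimes = @()
    foreach ($entry in ($Entries | Sort-Object Time)) {
        if ($entry.Text -match 'success') {
            # Step 4: the reset event returns the monitor to healthy and starts a fresh count
            $state = 'Healthy'
            $errorTimes = @()
        }
        elseif ($entry.Text -match 'error') {
            # Steps 6 and 7: keep only the error timestamps still inside the window, then count
            $errorTimes = @($errorTimes | Where-Object { ($entry.Time - $_) -lt $Window }) + $entry.Time
            if ($errorTimes.Count -ge $Threshold) { $state = 'Critical' }
        }
    }
    return $state
}

$t0 = [datetime]'2009-06-01 10:00:00'

# Four errors inside 50 seconds: the window still holds all four when the last one arrives
$burst = @(
    (New-LogEntry $t0                'error: connection refused'),
    (New-LogEntry $t0.AddSeconds(20) 'error: connection refused'),
    (New-LogEntry $t0.AddSeconds(40) 'error: connection refused'),
    (New-LogEntry $t0.AddSeconds(50) 'error: connection refused')
)

# Four errors, but the first one is 70 seconds old when the fourth arrives, so only three are in the window
$spread = @(
    (New-LogEntry $t0                'error: connection refused'),
    (New-LogEntry $t0.AddSeconds(20) 'error: connection refused'),
    (New-LogEntry $t0.AddSeconds(40) 'error: connection refused'),
    (New-LogEntry $t0.AddSeconds(70) 'error: connection refused')
)

# The burst followed by the reset event from step 4
$recovered = $burst + (New-LogEntry $t0.AddMinutes(5) 'success: connection restored')

"burst:     " + (Get-RepeatedEventState $burst)
"spread:    " + (Get-RepeatedEventState $spread)
"recovered: " + (Get-RepeatedEventState $recovered)
```

Feed real lines into the same function by reading them from the log with Get-Content and stamping each with the time it was observed; the monitor matches on Params/Param[1], which for a generic text log is the whole line, so the -match patterns above correspond to the two "Contains" expressions in steps 4 and 6.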
