In this post I will show how to create a monitor that check for one event and if there is not another event within a specified timeframe minute from the first event, the monitor will generate an alert. I will reset the monitor with time, 3 minutes, but you can choose to reset the monitor with for example a third log event.
1. Start the console
2. Go to Authoring, expand management pack objects and click Monitors
3. Click Scope and select Windows Computer, click OK
4. Expand Windows Computers, expand Entity Health, right-click Availability and choose to create a new unit monitor
5. Create a unit monitor – Monitor Type: Choose Windows Events/Correlated Missing Event Detection/Timer Reset, click Next
6. Create a unit monitor – General: Input a name and a description, click Next
7. Create a unit monitor – Missing Event Log Name A: Input the event log name of the first event, click Next
8. Create a unit monitor – Build Missing Event Log Expression for A: Input event ID and event source, in my example it will be event id 1000 and event source EventCreate. Click Next
9. Create a unit monitor - Missing Event Log Name B: Input the event log name of the second event, click Next
10. Create a unit monitor – Build Missing Event Log Expression for B: Input event ID and event source, in my example it will be event id 2000 and event source EventCreate. Click Next
11. Create a unit monitor – Configure Correlation:
Correlation interval: 1 Minutes
Correlation Details: The last occurrence of A with the configured occurrence of B in chronological order
Click Next
12. Create a unit monitor – Auto Reset Timer: In my example I will specify 3 minutes, click Next
13. Create a unit monitor – Configure Health: Click Next
14. Create a unit monitor – Configure Alerts: Check “Generate alerts for this monitor” and then click Create
If I only get a event ID 2000 and no event ID 1000 there will be a alert. If I get event ID 2000 and event ID 1000 within 1 minute there will be no alert. You can change the correlation configuration in any way you want, for example in which order the events must be generated.
Recent Comments