I post this after one of my customers requirement. He asked me to create a rule that raises an alert if a service in automatic startup mode is stopped.Here is how i did:
- Go to the Authoring pane and create a new rule.
- Select Alert Generating Rules -> Event Based -> WMI Event (Alert). Store the new rule in a specific Management Pack (not Default one).
- Give a name to your rule and select Windows Server as rule target.
- Enter root\cimv2 for the WMI Namespace and the following query: select * from __InstanceOperationEvent within 60 where TargetInstance isa 'Win32_Service' and TargetInstance.StartMode = 'Auto' and TargetInstance.State = 'Stopped'. This query will catch wmi events raised each time a windows service in automatic startup mode enters the stopped state. Enter 60 seconds as the Poll Interval. More info about such WMI queries here
- Leave the default setings for the alert configuration for the moment.
- As a test let's stop the Automatic Updates service on the RMS. We can see alert is raised but nothing in this alert tells us which service has stopped.
- To see which parameters can be inserted in the alert we have to look inside the alert in the database. Open SQL Management Studio, open the OperationsManager database and open the dbo.Alert table. Find our alert using the TimeRaised column and copy the content of the Context field.
- Paste that content into a XML editor. By expanding the XML tree we can see that the caption of the stopped service is there inside tags EventData -> DataItem -> Collection Name="TargetInstance" -> Property Name="Caption".
- To get this value inside our alert description, open the rule we created and open the alert properties. By doing some logic comparison with the built-in parameters available for alert description I established that the following text would return our service's caption: $Data/EventData/DataItem/Collection[@Name="TargetInstance"]/Property[@Name="Caption"]$.
- A much efficient alert is now raised.
No comments:
Post a Comment