
How to test fire ANY Windows Event on ANY server from ANY application

Anyone who works with events in the Windows Event log can benefit from this.

When creating management packs, or adding monitoring for specific events, it is very helpful to have tools to test fire these events. In the past, we would use built-in tools like EventCreate. However, these are limited in which event sources they can create events for, and in the event ID numbers they accept.

Microsoft released the System Center Operations Manager 2007 R2 Admin Resource Kit:  Download Here:  LINK

One of the tools is the MP Event Analyzer. Direct Download here

Install the resource kit to your desktop or tools machine, and then copy the MP Event Analyzer tool (two files) to any server where you want to test fire an application or OS based event. You can also run the tool from a mapped drive or UNC path.

Open the MPEventAnalyzer.exe.  Select the Investigate Event Sources tab at the bottom:

In this example – I want to test a complex event log entry from SQL, so in the “Source” list I find my Event Source for my SQL instance – in this case “MSSQL$I01”:

Notice that ALL POSSIBLE events that COULD be fired under this event source show up in the right pane. This is the power of this tool. You could use this tool to investigate any application that writes to the event log under a given event source, and quickly write a management pack to alert on the most important events.

In my case, I am looking to test a very specific event ID – 3041 – which is a backup failure. I find this event ID in the list, and place a check mark in the box next to it.

Then choose Action – Add marked events to Execution list:

Once the event shows up in the execution list, you can right-click the event, choose Parameters, and input any specific parameters into the event. This matters if your event rule datasource only alerts when specific text is present in specific params.

You can also edit the severity of the event to be generated.

When you are happy – press the green “Fire” button at the top:

You will see your event fired perfectly in the log:

And OpsMgr and the management pack fired the alert:

The huge benefit of this tool shows while you are developing custom MPs for custom application events or Windows events: it can test fire any event possible on the system, just as it would be fired by a real issue, with no restrictions on event source or event ID, and with highly customized and specific event parameter data.

7 Comments

  1. Manoj

    I cannot get it to run as administrator. It always shows at the top “Does not run as administrator” on 2016 server. Is there a way?

  2. Dave

    I can’t seem to get it to fire security log events. Even when I run it as administrator. Are there special permissions needed to be granted somewhere to let it have access to the security log?

  3. Tobias Redelberger

    Sadly the “MP Event Analyzer” generating Test-Events – here e.g:

    Log Name: Microsoft-Windows-TerminalServices-SessionBroker/Admin
    Event ID: 804
    Level: Error
    Description: RD Connection Broker could not find an assigned Personal Virtual Desktop for user Domain\User. HRESULT = 0x80070005

    seems to misinterpret “InType – win:HexInt32” as “String” (converting it into 16bit ASCII hex code) because it would not generate the correct “OutType – win:ErrorCode” (here e.g.: “HRESULT = 0x80070005” [Access denied] would be expected/required) but:

    win:HexInt32 = 80070005 –> win:ErrorCode = 0x300038
    win:HexInt32 = 2147942405 –> win:ErrorCode = 0x310032
    win:HexInt32 = 83888000 –> win:ErrorCode = 0x330038
    win:HexInt32 = -2147024891 –> win:ErrorCode = 0x32002D
    win:HexInt32 = 0x80070005 –> win:ErrorCode = 0x780030

    win:HexInt32 = 0 –> win:ErrorCode = 0x30
    win:HexInt32 = 1 –> win:ErrorCode = 0x31
    win:HexInt32 = 2 –> win:ErrorCode = 0x32

    win:HexInt32 = 11 –> win:ErrorCode = 0x310031
    win:HexInt32 = 111 –> win:ErrorCode = 0x310031

    win:HexInt32 = A –> win:ErrorCode = 0x41
    win:HexInt32 = AA –> win:ErrorCode = 0x410041
    win:HexInt32 = AAA –> win:ErrorCode = 0x410041

    Any option to get this corrected in the MP Event Analyzer?

      • Tobias Redelberger

        Thanks Kevin for the quick feedback – appreciated 🙂

        I was already afraid of hearing that.. O:)

        Any alternate idea how to trigger above/any event anyways when:

        “InType – win:HexInt32” -> “OutType – win:ErrorCode”
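
The win:ErrorCode values listed in the comment thread above can all be reproduced by one model, shown here as an added example that is not part of the original post or its comments and is not MP Event Analyzer code. It assumes the typed text is stored as a NUL-terminated UTF-16LE string whose first four bytes are then read as a little-endian 32-bit integer; the function names are hypothetical and the sample table is copied from the comment.

```python
import struct

# Typed value -> win:ErrorCode shown in the event, copied from the comment above.
OBSERVED = {
    "80070005": 0x300038, "2147942405": 0x310032, "83888000": 0x330038,
    "-2147024891": 0x32002D, "0x80070005": 0x780030,
    "0": 0x30, "1": 0x31, "2": 0x32,
    "11": 0x310031, "111": 0x310031,
    "A": 0x41, "AA": 0x410041, "AAA": 0x410041,
}


def string_read_as_hexint32(text: str) -> int:
    """Assumed faulty path: NUL-terminated UTF-16LE text read as a uint32."""
    raw = (text + "\0").encode("utf-16-le")
    # Only the first two UTF-16 code units (4 bytes) fit into a 32-bit field.
    return struct.unpack("<I", raw.ljust(4, b"\0")[:4])[0]


def correct_hexint32(value: int) -> bytes:
    """The 4 bytes a win:HexInt32 field should carry for a given HRESULT."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def mismatches() -> list:
    """Inputs from the comment that the assumed model fails to reproduce."""
    return [t for t, seen in OBSERVED.items()
            if string_read_as_hexint32(t) != seen]


if __name__ == "__main__":
    for text, seen in OBSERVED.items():
        print(f"{text!r:>14} observed 0x{seen:X} "
              f"model 0x{string_read_as_hexint32(text):X}")
    print("unexplained inputs:", mismatches())
    # Signed, unsigned and hex spellings of the HRESULT are the same 4 bytes.
    print(correct_hexint32(-2147024891).hex(), correct_hexint32(0x80070005).hex())
```

An empty mismatch list means every value in the comment fits the assumed string-as-integer reading, which matches the commenter's suspicion that the field is being filled as a string.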
