This is Part 4 in a series of posts described here: https://kevinholman.com/2016/06/04/authoring-management-packs-the-fast-and-easy-way-using-visual-studio/
In our next example fragment, we will monitor the event log for a specific event and generate an alert if it occurs.
Step 1: Download and extract the sample MP fragments. These are available here: https://github.com/thekevinholman/FragmentLibrary
I will update these often as I enhance and add new ones, so check back often for new versions.
Step 2: Open your newly created MP solution, and open Solution Explorer. This solution was created in Part 1, and the class was created in Part 2.
Step 3: Create a folder and add the fragment to it.
Create a folder called “Rules” in your MP:
Right click Rules, and Add > Existing item.
Find the fragment named “Rule.AlertGenerating.EventLog.EventIdEquals.SourceEquals.mpx” and add it.
Select Rule.AlertGenerating.EventLog.EventIdEquals.SourceEquals.mpx in solution explorer to display the XML.
Step 4: Find and Replace
Replace ##CompanyID## with our company ID which is “Fab”
Replace ##AppName## with our App ID, which is “DemoApp”
Replace ##ClassID## with the custom class we created in Part 2. This was “Fab.DemoApp.Server.Class” from our previous class fragment.
Replace ##LogName## with the event log you want to monitor. I will use “Application”
Replace ##EventID## with an event ID. I will use “100”
Replace ##EventSource## with a valid Event Source for our event. I will use “TEST”
Replace ##UniqueID## with something descriptive for what this rule is looking to alert on, with NO SPACES OR SPECIAL CHARACTERS. I will use “TestEvent”
That took all of 2 minutes. Take another few minutes to review the XML we have in this fragment. It is a simple rule definition that will generate an alert when the event is seen in the log. There are also display strings, which can be modified to change the rule display name, alert name, and alert description.
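The same find-and-replace can be scripted, which helps when the fragment is reused for more than one event. The PowerShell below is an added example, not code from this post or from the fragment library; it goes beyond the single rule in the walkthrough by producing one copy per event. The template is a constructed stand-in for the fragment's XML, and Expand-Fragment, the output file names, and the second rule's values are assumptions.

```powershell
# Constructed stand-in for the fragment text; the real .mpx holds far more XML.
$template = @'
<Rule ID="##CompanyID##.##AppName##.##UniqueID##.Alert.Rule" Target="##ClassID##">
  <!-- LogName=##LogName## EventID=##EventID## EventSource=##EventSource## -->
</Rule>
'@

# Hypothetical helper: fill every ##Tag## in the template from a hashtable.
function Expand-Fragment {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][hashtable]$Values
    )
    # UniqueID ends up inside the workflow ID; letters and digits only is an assumed, strict reading.
    if ([string]$Values['UniqueID'] -notmatch '^[A-Za-z0-9]+$') {
        throw "UniqueID '$($Values['UniqueID'])' must contain only letters and digits."
    }
    $out = $Template
    foreach ($key in $Values.Keys) {
        $out = $out.Replace("##$key##", [string]$Values[$key])
    }
    # A tag that survives means a replacement was missed and the IDs are wrong.
    $left = [regex]::Matches($out, '##\w+##') | ForEach-Object { $_.Value } | Sort-Object -Unique
    if ($left) { throw "Unreplaced tags: $($left -join ', ')" }
    $null = [xml]$out   # throws if the result is not well-formed XML
    return $out
}

# Values shared by every rule (taken from the walkthrough above).
$common = @{
    CompanyID = 'Fab'; AppName = 'DemoApp'; ClassID = 'Fab.DemoApp.Server.Class'
    LogName = 'Application'; EventSource = 'TEST'
}
# One entry per rule; the second entry is a constructed example.
$rules = @(
    @{ EventID = '100'; UniqueID = 'TestEvent' },
    @{ EventID = '101'; UniqueID = 'TestEvent101' }
)

$seen = @{}
foreach ($rule in $rules) {
    # Reusing a UniqueID would produce two workflows with the same ID.
    if ($seen.ContainsKey($rule.UniqueID)) { throw "Duplicate UniqueID '$($rule.UniqueID)'" }
    $seen[$rule.UniqueID] = $true
    $xml = Expand-Fragment -Template $template -Values ($common + $rule)
    [pscustomobject]@{ File = "Rule.$($rule.UniqueID).mpx"; Xml = $xml }
}
```

To use it on the real fragment, load the file with Get-Content -Raw in place of the stand-in and save each Xml value under its File name before adding it to the Rules folder.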
Step 5: Save and Build the MP. BUILD > Build Solution.
Step 6: Import or Deploy the management pack.
Step 7: Test the MP.
We need to wait for the agent to get the new MP version. You can watch for this in the agent's OperationsManager event log.
We will see a 1200, 1201, then 1210 event sequence:
Once you get the 1210 – you can test the MP.
I will use EVENTCREATE to test this rule. At an elevated command prompt, run:
eventcreate /T ERROR /ID 100 /L APPLICATION /SO TEST /D "This is a Test event 100"
Verify you get the event:
Verify you got the alert:
All done! Time to hit the easy button.
If using this specific fragment, how can you do MULTIPLE different monitors? For example, if you wanted to alert on both changes to the Domain Admin group, and another alert for if accounts in this group get locked out?
Can you add multiple copies of the same fragment? Change the name of each fragment? or change the fragment code?
Great question Doug!
This is why I added the “UniqueID” replacement tag to all my fragments. This is necessary to be able to reuse the same fragment multiple times in the same MP. This lets you give something unique to the ID of the workflows that the fragment adds, to allow the fragment to be reusable multiple times in the same MP.
If the penny has dropped correctly, that means that you just copy / paste the – lines for each event that you wish to monitor, keeping them all in the same .mpx fragment?
Then update the UniqueID Tag in the Rule ID line so that it is unique for each Rule.
Changing
Rule ID="##CompanyID##.##AppName##.##UniqueID##.Alert.Rule"
…..
Rule ID="##CompanyID##.##AppName##.##UniqueID##.Alert.Rule1"
…
No – not at all. You should be REPLACING anything with ##text## in it, as the blog example shows.
Rule ID="##CompanyID##.##AppName##.##UniqueID##.Alert.Rule"
Becomes:
Rule ID="ABC.MyAppName.Event101.Alert.Rule"
Use it again for:
Rule ID="ABC.MyAppName.Event102.Alert.Rule"
Etc..etc… You can put any unique text in the UniqueID tag.
I think there’s still some clarity that has to be made.
Let’s say I wanted to monitor for events 100 (as in the example) and event 101. I can’t just add another instance of Rule.AlertGenerating.EventLog.EventIdEquals.SourceEquals.mpx to my project. So, to monitor another EventID, would I copy the contents and create another section, but change the ID from the original Rule ID="ABC.MyAppName.Event101.Alert.Rule" to Rule ID="ABC.MyAppName.Event102.Alert.Rule" in the new copy I created?
Then I would do the same for and , changing the ID and ElementId to match the new Rule ID I created above?
These fragments are not designed to accommodate any authoring scenario. They are designed to very quickly cover the most common scenarios. I’d expect that an MP author using fragments would develop their own additional frags to accommodate their specific repeatable needs. It would be pretty easy to make a new frag with a regex for event ID’s.
I think there’s still some clarity that has to be made.
My formatting got messed up in the last question…
Let’s say I wanted to monitor for events 100 (as in the example) and event 101. I can’t just add another instance of Rule.AlertGenerating.EventLog.EventIdEquals.SourceEquals.mpx. So, to monitor another EventID, would I copy the “Rule” section contents and create another “Rule” section, but change the ID from the original Rule ID="ABC.MyAppName.Event101.Alert.Rule" to Rule ID="ABC.MyAppName.Event102.Alert.Rule" in the new copy I created?
Then I would do the same for “StringResources” and “DisplayStrings” sections, changing the ID and ElementId to match the new Rule ID I created above?