I originally created a rule (Rule.xml attached) that fulfilled the original
requestor's desire of raising an alert when a certain entry is written to a log
file. However, now the requestor asked for a 60min reset on the alert. My
understanding is a monitor would be the better option since Rules do not affect
health state. I attempted to port the original rule to a new monitor (see
Monitor.xml), but it's failing to replace the parameters (LogFileDirectory,
LogFileName). Now I understand different Module Types
(GenericCSVLog.FilteredEventProvider versus
GenericCSVLog.SingleEventTimer2StateMonitorType) may not share the same
structure. On the Rule, I can input the following Alert Parameters and the
appropriate values are inserted in the Alert Description:
<AlertParameter1>$Data/EventData/DataItem/LogFileDirectory$</AlertParameter1>
<AlertParameter2>$Data/EventData/DataItem/LogFileName$</AlertParameter2>
However, on the Monitor those values do not get replaced. I found this on MSDN
as it relates to a GenericCSVLogReader Module Type:
I can't find the equivalent on MSDN for 2-State-Monitor GenericCSVLog Module
Type.
* Does anyone know what the format should be for the Monitor.xml to
properly replace the Alert Parameters specifically for LogDirectory and
LogFileName?
* How/Where do you find such information? MSDN has the OpsMgr MP
Development Kit (https://msdn.microsoft.com/en-us/library/jj130093.aspx) which
helps in some cases. And perhaps what I'm looking for is readily available in
MSDN, I'm just having issues finding it. I don't want to come across as if I
just throw my problems to this group to have them resolved for me. If there are
resources the more advanced authors among us are using I'd love to have them in
my tool bag, too. If it's simply trial-and-error + experience + maintaining
really good notes/documentation for future reference, I can work towards that.
Just seems there is not as much readily available info with examples that help
connect the dots in my brain when I run into these sorts of walls.
Thanks in advance!
-Geoff
Confidentiality Notice: This is a transmission from Community Hospital of the
Monterey Peninsula. This message and any attached documents may be confidential
and contain information protected by state and federal medical privacy
statutes. They are intended only for the use of the addressee. If you are not
the intended recipient, any disclosure, copying, or distribution of this
information is strictly prohibited. If you received this transmission in error,
please accept our apologies and notify the sender. Thank you.
<ManagementPackFragment SchemaVersion="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Monitoring>
<Rules>
<Rule ID="Acme.App.Rule.ADLogonFailures" Target="Acme.App.OutputServer" Enabled="false" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Alert</Category>
<DataSources>
<DataSource ID="DS" TypeID="AppLog!System.ApplicationLog.GenericCSVLog.FilteredEventProvider">
<LogFileDirectory>D:\AppFolder\</LogFileDirectory>
<LogFilePattern>LogName.log</LogFilePattern>
<LogIsUTF8>false</LogIsUTF8>
<Separator>"|"</Separator>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[6]</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>javax.naming.CommunicationException</Pattern>
</RegExExpression>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="Acme.App.Rule.ADLogonFailures.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventData/DataItem/LogFileDirectory$</AlertParameter1>
<AlertParameter2>$Data/EventData/DataItem/LogFileName$</AlertParameter2>
<AlertParameter3>$Data/EventData/DataItem/Params/Param[6]$</AlertParameter3>
<AlertParameter4>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</AlertParameter4>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>
</Rules>
<Monitors>
</Monitors>
</Monitoring>
<Presentation>
<StringResources>
<StringResource ID="Acme.App.Rule.ADLogonFailures.AlertMessage" />
</StringResources>
</Presentation>
<LanguagePacks>
<LanguagePack ID="ENU" IsDefault="true">
<DisplayStrings>
<DisplayString ElementID="Acme.App.Rule.ADLogonFailures">
<Name>Log Monitor: AD Logon Failures</Name>
<Description>Parses 'LogName.log' file in "D:\AppFolder" on &lt;Host&gt;.</Description>
</DisplayString>
<DisplayString ElementID="Acme.App.Rule.ADLogonFailures.AlertMessage">
<Name>AD Logon Failures Detected</Name>
<Description>
'CommunicationException' failure detected in 'LogName.log' on {3}. App logins may be failing.
Additional Information
Host: {3}
Logfile: {1}
String Detected: {2}
</Description>
</DisplayString>
</DisplayStrings>
</LanguagePack>
</LanguagePacks>
</ManagementPackFragment>

<ManagementPackFragment SchemaVersion="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Monitoring>
<Monitors>
<UnitMonitor ID="ACME.App.Monitor.ADAuth.Failures" Accessibility="Public" Enabled="false" Target="ACME.App.OutputServer" ParentMonitorID="Health!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="AppLog!System.ApplicationLog.GenericCSVLog.SingleEventTimer2StateMonitorType" ConfirmDelivery="true">
<Category>AvailabilityHealth</Category>
<AlertSettings AlertMessage="ACME.App.Monitor.ADAuth.Failures.AlertMessage">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>MatchMonitorHealth</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/EventData/DataItem/LogFileDirectory$</AlertParameter1>
<AlertParameter2>$Data/EventData/DataItem/LogFileName$</AlertParameter2>
<AlertParameter3>$Data/EventData/DataItem/Params/Param[6]$</AlertParameter3>
<AlertParameter4>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</AlertParameter4>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="ACME.App.Monitor.ADAuth.Failures.EventRaised" MonitorTypeStateID="EventRaised" HealthState="Error" />
<OperationalState ID="ACME.App.Monitor.ADAuth.Failures.TimerEventReset" MonitorTypeStateID="TimerEventRaised" HealthState="Success" />
</OperationalStates>
<Configuration>
<LogFileDirectory>D:\AppFolder</LogFileDirectory>
<LogFilePattern>LogName.log</LogFilePattern>
<LogIsUTF8>false</LogIsUTF8>
<Separator>"|"</Separator>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[6]</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>javax.naming.CommunicationException</Pattern>
</RegExExpression>
</Expression>
<TimerWaitInSeconds>3600</TimerWaitInSeconds>
</Configuration>
</UnitMonitor>
</Monitors>
</Monitoring>
<Presentation>
<StringResources>
<StringResource ID="ACME.App.Monitor.ADAuth.Failures.AlertMessage" />
</StringResources>
</Presentation>
<LanguagePacks>
<LanguagePack ID="ENU" IsDefault="true">
<DisplayStrings>
<DisplayString ElementID="ACME.App.Monitor.ADAuth.Failures">
<Name>Log Monitor: Workstation AD Logon Failures</Name>
<Description></Description>
</DisplayString>
<DisplayString ElementID="ACME.App.Monitor.ADAuth.Failures.AlertMessage">
<Name>Workstation AD Logon Failures Detected</Name>
<Description>
'CommunicationException' failure detected in 'LogName.log' on {3}. Workstation logins may be failing.
Additional Information
Host: {3}
Logfile: {1}
String Detected: {2}
</Description>
</DisplayString>
<DisplayString ElementID="ACME.App.Monitor.ADAuth.Failures" SubElementID="ACME.App.Monitor.ADAuth.Failures.EventRaised">
<Name>Event Raised</Name>
</DisplayString>
<DisplayString ElementID="ACME.App.Monitor.ADAuth.Failures" SubElementID="ACME.App.Monitor.ADAuth.Failures.TimerEventReset">
<Name>Timer Event Reset</Name>
</DisplayString>
</DisplayStrings>
</LanguagePack>
</LanguagePacks>
</ManagementPackFragment>
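An added offline check, not part of the original post or either attachment, that lints a monitor's alert wiring the way these fragments need: it maps each {n} placeholder in the alert message to AlertParameter(n+1) (placeholders are zero-based, so {0} is filled from AlertParameter1), flags parameters the message never uses, confirms TimerWaitInSeconds matches the requested 60-minute reset, and detects a fragment that is not well-formed (an unescaped <Host> inside a Description breaks parsing). The embedded XML is a constructed, trimmed miniature of Monitor.xml with the same alert parameters and message text.

```python
import re
import xml.etree.ElementTree as ET

# Constructed miniature of the Monitor.xml attachment above (trimmed, same alert wiring).
MONITOR_XML = """<ManagementPackFragment SchemaVersion="2.0"><Monitoring><Monitors>
<UnitMonitor ID="ACME.App.Monitor.ADAuth.Failures">
<AlertSettings AlertMessage="ACME.App.Monitor.ADAuth.Failures.AlertMessage"><AlertParameters>
<AlertParameter1>$Data/EventData/DataItem/LogFileDirectory$</AlertParameter1>
<AlertParameter2>$Data/EventData/DataItem/LogFileName$</AlertParameter2>
<AlertParameter3>$Data/EventData/DataItem/Params/Param[6]$</AlertParameter3>
<AlertParameter4>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</AlertParameter4>
</AlertParameters></AlertSettings>
<Configuration><TimerWaitInSeconds>3600</TimerWaitInSeconds></Configuration>
</UnitMonitor></Monitors></Monitoring>
<LanguagePacks><LanguagePack ID="ENU" IsDefault="true"><DisplayStrings>
<DisplayString ElementID="ACME.App.Monitor.ADAuth.Failures.AlertMessage">
<Description>Failure detected in 'LogName.log' on {3}. Host: {3} Logfile: {1} String Detected: {2}</Description>
</DisplayString></DisplayStrings></LanguagePack></LanguagePacks></ManagementPackFragment>"""

def is_well_formed(xml_text):
    """False when the fragment does not parse, e.g. an unescaped <Host> inside a Description."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def lint_monitor_alerts(xml_text, expected_reset_seconds):
    """Return findings for each UnitMonitor: placeholder/parameter mismatches and timer value."""
    root = ET.fromstring(xml_text)
    findings = []
    for mon in root.iter("UnitMonitor"):
        settings = mon.find("AlertSettings")
        # Indexes N of the AlertParameterN elements declared for this monitor
        declared = {int(p.tag[len("AlertParameter"):]) for p in settings.find("AlertParameters")}
        msg_id = settings.get("AlertMessage")
        desc = root.find(f".//DisplayString[@ElementID='{msg_id}']/Description").text or ""
        # {n} in the message text is zero-based: {0} is filled from AlertParameter1
        used = {int(n) + 1 for n in re.findall(r"\{(\d+)\}", desc)}
        for n in sorted(used - declared):
            findings.append(f"{msg_id}: placeholder {{{n - 1}}} has no AlertParameter{n}")
        for n in sorted(declared - used):
            findings.append(f"{msg_id}: AlertParameter{n} is never used in the message")
        timer = mon.find("Configuration/TimerWaitInSeconds")
        if timer is None or int(timer.text) != expected_reset_seconds:
            findings.append(f"{mon.get('ID')}: TimerWaitInSeconds is not {expected_reset_seconds}")
    return findings
```

Run against the miniature it reports that AlertParameter1 (LogFileDirectory) is declared but never referenced by the message, which is also true of both attachments as posted.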