I'm attempting to create a rule that raises an alert based on the following criteria:
Log Name: Application
Event ID: 1
Event Level: 2
Event Source (match on any of these sources):
* Report Server (PROD_RPT1)
* Report Server (PROD_RPT2)
* Report Server (PROD_RPT3)
* Report Server (PROD_RPT4)
Event Description: "[Unique Job ID] SQLReportEngine::GetOutputStream(): Render format 'IMAGE' is not supported"

From past help provided here I understand using wildcard or regex on event descriptions can be a performance killer. To mitigate that, I have been reading about condition detections using expression filters. My plan is to use Basic Event Detection's Event Provider type to first match solely on Event ID and Event Level.

From there I'm not sure the best next step(s). There are multiple Event Sources with the pattern "Report Server (PROD_RPT#)" [# will be 1, 2, 3, or 4]. From a performance perspective, is it okay to use the 'MatchesWildcard' operator on the Event Source and the Event Description in the same ExpressionFilter? Or can you have multiple condition detections to further filter the data being processed? Meaning, should the rule first look at Event Source, then pass that condition down to the Event Description filter? Would it matter at that point, or is the performance negligible?

This is my first time looking at condition detections, so I appreciate any help. I'm attaching the framework of the rule (sanitized). I apologize if the syntax is incorrect, as I'm working my way through this as a first-timer. Thank you.

Confidentiality Notice: This is a transmission from Montage Health. This message and any attached documents may be confidential and contain information protected by state and federal medical privacy statutes. They are intended only for the use of the addressee. If you are not the intended recipient, any disclosure, copying, or distribution of this information is strictly prohibited. If you received this transmission in error, please accept our apologies and notify the sender. Thank you.
<ManagementPackFragment SchemaVersion="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Monitoring>
    <Rules>
      <Rule ID="Contoso.Rule.Event.AppPrinting" ConfirmDelivery="true" DiscardLevel="100" Enabled="true" Priority="Normal" Remotable="false" Target="Contoso.App.ServerRole">
        <Category>Alert</Category>
        <DataSources>
          <!-- Stage 1: cheap, exact-match filtering done inside the event provider (Event ID and Level only) -->
          <DataSource ID="BasicEventDetection" TypeID="Windows!Microsoft.Windows.EventProvider">
            <!-- If Contoso.App.ServerRole is hosted by Windows Computer rather than being the computer class itself,
                 the path is $Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$ -->
            <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
            <LogName>Application</LogName>
            <Expression>
              <And>
                <Expression>
                  <SimpleExpression>
                    <ValueExpression>
                      <XPathQuery>EventDisplayNumber</XPathQuery>
                    </ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression>
                      <Value>1</Value>
                    </ValueExpression>
                  </SimpleExpression>
                </Expression>
                <Expression>
                  <SimpleExpression>
                    <ValueExpression>
                      <XPathQuery>EventLevel</XPathQuery>
                    </ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression>
                      <Value>2</Value>
                    </ValueExpression>
                  </SimpleExpression>
                </Expression>
              </And>
            </Expression>
          </DataSource>
        </DataSources>
        <!-- Stage 2: wildcard matching on Source and Description, applied only to events that passed stage 1 -->
        <ConditionDetection ID="FilterDescription" TypeID="System!System.ExpressionFilter">
          <Expression>
            <And>
              <Expression>
                <RegExExpression>
                  <ValueExpression>
                    <XPathQuery>PublisherName</XPathQuery>
                  </ValueExpression>
                  <Operator>MatchesWildcard</Operator>
                  <Pattern>Report Server (PROD_RPT*)</Pattern>
                </RegExExpression>
              </Expression>
              <Expression>
                <!-- Fixed: Operator and Pattern belong to a RegExExpression, not inside the ValueExpression -->
                <RegExExpression>
                  <ValueExpression>
                    <XPathQuery>EventDescription</XPathQuery>
                  </ValueExpression>
                  <Operator>MatchesWildcard</Operator>
                  <!-- Keep this in sync with the real description text; the post quotes "SQLReportEngine::GetOutputStream()" -->
                  <Pattern>*SQLReportingEngine*</Pattern>
                </RegExExpression>
              </Expression>
            </And>
          </Expression>
        </ConditionDetection>
        <WriteActions>
          <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
            <Priority>1</Priority>
            <Severity>2</Severity>
            <AlertMessageId>$MPElement[Name="Contoso.Rule.Event.AppPrinting.AlertMessage"]$</AlertMessageId>
            <AlertParameters />
            <Suppression />
          </WriteAction>
        </WriteActions>
      </Rule>
    </Rules>
  </Monitoring>
</ManagementPackFragment>
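As an added check that is not part of the original post, the following PowerShell snippet queries the Application log on a report server with the same criteria the rule uses: the indexed fields first (log, Event ID 1, Level 2, the four report-server sources), then the description wildcard over the survivors. Running it before deploying the rule confirms that real events satisfy each stage and shows how far the cheap stage already narrows the data. The source names and description text are those quoted in the post; the -MaxEvents limit and the output columns are assumptions.

```powershell
# Added example (not from the original post): validate the rule's two-stage filter against live events.
# Source names and the description substring are taken from the post; everything else is assumed.
$sources = 1..4 | ForEach-Object { "Report Server (PROD_RPT$_)" }

# Stage 1: the exact-match filters the rule puts in the event provider (log, ID, level) plus the
# source list. FilterHashtable is evaluated by the event log service, so these are cheap.
$filter = @{
    LogName      = 'Application'
    Id           = 1
    Level        = 2                 # 2 = Error
    ProviderName = $sources          # any of the four report-server sources
}
$stage1 = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue)

# Stage 2: the description wildcard, applied only to the events that passed stage 1.
# A single quote inside a single-quoted PowerShell string is written as ''.
$pattern = '*SQLReportEngine::GetOutputStream(): Render format ''IMAGE'' is not supported*'
$stage2  = @($stage1 | Where-Object { $_.Message -like $pattern })

"Stage 1 (Log/ID/Level/Source): $($stage1.Count) events"
"Stage 2 (+ Description)      : $($stage2.Count) events"

# Show what the rule would alert on, with the message truncated for readability
$stage2 |
    Select-Object TimeCreated, ProviderName, Id, Level,
        @{ Name = 'Message'; Expression = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on one of the PROD_RPT hosts. If stage 1 returns events but stage 2 returns none, the description pattern does not match the text the application actually writes (for example the "SQLReportEngine" versus "SQLReportingEngine" spelling), which is the same mismatch that would silently make the rule never fire.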
