
Hi, I created a monitor on SCOM 2012 to generate an alert for removable devices using event IDs 4656 and 4663. When a USB device is plugged in and something is copied out from it, event IDs 4656/4663 show up in Event Viewer on the Windows Server 2012 machine, but the SCOM monitor doesn't generate an alert at all. Can anyone advise me on what the problem could be? Thanks in advance.

Here's exported XML of monitor.

<Monitoring>
  <Monitors>
    <UnitMonitor ConfirmDelivery="true" TypeID="MicrosoftWindowsLibrary7585010!Microsoft.Windows.SingleEventLogManualReset2StateMonitorType" Priority="Normal" Remotable="true" ParentMonitorID="Health!System.Health.SecurityState" Target="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Server.Computer" Enabled="true" Accessibility="Public" ID="UIGeneratedMonitor31432af1c0314b2ea7696791d7dac049">
      <Category>Custom</Category>
      <AlertSettings AlertMessage="UIGeneratedMonitor31432af1c0314b2ea7696791d7dac049_AlertMessageResourceID">
        <AlertOnState>Warning</AlertOnState>
        <AutoResolve>true</AutoResolve>
        <AlertPriority>High</AlertPriority>
        <AlertSeverity>Warning</AlertSeverity>
        <AlertParameters>
          <AlertParameter1>$Data[Default='']/Context/EventDescription$</AlertParameter1>
        </AlertParameters>
      </AlertSettings>
      <OperationalStates>
        <OperationalState ID="UIGeneratedOpStateId58a8f14c9fe94927a4984dbec28a7e29" HealthState="Success" MonitorTypeStateID="ManualResetEventRaised"/>
        <OperationalState ID="UIGeneratedOpStateIdb4815f99eb2248ff95a7b428c1dc702f" HealthState="Warning" MonitorTypeStateID="EventRaised"/>
      </OperationalStates>
      <Configuration>
        <ComputerName>$Target/Property[Type="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
        <LogName>Security</LogName>
        <Expression>
          <Or>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">4656</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">4663</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
          </Or>
        </Expression>
      </Configuration>
    </UnitMonitor>
  </Monitors>
</Monitoring>

Max
  • Can you check the Ops Manager event log on the target computer and see if there are any errors related to this? – LiamG May 19 '16 at 17:47

1 Answer

  1. An event must be identified not only by ID but also by Log/Channel. Please check that the event appears in the same log/channel as the one you are detecting in your MP.
  2. You said that you can't see an alert, but can you see that the monitor changed state? To make a monitor generate an alert, you need to specify it explicitly.

For better advice, please post the source code of your monitor here.

Thank you, Roman.

  • Hi, thanks for the reply. The event appears in the Security log and I chose Security for the parent monitor when I created it. It does not change the state either; it looks like SCOM cannot detect the event ID at all, even though I can see it in the agent's Event Viewer. – Max May 18 '16 at 04:03
  • Your monitor XML looks correct, so the issue is definitely not about the monitor itself. Please check whether the SCOM agent works fine on that server, check whether there are any SCOM-related alerts in the "All Alerts" view that may be related to that computer, and I agree with Liam that you need to review the Operations Manager event log on that server to check it for agent-related errors. There might be a case where your updated MP was not correctly deployed to that server. – Roman Yuferev May 19 '16 at 19:25
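
The checks suggested in the answer and comments, as an added PowerShell example that is not code from the original posters: run on the monitored server, it confirms that 4656/4663 land in the Security channel the monitor reads and lists what the agent wrote to the Operations Manager log. The 24-hour window, the service name HealthService (default SCOM agent install) and the expectation that agent errors name the affected workflow are assumptions; the monitor ID is copied from the XML in the question.

```powershell
# Added diagnostic sketch; run in an elevated PowerShell session on the monitored agent.
# Assumptions: 24-hour look-back, default agent service name "HealthService".
$since     = (Get-Date).AddHours(-24)
$monitorId = 'UIGeneratedMonitor31432af1c0314b2ea7696791d7dac049'   # from the exported XML

# 1. Is the SCOM agent service running at all?
Get-Service -Name HealthService | Select-Object Name, Status

# 2. Do 4656/4663 really appear in the channel named in <LogName> (Security)?
$audit = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4663
    StartTime = $since
} -ErrorAction SilentlyContinue          # no matches is reported as an error otherwise
$audit | Group-Object Id, ProviderName | Select-Object Count, Name

# 3. Errors (Level 2) and warnings (Level 3) the agent logged about itself.
$opsMgr = Get-WinEvent -FilterHashtable @{
    LogName   = 'Operations Manager'
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue
$opsMgr | Group-Object Id, ProviderName |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 4. Agent errors or warnings that name this monitor's workflow, newest first.
$opsMgr | Where-Object { $_.Message -like "*$monitorId*" } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# Summary: audit events present but the monitor silent points at the agent or
# management pack delivery rather than at the monitor expression.
[pscustomobject]@{
    AuditEventsFound   = @($audit).Count
    AgentErrorsFound   = @($opsMgr).Count
    MentionsThisMonitor = @($opsMgr | Where-Object { $_.Message -like "*$monitorId*" }).Count
}
```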