How do I: Create an Event View that excludes a particular Event ID

I had a large enterprise customer recently who was monitoring ADFS with the default management pack. They liked being able to glance at the event view which gave them a single place where they could look at the ADFS events occurring across their environment. They were using this event data as part of their correlation and tuning process to determine if there were additional actionable events that were being missed for their unique infrastructure. The eventual goal being to stop collecting the events altogether and only have alert generating rules/monitors in place for patterns of events that they cared about.

01

They quickly found that at least for their environment some of the events being collected were essentially noise, and they asked how to adjust the view so it would exclude one particular event.

This is one of those sounds really easy and of course the product should do this out of box questions that SCOM has never really had a great answer for.

If we take a look at the view it is populated by the following criteria:

02

And if we dig into the corresponding rule that collects the events we find a wildcard regex-style collection rule targeted at the ADFS log:

03

04

05

Since the collection rule is part of a sealed MP the best we could do at the rule level is to shut off this collection rule, and create a new collection rule with a modified wildcard expression such that it would collect everything the old rule did with the exception of the event ID the customer doesn’t like.

The problem with this solution is it isn’t particularly efficient/self-service friendly. If next week the customer realizes there is an additional event they want excluded the AD team has to contact the SCOM team and request further modifications.

In an ideal world the exclusion would be possible at the View level, but if you ever dig into modifying the classic OpsMgr views you will find that while you can use WildCards for some fields like Event Source to perform exclusions:

06

The same is not true for event ID’s, where wildcard exclusions are not allowed:

07

I briefly toyed with the idea of making modifications to the MP at the XML level to allow exclusions as I have occasionally done in the past to hack a subscription into meeting a customer need, but in this case such a solution doesn’t really fit. The customer needed something that was easy for them to change as they gradually winnow down the list of events they see to only the ones they care about.

They needed something that was extremely easy to edit.

Enter PowerShell and the SCOM SDK.

The first solution I put together for them to test was the following:

PowerShell Grid Widget

08

with a where-object {$_.Number -ne 31552 -and $_.PublisherName -eq “Health Service Modules” } I used a SCOM publishername since I didn’t have any ADFS events in my test environment and I wanted to use something that I could confirm that the exclusion was working as expected: 

11

Everything looked good the event I wanted excluded was dealt with properly  (Description dataObject is commented out in the code for this screenshot to make it easier to view. With Description uncommented each event takes up more lines of screen real-estate. I recommend creating two views, one with description commented out, and one where it is uncommented so customers can easily toggle between views.)

12

And if we remove the -ne $_.Number 31152 I get results as below with the event present:

10

In theory this should be all we needed, but when my customer tested out the script nothing happened. After a little bit of head scratching it became apparent what the problem was.

We were calling Get-SCOMEvent | Where-Object

which means we were telling the OpsMgr SDK to please go retrieve every single event in the OpsDB, and then once you are done with that we are going to pipe the results to a Where-Object and tell you what we really need.

In my relatively small test environment this wasn’t that big of an ask and the results returned quickly.

In my customer’s environment with thousands of servers and friendly event generating MP’s like the Exchange 2010 MP, getting every event in the OpsDB was basically a great way to enter an endless loop of dashboard timeouts with nothing ever being displayed.

So we needed to filter things down a bit up front, before piping to the Where-Object.

If you search the blogs you will find that Stefan Stranger has a nice post describing how to deal with this issue when calling the Get-SCOMAlert cmdlet with a Where-Object. Basically you use Get-SCOMAlert -criteria and then pipe to a Where-Object if still needed.

Unfortunately, Get-SCOMEvent doesn’t have a -criteria parameter because that would make things too easy and intuitive.

It does, however, have a -rule parameter which looked promising:

13

First I tried passing it a rule Name, followed by a second try with a rule GUID for an event collection rule I was interested in. In both cases I got a nice red error message:

14

While a little a cryptic it is saying that I am passing a parameter of the type string, and it wants a special SCOM specific rule type.

To give it what it wants we need to first retrieve the -rule parameter using the get-scomrule cmdlet and then pass it to get-scomevent as a variable:

$rule = get-scomrule -DisplayName “Operations Manager Data Access Service Event Collector Rule”

15

$rule = get-scomrule -DisplayName “Operations Manager Data Access Service Event Collector Rule”

get-scomevent -rule $rule

16

So our final script would look something like this: (I have added some additional filtering to be able to allow if you just want events from the past hour. *Keep in mind this date/time filtering doesn’t increase the efficiency of the script since it occurs after the Where-Object, the only thing making this script more efficient is that we are first only pulling back events collected from a specific rule*)

$rule = get-scomrule -DisplayName “Operations Manager Data Access Service Event Collector Rule”

$DateNow = date

#Modify the .AddMinutes below to determine how far back to pull events

$DateAgo = $DateNow.AddMinutes(-60)

#$_.Number -ne(not equals) is used to indicate the event number that you want to exclude from the view

$eventView = Get-scomevent -rule $rule |where-object {$_.Number -ne 17 -and $_.TimeGenerated -ge $DateAgo -And $_.TimeGenerated -le $DateNow}|Select Id, MonitoringObjectDisplayName,  Number, TimeGenerated, PublisherName, Description| sort-object TimeRaised -descending

foreach ($object in $eventView){

     $dataObject = $ScriptContext.CreateInstance(“xsd://OpsConfig!sample/dashboard”)

     $dataObject[“Id”] = [String]($object.Id)

     $dataObject[“Event Number”] = [Int]($object.Number)

     $dataObject[“Source”] = [String]($object.MonitoringObjectDisplayName)

     $dataObject[“Time Created”] = [String]($object.TimeGenerated)

     $dataObject[“Event Source”] = [String]($object.PublisherName)

     $dataObject[“Description”] = [String]($object.Description)

     $ScriptContext.ReturnCollection.Add($dataObject)

}

And then the ADFS code would look like this, though event 17 was not the event they wanted to exclude:

$rule = get-scomrule -DisplayName “Federation server events collection”

$DateNow = date

#Modify the .AddMinutes below to determine how far back to pull events

$DateAgo = $DateNow.AddMinutes(-60)

#$_.Number -ne(not equals) is used to indicate the event number that you want to exclude from the view

$eventView = Get-scomevent -rule $rule |where-object {$_.Number -ne 17 -and $_.TimeGenerated -ge $DateAgo -And $_.TimeGenerated -le $DateNow}|Select Id, MonitoringObjectDisplayName,  Number, TimeGenerated, PublisherName, Description| sort-object TimeRaised -descending

foreach ($object in $eventView){

     $dataObject = $ScriptContext.CreateInstance(“xsd://OpsConfig!sample/dashboard”)

     $dataObject[“Id”] = [String]($object.Id)

     $dataObject[“Event Number”] = [Int]($object.Number)

     $dataObject[“Source”] = [String]($object.MonitoringObjectDisplayName)

     $dataObject[“Time Created”] = [String]($object.TimeGenerated)

     $dataObject[“Event Source”] = [String]($object.PublisherName)

     $dataObject[“Description”] = [String]($object.Description)

     $ScriptContext.ReturnCollection.Add($dataObject)

Hopefully this helps save a little bit of time for anyone else who comes across a question like this one.

Tagged , , , , , ,

Comic Relief: RSA-2048

497

Comic Credit: Abstruse Goose

Happy Friday!

Tagged

How do I: Change the default behavior of the DB Mirror Status Monitor

MP Authoring Series (For an explanation of this series read this post first.)

Real World Issue: Customer is seeing a lot of Critical alerts for Mirrored Databases in a Disconnected state, but only Warning alerts for Mirrored Databases in Suspended state. In this customer’s environment brief disconnects are common and not necessarily indicative of a Critical issue, whereas a mirrored database in a Suspended state is always Critical for this customer. The customer wants to swap the default states such that Disconnected will now be Warning and Suspended will be Critical.

There are three Mirrored Database Mirror Status Monitors

01 02

When we dig into the properties

2.5

We see the three states as well as the corresponding Statuses that map to those states.

03

When we check Overrides we find there is nothing we can override to meet the customer needs:

04

So to accommodate this request we need to do a little custom authoring in Visual Studio + VSAE.

The process isn’t too complex, however, it is much easier to absorb via video than the many page article that would result if I tried to document the steps by hand:

Once you have your final successful build you will find your files in the bin–Debug folder of your project:

05

Once you import your custom MP into SCOM you will have a cloned monitor with your modified behavior:

06

 

Tagged , , ,

SCOM Management Pack Authoring Training: A different approach (Part I)

It would be wrong to start off any discussion of SCOM authoring without pointing out some of the great resources that do exist on this topic:

-The MSDN Operations Manager Development Kit  (Excellent for those of the developer persuasion, but less friendly for those whom PowerShell is much more comfortable than C#)

-Steve Wilson’s classic  AuthorMP blog posts. (A bit dated, but they remain a source of some the most insightful posts on various aspects of OpsMgr)

-Jonathan Almquist’s posts both in his old, and new home

-Brian Wren has put together great video content + some awesome posts over the years

-Graham Davies and the Manageability Guys in the UK have some awesome posts: 1, 2 , 3,  4, 5, 6, 7, 8

-If you happen to be a Microsoft Premier customer there is a great workshop on SCOM Authoring with Visual Studio that came out last year

-And countless members of the community like Tao Yang &  Raphael Burri who have written high quality MPs that can serve as a primer to those who want to dig in and start authoring. (Since I started writing this post awhile back I believe Tao has hosted some MP authoring training, haven’t gotten a chance to look at it yet, but once I do I will add a link.)

-There are of course many other worthwhile posts throughout the SCOM community both inside and outside of Microsoft, but that is what Bing, Google, and DuckDuckGo are for.

But despite all that great content out there. Management Pack authoring can be an extremely difficult skill to acquire. At least from my own perspective – starting out in MP Authoring was really hard. Even after having read the vast majority of the published info on MP authoring, and watching all the videos that are out there I can’t say that I felt particularly confident to wade into Visual Studio and start writing management packs. I understood the basic mechanics, but I lacked the ability to fill in the inevitable gaps of knowledge to be able to author custom MPs that met real enterprise level business needs.

Unfortunately, a lot of the best how-to examples and step-by-step tutorials tend to be a little generic. I suspect this is done intentionally to minimize complexity as much as possible. The hope being that a budding MP author can learn the fundamentals and then extrapolate from the excellent guide on “how to author a custom MP that no one would ever import into their real environment”, and later apply this knowledge to some real-world problem.

My brain tends to not work that way. It is easily distracted by shiny objects and Wikipedia. To learn I need concrete real-world examples, problems, deadlines.  For me the most valuable training in MP authoring came not from all the guides and links referenced above, but from a single one hour Lync call with a senior colleague at Microsoft. I had a specific question that I didn’t know how to solve and step-by-step over the course of an hour he walked me through how to build an MP that addressed that request.

I really wish there were a ton of Authoring videos like that call out there following the simple formula:

Real-world enterprise monitoring problem that is not currently addressed by a Management Pack + Screen capture video that walks through the process every step of the way.

Sadly as fun as it would be to simply complain, I think there might be some small value in me adding what little I know about MP authoring to the general ether following the format above.

I had toyed with the idea of doing Livecoding.tv or live Twitch.tv sessions, but my home internet connection these days is DSL so the upload streaming experience is lacking, so these will be pre-recorded sessions with some light editing.

The first installment can be found here:

MP Authoring 001

I have about 10 videos planned so far and if the first few are of any use to the community I will shoot for publishing a new video every two weeks until I run out of ideas.

Tagged , , ,

How Do I: Access SCOM Properties Programmatically

For some background. The question that led to this post was in regard to being able to access properties that SCOM was discovering in order to detect config drift in some networking hardware. Normally when I get a question like this my first answer is don’t use SCOM for this–use OMS, SCCM, or some other tool designed specifically for this purpose. With that said, they had a specific use case that made sense, and SCOM was already collecting all the properties they cared about as part of a 3rd party Management Pack so the primary goal became giving the customer a better picture of where this data gets stored and the easiest way to access it.

First way of getting at discovered property data is via the OperastionsManager Database (The usual caveats about directly querying the OpsDB not being recommended or supported apply.)

There are tables called Dbo.MT which contain the various properties associated with a certain class of object.

prop01

If I look at something like SQL 2014 Databases I find the following: (There are more properties, but they get truncated off screen)

Select * from dbo.MT_Microsoft$SQLServer$2014$Database

prop02

To make this a little more meaningful we need to pick which tables we are interested in and join FullName from BaseManagedEntityID so we can understand which systems these databases are associated with. For this I wrote the following query:

SELECT

BME.FullName,

MT.DatabaseName_3AD1AB73_FD77_E630_3CDE_2CA224473213 As ‘DB Name’,

MT.DisplayName,

MT.DatabaseAutogrow_E32D36C4_7E11_62BE_D5B4_B77C841DCCA1 As ‘DB Autogrow’,

MT.RecoveryModel_772240AD_E512_377C_8986_E4F8369BDC21 As ‘DB RecoveryModel’,

MT.LogAutogrow_75D233F6_0569_DB26_0207_8894057F498C As ‘LogAutogrow’,

MT.Collation_4BC5C384_34F3_4C3F_A398_2298DBA85BCD As ‘Collation’,

MT.BaseManagedEntityId

FROM dbo.MT_Microsoft$SQLServer$2014$Database MT

JOIN dbo.BaseManagedEntity BME On BME.BaseManagedEntityID  = MT.BaseManagedEntityId

Which gives this output:

prop03

You could also get at similar data through the SDK via PowerShell (This would technically be the officially supported technique, though sometimes not as flexible as SQL). To do this you would use something like:

Import-Module OperationsManager

$WindowsServerClass= Get-SCOMClass -Name Microsoft.SQLServer.2014.Database

$ServerObjects = Get-SCOMClassInstance -Class $WindowsServerClass | Select Fullname, *.DatabaseName,*.RecoveryModel,*.DatabaseAutogrow,*.LogAutogrow,*.Collation

$ServerObjects

This will give you results that look as follows: (I just arbitrarily picked a few properties, there are more available that you can look at with either I get-member or | Select *

prop04

From there we can make things a little more readable with the following:

Import-Module OperationsManager

$WindowsServerClass= Get-SCOMClass -Name Microsoft.SQLServer.2014.Database

$ServerObjects = Get-SCOMClassInstance -Class $WindowsServerClass

$ServerObjectsB = $ServerObjects | Select *.DatabaseName, *.RecoveryModel, *.DatabaseAutogrow, *.LogAutogrow, *.Updateability, *.UserAccess, *.Collation, *.Owner, *.ResourcePool | FT

prop05

From there we started playing around with ways to quickly identify differences:

prop06

This is still a work in progress, but I figured I would share in case this can be of use to anyone.

Tagged ,

How do I: Send SMS Text Message Notifications for Heartbeat Failures

Continuing in my series of interesting questions from last year and my answers here is one on Sending SMS Notifications for Heartbeat Failures for a subset of mission critical servers. The added wrinkle to this question was they also needed to be certain (due to the security requirements of their environment) that no information regarding servername, IP address, or other info of that nature which might be part of a typical alert description make it into the text alerts.

Text Alert on Heartbeat failures without Confidential information/Server names

SCOM Heartbeat Failure Chain of events:

01SMS

Above Diagram pilfered with attribution from TechNet.

First you need to setup a new E-Mail Notification Channel

Select Administration

02SMS

Channels:

03SMS

New

04SMS

Select E-Mail (SMTP)

05SMS

Enter a Channel Name:

06SMS

Enter a SMTP Server and a Return address (You will likely need an exception that will allow the SMTP server to send messages outside your domain)

07SMS

Modify the Subject and Message as follows:

E-mail subject:

Alert: $Data[Default=’Not Present’]/Context/DataItem/AlertName$ Resolution state: $Data[Default=’Not Present’]/Context/DataItem/ResolutionStateName$

E-mail Message:

Alert: $Data[Default=’Not Present’]/Context/DataItem/AlertName$

Last modified by: $Data[Default=’Not Present’]/Context/DataItem/LastModifiedBy$

Last modified time: $Data[Default=’Not Present’]/Context/DataItem/LastModifiedLocal$

(Ultimately you could add additional text here as well, the key is that we are pulling out the variables from the Channel that would normally populate the server name when there is a heartbeat failure)

08SMS

Click Finish

09SMS

Create a new Subscription

10SMS

Created by specific rules or monitors — Health Service Heartbeat Failure

With a specific resolution state–New

11SMS

Add subscribers (If you want it to send text messages you can create new unique subscriber and have an address that consists of the appropriate cell number + service provider combination:

Sprint

cellnumber@messaging.sprintpcs.com 

Verizon

cellnumber@vtext.com

T-Mobile

cellnumber@tmomail.net

AT&T

cellnumber@txt.att.net

For my example I am just using an internal account in my environment.

12SMS

Select your newly created notification channel. You may want to delay notifications by 15 minutes.  That way if the server is down for less than 15 minutes you won’t get a text message at 3 AM.

13SMS

Click Finish

14SMS

Now if a server goes offline the console will still generate an alert as before with the server name:

15SMS

But the e-mail or text message will be generic without any confidential information:

16SMS

For alerts other than heartbeat you might have to check and craft a slightly modified channel to insure no info you don’t want texted is sent out.

A quick example to illustrate this:

Ultimately $Data/Context/DataItem/AlertName$ will map to a different value for each type of alert. So for the alert below:

17SMS

That variable maps to:

18SMS

So Alert Name by itself will not map to anything proprietary like IP Address/domain/computername etc unless you have created a custom alert which contains any of this info in the Alert Name field. Though with that said it may still map to info about specific technologies. So one might be able to use the Alert Name to determine what types of applications you are running which could in some cases be a security concern. To get a sense of the type of values that typically show up in your environment the quick and easy method is to just look at your Monitoring Pane – Active Alerts  Name column:

19SMS

So for my environment you could learn from this info what apps I am running (SharePoint, SQL, ACS), in the case of the Page Life Expectancy you are able to find out the version of SQL etc. If this kind of info isn’t a security concern for your business you could just pass the Alert Name field from any alerts that meet a certain Severity/Priority Criteria. If this type of info is a concern then you need to determine which alerts are ok to pass alert name like Health Service Heartbeat failure and which need to be withheld and then filter your notification subscription criteria accordingly.

If you want a slighter better view of this info you could use PowerShell:

Import-Module OperationsManager

Get-SCOMAlert 

20SMS

Get-SCOMAlert | Select Name

This will give you possible values that could populate that variable. (Keep in mind this will only pull back values that are currently in the OpsDB so this will be all alerts in that DB based on your grooming/retention settings.)

 

Tagged , , ,

How do I: Add Exclusion Criteria to SCOM Notification Subscriptions

By default all filtering criteria in MP Notification subscriptions are specific to inclusion. There is no native ability via the GUI to indicate that the subscription should pick up every alert related by a certain criteria with the exception of a specific subset of alerts. The only way to accomplish this via the GUI is if your inclusion criteria specifically enumerates every other alert instance with the exception of the alerts you want to exclude.

01

An example where this would cause problems is if you want to have one notification subscription that notifies for every Alert of a Severity of Critical with the exception of alerts from a specific monitor.

02

The first part is easy with the above config, but the second part (the excluding one specific monitor alert) is not possible. This type of scenario becomes important when you want to have two subscriptions:

 

  1. One that sends all critical alerts immediately with the exception of one specific monitor alert that has a recovery.
  2. And a second subscription that is on a 5 minute delay and gives the monitor a chance to recover and only sends an alert if post recovery running and health recalc the monitor still shows an unhealthy condition.

So to accomplish this we need to do a little custom work at the XML level.

First please note that according to the following TechNet article

https://technet.microsoft.com/en-us/library/hh212805.aspx

03

This is of course in reference to what you can and cannot do at the GUI level, but keep in mind that what you are doing is not officially supported and that you need to test carefully because it is very easy to accidentally break your subscription. (Also note that modifying a subscription in this way will require you to change your procedure for future modifications made to the GUI due to the fact that future changes in the GUI will blow away your manual XML changes so if you need to tweak the subscription at the GUI level at a later date you need to remember that you will have to run through the process below again to re-establish the exclusion.)

So to Add an Exclusion to a Notification Subscription

Administration Pane

04

Management Packs

05

Export Notifications Internal Library MP

06

Make a backup copy of this MP XML for safekeeping

Open non backup exported XML in text editor of choice. I am using Visual Studio, but anything including notepad will work.

The Channel Subscription and Subscriber info is all defined within this pack. You need to find the section of XML that corresponds to the subscription you are interested in.

In the case of my environment the Subscription is called Test Subscription:

08

If I scroll to the end of the Management Pack XML I will hit the <DisplayStrings></DisplayStrings> section where I can find the corresponding ID that will allow me to find the my subscription. (If you only have a few subscriptions you may be able to figure this out without the ID, but just to be safe it can be helpful to make sure you are editing the right subscription.

I Find my Test Subscription and see that it has a unique Element ID of: Subscription7adf1953_5ea7_4f20_85c9_67271662212a

09

If I then search the XML for references to this Element ID I will find the relevant portion of XML that we are going to want edit.

10

 

The important part that we will need to modify is contained within the <AlertChangedSubscription></AlertChangedSubscription>

 

In the case of this particular notification subscription we will change:

 

<AlertChangedSubscription Property=”Any”>

<Criteria>

<Expression>

<SimpleExpression xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“>

<ValueExpression>

<Property>Severity</Property>

</ValueExpression>

<Operator>Equal</Operator>

<ValueExpression>

<Value>2</Value>

</ValueExpression>

</SimpleExpression>

</Expression>

</Criteria>

<ExpirationStartTime>12/11/2015 22:12:44</ExpirationStartTime>

<PollingIntervalMinutes>1</PollingIntervalMinutes>

<UserSid>S-1-5-21-2573163049-3319608367-1007842708-1106</UserSid>

<LanguageCode>ENU</LanguageCode>

<ExcludeNonNullConnectorIds>false</ExcludeNonNullConnectorIds>

<RuleId>$MPElement$</RuleId>

<TargetBaseManagedEntityId>$Target/Id$</TargetBaseManagedEntityId>

<TimeZone>E001000000000000C4FFFFFF00000B0000000100020000000000000000000300000002000200000000000000|Pacific Standard Time</TimeZone>

</AlertChangedSubscription>

To:

<AlertChangedSubscription Property=”Any”>

<Criteria>

<Expression>

<And xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“>

<Expression>

<SimpleExpression>

<ValueExpression>

<Property>ProblemId</Property>

</ValueExpression>

<Operator>NotEqual</Operator>

<ValueExpression>

<Value>b59f78ce-c42a-8995-f099-e705dbb34fd4 </Value>

</ValueExpression>

</SimpleExpression>

</Expression>

<Expression>

<SimpleExpression>

<ValueExpression>

<Property>Severity</Property>

</ValueExpression>

<Operator>Equal</Operator>

<ValueExpression>

<Value>2</Value>

</ValueExpression>

</SimpleExpression>

</Expression>

</And>

</Expression>

</Criteria>

<ExpirationStartTime>12/11/2015 19:50:38</ExpirationStartTime>

<PollingIntervalMinutes>1</PollingIntervalMinutes>

<UserSid>S-1-5-21-2573163049-3319608367-1007842708-1106</UserSid>

<LanguageCode>ENU</LanguageCode>

<ExcludeNonNullConnectorIds>false</ExcludeNonNullConnectorIds>

<RuleId>$MPElement$</RuleId>

<TargetBaseManagedEntityId>$Target/Id$</TargetBaseManagedEntityId>

<TimeZone>E001000000000000C4FFFFFF00000B0000000100020000000000000000000300000002000200000000000000|Pacific Standard Time</TimeZone>

</AlertChangedSubscription>

This is going to vary depending on the complexity of your existing subscription you have to be careful to take into account existing <And> and <Or> tags when present.

<Value>b59f78ce-c42a-8995-f099-e705dbb34fd4</Value> Needs to be set to the appropriate ID for the alert you want to exclude.

For my example I am using the HealthService Heartbeat failure alert from my environment.

To determine the ID that is associated with a specfic rule/monitor generated alert that is currently present in the console you can use the following PowerShell from a Management server. Keep in mind if testing between a test and prod environment that ID values on custom monitors may be different. Run the PowerShell in both environments to be sure before implementing in prod.

11 12

For my test I will exclude any Health Service Heartbeat failure alerts which have the following ID:

13

If you don’t have an alert in the console to find the ID you could use the following query which will give you the ID of every Monitor in SCOM:

get-SCOMMonitor | select-object @{Name=”MP”;Expression={ foreach-object {$_.GetSCOMManagementPack().DisplayName }}},DisplayName, Priority, Enabled, Id | Out-GridView

 

14

15

You can use the Add criteria button to filter things down further:

16

Once the modifications to the management pack are complete you can reimport the newly updated management pack.

*WARNING* Keep in mind that the this UNSEALED MP will replace the existing MP on import so if there is an error in your code you could potentially break all subscriptions in your environment. This is why having a backup copy is extremely important. It is also why you need to test this procedure in a test environment before trying it in prod *WARNING* Again keep in mind that future changes to this notification subscription via the GUI will break your exclusion criteria and require you to manually modify the subscription again.

17

Click Install

18 19

Once imported generate one of the alerts that correspond with the exclude ID to see if it is properly excluded from the notification. Also test generate alerts that should be picked up by the subscription to confirm they are still being sent and that the subscription is not broken. Also Watch the console for any notification subscription specific alerts. If there are any errors in your syntax it can create a situation where you break all notifications.

Now when I have Critical Alerts The Health Service Heartbeat failures will be excluded from my subscription, but all other alerts including those made by monitors that are created in the future with a severity of critical will get picked up:

20

21

Again keep in mind the one caveat to modifying subscription XML in this way is that you lose the ability to edit that subscription via the GUI in the future. If I modify the subscription further during the GUI after making manual XML changes it will blow away the exclusion/Not Equal XML that was added. If you need to edit the subscription via the GUI just remember you need to go through the process above again to manual edit the XML.

 

Tagged , , ,

Talks: Jeffrey Snover – The Cultural Battle To Remove Windows from Windows Server

Fascinating talk from Jeffrey Snover on the road from the Monad Manifesto to PowerShell to Nano Server.

 

Tagged , , ,