Rule.AlertGenerating.EventLog.EventIdExpression.mpx
<ManagementPackFragment SchemaVersion="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<!--
%%
Description:
A RULE to ALERT on a specific EventID in a specific Windows Event Log
CompanyID - is a short abbreviation for your company with NO SPACES OR SPECIAL CHARACTERS ALLOWED
AppName - is a short name for your app with NO SPACES OR SPECIAL CHARACTERS ALLOWED
ClassID - is the targeted class such as your custom class or Windows!Microsoft.Windows.Server.OperatingSystem
LogName - is the Event Log Name (System, Application, Operations Manager, etc)
EventID - is a REGEX (Regular Expression) matching on one or more event IDs such as (101, 101|102, 101|102|103, 10[0-9], etc)
UniqueID - We need a Unique ID for this workflow to reuse the fragment. Create a short unique and descriptive ID for what this workflow does. (NO SPACES OR SPECIAL CHARACTERS ALLOWED)
Version: 1.0
LastModified: 25-July-2017
%%
In this fragment you need to replace:
##CompanyID##
##AppName##
##ClassID##
##LogName##
##EventID##
##UniqueID##
This fragment depends on references:
RequiredReference: Alias="Windows", ID="Microsoft.Windows.Library"
RequiredReference: Alias="Health", ID="System.Health.Library"
@@Author=Kevin Holman@@
-->
<!-- Structure of this fragment:
     1. Monitoring/Rules: one rule whose data source reads the named event log and
        filters on the event number; its single write action raises an alert.
     2. Presentation/StringResources: declares the alert message ID the write action refers to.
     3. LanguagePacks: English display name for the rule and the alert name/description text.
     The same ##CompanyID##.##AppName##.##UniqueID## prefix ties the three parts together,
     so every ##...## token must be replaced consistently throughout the file. -->
<Monitoring>
<Rules>
<!-- NOTE(review): Remotable="true" and ConfirmDelivery="true" are SCOM rule attributes; as I read
     the MP schema they allow the workflow for agentless-managed targets and request guaranteed
     delivery of the data item, and DiscardLevel bounds how many items may be queued - confirm
     against the Management Pack schema reference before changing them. -->
<Rule ID="##CompanyID##.##AppName##.##UniqueID##.Alert.Rule" Enabled="true" Target="##ClassID##" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Alert</Category>
<DataSources>
<!-- Event provider data source: subscribes to the ##LogName## log on the computer hosting the target. -->
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>##LogName##</LogName>
<!-- Filter: the event number (EventDisplayNumber) must match ^(##EventID##)$.
     The outer group keeps an alternation such as 101|102 inside the ^...$ anchors, so only a
     whole-number match fires; the substituted value therefore must not contain an unbalanced
     ")" or its own anchors, or the pattern loses that whole-value guarantee. -->
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(##EventID##)$</Pattern>
</RegExExpression>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<!-- Alert write action: every data item that passes the filter above reaches this action. -->
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority> <!-- 0=Low, 1=Medium, 2=High -->
<Severity>1</Severity> <!-- 0=Information, 1=Warning, 2=Critical -->
<!-- Name, description and owner are left empty here; the alert text comes from the
     AlertMessageId string resource and its language-pack DisplayString below. -->
<AlertName />
<AlertDescription />
<AlertOwner />
<AlertMessageId>$MPElement[Name="##CompanyID##.##AppName##.##UniqueID##.Alert.Rule.AlertMessage"]$</AlertMessageId>
<!-- AlertParameter1 fills the {0} placeholder of the alert Description display string.
     It is the logged event's description text, passed through verbatim. -->
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<!-- NOTE(review): Suppression is empty, so no suppression values are defined; as I read the
     GenerateAlert action, that means each matching event raises a separate alert rather than
     incrementing a repeat count on an existing one. If the event can burst, consider adding
     SuppressionValue entries (e.g. keyed on the event number) - confirm against the MP schema. -->
<Suppression />
<!-- Custom alert fields; none are populated by this fragment. -->
<Custom1 />
<Custom2 />
<Custom3 />
<Custom4 />
<Custom5 />
<Custom6 />
<Custom7 />
<Custom8 />
<Custom9 />
<Custom10 />
</WriteAction>
</WriteActions>
</Rule>
</Rules>
</Monitoring>
<Presentation>
<StringResources>
<!-- The alert message element referenced by AlertMessageId above; its text lives in the language pack. -->
<StringResource ID="##CompanyID##.##AppName##.##UniqueID##.Alert.Rule.AlertMessage" />
</StringResources>
</Presentation>
<LanguagePacks>
<LanguagePack ID="ENU" IsDefault="true">
<DisplayStrings>
<!-- Display name of the rule as shown in the console. -->
<DisplayString ElementID="##CompanyID##.##AppName##.##UniqueID##.Alert.Rule">
<Name>##CompanyID## ##AppName## ##UniqueID## Alert Rule</Name>
</DisplayString>
<!-- Alert name and description; {0} is replaced by AlertParameter1 ($Data/EventDescription$). -->
<DisplayString ElementID="##CompanyID##.##AppName##.##UniqueID##.Alert.Rule.AlertMessage">
<Name>##CompanyID## ##AppName## ##UniqueID## Alert</Name>
<Description>Event Description: {0}</Description>
</DisplayString>
</DisplayStrings>
</LanguagePack>
</LanguagePacks>
</ManagementPackFragment>