Monday, January 30, 2012

Monitoring Custom Event Log using SCOM 2007 R2

I am going to configure SCOM to generate an alert, and send an email notification, whenever an event gets logged in a custom log that lives under "Applications and Services Logs" in Event Viewer.

From the Operations Console go to Authoring tab -> Rules (under Management Pack Objects)

Choose "NT Event Log (Alert)" for the rule type

Provide a name and optionally a description for the rule and click Select next to Rule target.
Make sure you UNCHECK "Rule is enabled" before you proceed! A rule created in the enabled state runs on every instance of its target class; creating it disabled lets you switch it on later with an override for only the servers you care about.

Find a generic class that every object you want to monitor belongs to; in most cases "Windows Computer" will do.

Specify the name of the event log to be monitored. You can browse to a computer and select the log name. For logs under "Applications and Services Logs" the name must be the full channel name as shown in the log's Properties in Event Viewer (for event tracing channels this contains a slash, e.g. Vendor-Product/Operational), not the display name shown in the tree.

Add the expressions that match the desired event (for example Event ID equals a given number and Event Source equals your application's source). Only events that satisfy every expression will raise an alert.

The alert description becomes the email body. Reference every event property you want to read with its XPath variable; for an NT Event Log rule in SCOM 2007 R2 these are $Data/LoggingComputer$ (computer), $Data/PublisherName$ (event source), $Data/EventDisplayNumber$ (event ID), $Data/Channel$ (log name), $Data/EventLevel$ (level) and $Data/EventDescription$ (description), with $Data/Params/Param[1]$, $Data/Params/Param[2]$, ... for the individual insertion strings. In my case I put the computer, event source and description. Find more queries here

After you create the rule, configure an override that sets Enabled to True for the servers (or a group of servers) you want to monitor, and save it to a custom management pack rather than the Default Management Pack.

Finally, configure a subscription for the alerts raised by the rule.
From the Administration tab -> Notifications -> Subscriptions -> New

For the criteria choose "created by specific rules or monitors (e.g., sources)" and click "specific" to pick your rule.

Add the subscriber, or create one if you haven't done so yet.

Add your email channel, or create one if you haven't done so yet.

Finish the wizard and you're done.
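To prove the rule, override and subscription actually work end to end, write a test event into the custom log on one of the overridden servers and check that an alert (and an email) arrives. The script below is an added example, not part of the original post: it creates a custom classic log (which Event Viewer lists under "Applications and Services Logs"), writes an event whose fields match the filter expressions, and reads it back. The log name "MyApp", source "MyAppService", event ID 1001 and the message text are assumptions for illustration; replace them with the values used in your rule. Run it in an elevated PowerShell session on the monitored server.

```powershell
# Added example (not from the original post): generate a test event that should
# trip a custom event log alert rule in SCOM 2007 R2.
# Assumed names: log "MyApp", source "MyAppService", event ID 1001.
$LogName  = 'MyApp'
$Source   = 'MyAppService'
$EventId  = 1001

# Register the log/source once. New-EventLog fails if the source already exists,
# so only create it when it is missing.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
    Write-Host "Created log '$LogName' with source '$Source'"
}

# Write the event. These fields map to the alert description variables:
#   computer  -> $Data/LoggingComputer$
#   $Source   -> $Data/PublisherName$
#   $EventId  -> $Data/EventDisplayNumber$
#   $LogName  -> $Data/Channel$
#   -Message  -> $Data/EventDescription$ (and $Data/Params/Param[1]$)
$stamp = (Get-Date).ToString('s')
Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
               -EntryType Error -Message "SCOM test event written at $stamp"

# Read the event back to confirm it landed in the log the rule is watching.
# Get-EventLog works for classic logs; Get-WinEvent -LogName would also do.
$latest = Get-EventLog -LogName $LogName -Newest 1
if ($latest.EventID -eq $EventId -and $latest.Source -eq $Source) {
    Write-Host "Test event $($latest.EventID) from $($latest.Source) logged at $($latest.TimeGenerated)."
    Write-Host "Now check the Operations Console (Monitoring -> Active Alerts) and your mailbox."
} else {
    Write-Warning "Newest event in '$LogName' does not match the test event; check the log and source names."
}
```

If the event is in the log but no alert appears, the usual causes are that the override did not enable the rule for this server (or the management pack holding the override was not saved), that the rule's log name does not match the channel name exactly, or that the agent has not yet received the updated configuration; the SCOM agent picks up rule changes only after its configuration refreshes.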


  1. Your alert description variables (XPath query) don't work for SCOM 2007 R2 when creating an event log alerting rule.

    Can you clarify the proper variables for EventID, EventSource, and EventDescription?

  2. How can I target many servers but exclude a specific server via event description?