Getting Operations Manager Event Parameters via PowerShell

This blog article is about how to obtain Event Parameters for use in SCOM rules and monitors when you do not have access to the Log Parser tool.

First, a little background. When attempting to read an event from the event log to create a custom rule or monitor, it can be tempting to look at the text in the Event Description and use a wildcard match on the description field. For example, consider the following alert:

If this alert is going to occur for multiple databases, the only differentiation appears to be in the text (database “JonathanTest”) and so we could use the following condition on our rule or monitor.

However, wildcard matches are almost always less efficient than “Equals” conditions. When Kevin Holman shows you how to specify the Event Description field in one of his excellent blog articles (http://blogs.technet.com/b/kevinholman/archive/2008/04/22/using-event-description-as-criteria-for-a-rule.aspx), he goes on to stress that you should use an Event Parameter rather than the EventDescription, and links to an article by Stefan Stranger (http://blogs.technet.com/b/stefan_stranger/archive/2008/05/13/opsmgr-2007-parameters-explained.aspx) on how to use the LogParser tool to obtain these parameters, so you know which parameter number is used where. Parameters are not necessarily in the order you see them in the text.

This is all excellent and I have been using this technique for several years, but I recently had a problem where I was at a client site and needed to get the parameters for an event, but I did not have access to the Log Parser tool. Fortunately, I have discovered that you can now find this information out just by using PowerShell.

Firstly, you need to capture the Event. This can be obtained using the Get-EventLog cmdlet. I did hit the problem that I could not work out how to specify the Event ID, but you can normally play around with the available parameters until you get what you want. In my case the following gave me the event I wanted. If you do find the way to specify the Event ID, please let me know!

$event = Get-EventLog -LogName "Operations Manager" -Source "Health Service Modules" -After 07:54:39 -Before 07:55:00

Once you have selected your event, simply read its ReplacementStrings property with the following command

$event.ReplacementStrings

This will give the following output of the Event Parameters in order.

Once you have got this, you can use this in your rule/monitor event condition as follows.

You can also use these parameters in the text of the alert to provide for a more user friendly error message.

This little PowerShell command will hopefully help you identify which Event Parameter is which and how you can specify them in Operations Manager.
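The two steps above can be combined into one helper that selects the event by ID and numbers each replacement string the way Operations Manager counts parameters. This is an added example, not code from the original post; the function name Get-EventParameterMap and the event ID value are assumptions for illustration.

```powershell
# Added example: list an event's replacement strings together with the
# 1-based number used for "Parameter N" in a rule or monitor condition.
# Get-EventLog is available in Windows PowerShell (5.1 and earlier).
function Get-EventParameterMap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [int]    $EventId,
        [int] $Newest = 1
    )

    # Filter on EventID after retrieval. -InstanceId only matches when the
    # instance ID and the event ID happen to be the same number.
    $events = Get-EventLog -LogName $LogName -Source $Source -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq $EventId } |
        Select-Object -First $Newest

    if (-not $events) {
        Write-Warning "No event $EventId from source '$Source' in log '$LogName'."
        return
    }

    foreach ($e in $events) {
        $strings = $e.ReplacementStrings
        for ($i = 0; $i -lt $strings.Count; $i++) {
            [pscustomobject]@{
                TimeGenerated = $e.TimeGenerated
                EventID       = $e.EventID
                Parameter     = $i + 1      # array index 0 is Parameter 1
                Value         = $strings[$i]
            }
        }
    }
}

# Placeholder: replace 0 with the ID of the event you want to match.
$eventId = 0
Get-EventParameterMap -LogName 'Operations Manager' -Source 'Health Service Modules' -EventId $eventId |
    Format-Table -AutoSize -Wrap
```

Empty replacement strings are kept in the output so the numbering stays aligned with the parameter positions.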


10 Responses to Getting Operations Manager Event Parameters via PowerShell

  1. Pingback: Event Parameters refresher | System Center Operations Manager 2012

  2. Pingback: Event Parameters refresher - SysManBlog

  3. Nice article, to get Event by EventID you could do like this:
    Get-EventLog -LogName Application -Source Outlook -EntryType Information -ErrorAction SilentlyContinue | Where-Object {$_.EventId -eq 26}

  4. And another nice one is to use Newest 1 to get only the latest event:
    $Event = Get-EventLog -LogName Application -Source Outlook -EntryType Information -Newest 1 -ErrorAction SilentlyContinue | Where-Object {$_.EventId -eq 26}

  5. Come to think of it, the -Newest would be wrong here as it could be multiple events with different EventIDs so it would be better to:
    Get-EventLog -LogName Application -Source Outlook -EntryType Information -ErrorAction SilentlyContinue | Where-Object {$_.EventId -eq 26} | select -First 1

  6. Many thanks for filling in that missing method for selecting by Event ID.

  7. Charles McCabe says:

    I’m not saying it’s right, but using -InstanceID to get the event ID for account lockouts has been working here for years:

    Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1

    Doesn’t work everywhere:

    PS C:\Windows\system32> get-eventlog -log application -newest 10 | ft instanceid,eventid

    InstanceId EventID
    ---------- -------
    1530 1530
    1530 1530
    1073750833 9009
    2147483712 64
    1073741830 6
    3260678157 13
    1073742727 903
    1073758208 16384
    1073742726 902
    1073742827 1003

    PS C:\Windows\system32> get-eventlog -log system -newest 10 | ft instanceid,eventid

    InstanceId EventID
    ---------- -------
    1073748864 7040
    1073748860 7036
    1073748860 7036
    1073748860 7036
    1073748860 7036
    1073748860 7036
    1073748860 7036
    1073748860 7036
    1073748860 7036
    1073748860 7036

    PS C:\Windows\system32> get-eventlog -log security -newest 10 | ft instanceid,eventid

    InstanceId EventID
    ---------- -------
    4688 4688
    4688 4688
    4634 4634
    4624 4624
    4672 4672
    4634 4634
    4624 4624
    4672 4672
    4634 4634
    4624 4624

  8. Alex says:

    So how did you find out “JonathanTest” is supposed to be “Parameter 3”? $event.ReplacementStrings does not show “JonathanTest”?

    • The PowerShell screenshot is from a different example of the same error message to the other screenshots. In most of the screenshots the message is ‘Cannot open database “Jonathan Test” ‘ but in the PowerShell it is ‘Cannot open database “OperationsManagerDW” ‘. Sorry for any confusion.
