This blog article is about how to obtain Event Parameters for use in SCOM rules and monitors when you do not have access to the Log Parser tool.
First, a little background. When reading an event from the event log to create a custom rule or monitor, it is tempting to look at the text in the Event Description and use a wildcard match on the description field. For example, consider the following alert.
If this alert is going to occur for multiple databases, the only differentiation appears to be in the text (database “JonathanTest”) and so we could use the following condition on our rule or monitor.
However, wildcard matches are almost always less efficient than "Equals" conditions. When Kevin Holman shows you how to specify the Event Description field in one of his excellent blog articles (http://blogs.technet.com/b/kevinholman/archive/2008/04/22/using-event-description-as-criteria-for-a-rule.aspx) he goes on to stress that you should use an Event Parameter rather than the Event Description, and links to an article by Stefan Stranger (http://blogs.technet.com/b/stefan_stranger/archive/2008/05/13/opsmgr-2007-parameters-explained.aspx) on how to use the Log Parser tool to obtain these parameters, so you know which numbered parameter is used where. Parameters are not necessarily in the order you see them in the text.
This is all excellent and I have been using this technique for several years, but I recently had a problem where I was at a client site and needed to get the parameters for an event, but I did not have access to the Log Parser tool. Fortunately I have discovered that you can find this information out just by using Powershell now.
Firstly, you need to capture the event. This can be obtained using the Get-EventLog cmdlet. I did hit the problem that I could not work out how to specify the Event ID, but you can normally play around with the available parameters until you get what you want. In my case the following gave me the event I wanted. If you do find the way to specify the Event ID, please let me know!
$event = Get-EventLog -LogName "Operations Manager" -Source "Health Service Modules" -After 07:54:39 -Before 07:55:00
Once you have selected your event, simply read the ReplacementStrings property with the following command
$event.ReplacementStrings
This will give the following output of the Event Parameters in order.
Once you have got this, you can use this in your rule/monitor event condition as follows.
You can also use these parameters in the text of the alert to provide for a more user friendly error message.
This little PowerShell command will hopefully help you identify which Event Parameter is which and how you can specify them in Operations Manager.
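As an added example (not code from the original post), the script below wraps the procedure above into two functions: one that retrieves a single event by Event ID and lists each ReplacementString next to the parameter number SCOM uses for it, and one that tells you which parameter holds a particular value such as a database name. The log name, source, Event ID and search string in the usage section are placeholders, not values from the post; substitute the event you are working with.

```powershell
# Added example, not part of the original post. Maps the ReplacementStrings of a
# Windows event to the parameter numbers SCOM expects, and locates the parameter
# that holds a given value. Log name, source, Event ID and search text used at
# the bottom are placeholder assumptions; substitute the event you are chasing.

function Get-EventParameterMap {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][int]$EventId
    )

    # Get-EventLog has no -EventId parameter, so filter client-side on the
    # EventID property (not -InstanceId, which can differ from the Event ID)
    # and keep only the newest matching event.
    $evt = Get-EventLog -LogName $LogName -Source $Source -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq $EventId } |
        Select-Object -First 1

    if (-not $evt) {
        Write-Warning "No event $EventId from source '$Source' found in log '$LogName'."
        return
    }

    # ReplacementStrings is zero-based; SCOM numbers parameters from 1, so
    # index 2 is 'Parameter 3' in the rule/monitor wizard and Params/Param[3]
    # in management pack XML.
    for ($i = 0; $i -lt $evt.ReplacementStrings.Count; $i++) {
        [pscustomobject]@{
            Parameter = $i + 1
            XPath     = "Params/Param[$($i + 1)]"
            Value     = $evt.ReplacementStrings[$i]
        }
    }
}

function Find-EventParameter {
    # Return the map entries whose value contains $Value (case-insensitive).
    param(
        [Parameter(Mandatory)][object[]]$ParameterMap,
        [Parameter(Mandatory)][string]$Value
    )
    $ParameterMap | Where-Object { $_.Value -like "*$Value*" }
}

# Usage with placeholder values: replace log, source and Event ID with your own.
$map = Get-EventParameterMap -LogName 'Operations Manager' -Source 'Health Service Modules' -EventId 0

if ($map) {
    # Full parameter table, so you can see which number corresponds to which text.
    $map | Format-Table -AutoSize

    # Which parameter carries the database name? (placeholder search string)
    Find-EventParameter -ParameterMap $map -Value 'JonathanTest' |
        ForEach-Object { "Use 'Parameter $($_.Parameter)' ($($_.XPath)) in the rule/monitor condition." }
}
```

The Parameter column is the number you enter in the rule or monitor wizard, and the XPath column is the same reference as it appears in management pack XML; both are offset by one from the zero-based index of ReplacementStrings, which is the easiest place to get the count wrong.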
Nice article, to get Event by EventID you could do like this:
Get-EventLog -LogName Application -Source Outlook -EntryType Information -ErrorAction SilentlyContinue | Where-Object {$_.EventId -eq 26}
And another nice one is to use Newest 1 to get only the latest event:
$Event = Get-EventLog -LogName Application -Source Outlook -EntryType Information -Newest 1 -ErrorAction SilentlyContinue | Where-Object {$_.EventId -eq 26}
Come to think of it, the -Newest would be wrong here as it could be multiple events with different EventIDs so it would be better to:
Get-EventLog -LogName Application -Source Outlook -EntryType Information -ErrorAction SilentlyContinue | Where-Object {$_.EventId -eq 26} | select -First 1
Many thanks for filling in that missing method for selecting by Event ID.
I’m not saying it’s right, but using -InstanceID to get the event ID for account lockouts has been working here for years:
Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1
Doesn’t work everywhere:
PS C:\Windows\system32> get-eventlog -log application -newest 10 | ft instanceid,eventid
InstanceId EventID
---------- -------
1530 1530
1530 1530
1073750833 9009
2147483712 64
1073741830 6
3260678157 13
1073742727 903
1073758208 16384
1073742726 902
1073742827 1003
PS C:\Windows\system32> get-eventlog -log system -newest 10 | ft instanceid,eventid
InstanceId EventID
---------- -------
1073748864 7040
1073748860 7036
1073748860 7036
1073748860 7036
1073748860 7036
1073748860 7036
1073748860 7036
1073748860 7036
1073748860 7036
1073748860 7036
PS C:\Windows\system32> get-eventlog -log security -newest 10 | ft instanceid,eventid
InstanceId EventID
---------- -------
4688 4688
4688 4688
4634 4634
4624 4624
4672 4672
4634 4634
4624 4624
4672 4672
4634 4634
4624 4624
Hi there,
Instance ID is not the same as Event ID, but is similar in many circumstances. There is lots of discussion around this, but it appears that Instance ID more uniquely identifies an event please see https://msdn.microsoft.com/en-us/library/system.diagnostics.eventlogentry.instanceid.aspx
Cheers
Jonathan
So how did you find out "JonathanTest" is supposed to be 'Parameter 3'? $event.ReplacementStrings does not show "JonathanTest"??
The PowerShell screenshot is from a different example of the same error message from the other screenshots. In most of the screenshots the message is 'Cannot open database "Jonathan Test"' but in the PowerShell one it is 'Cannot open database "OperationsManagerDW"'. Sorry for any confusion.