Saturday, February 18, 2012

Rules Template -- WOW

Okay, I know nothing can replace sex.

But, really, having a template file that lets you see around 20 of the most used management pack rules is pretty exciting, too.

Let's take a look at what's under the hood:


Okay, that doesn't look very exciting until you expand one of these. So, let's take a look at the Microsoft.SystemCenter.RuleTemplates.Windows.EventAlert.


As you can see, if you have used this provider before, this template really does cover the bases.

So let's take a look at the mapping of the elements:

ID
Name
Enabled
Description
Target
Category
LocalId
ComputerName
LogName

While the example below is from the 2003 mp, it is also the best way to show you where all the attributes go.

<Rule
ID="Microsoft.Windows.Server.2003.OperatingSystem.ServiceOrDriverFailedToStart.Alert" Enabled="false"
Target="Microsoft.Windows.Server.2003.OperatingSystem"
ConfirmDelivery="false"
Remotable="true"
Priority="Normal"
DiscardLevel="100"
>
       <Category>EventCollection</Category>

        <DataSources>
          <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
            <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
            <LogName>System</LogName>
          </DataSource>
        </DataSources>


Okay, so where do ConfirmDelivery, Remotable, Priority and DiscardLevel come from?

The rule properties:

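            ' Assign an existing rule (or create one) before setting its properties
            Dim rule As ManagementPackRule

            rule.ConfirmDelivery = True
            rule.DiscardLevel = 100   ' DiscardLevel is an Integer, not a String
            rule.Priority = ManagementPackWorkflowPriority.Normal
            rule.Remotable = True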

Also notice that the rule.Priority is not the same as the priority and severity used once the alert gets raised.

Typically, the DisplayName, Description, Alert Name and Alert Description are properties designed to create display strings. Of course, these strings not only make the mp easier to understand, they also serve to explain why the alert occurred.

Now, how can we find out, if we didn't know, where the Priority and Severity values come from?


By going through each of the IncludeSchemaTypes, we find our answer in the System.Health.Library.mp:

<xsd:simpleType name="System.Health.AlertPriority">
<xsd:restriction base="xsd:string">
<xsd:enumeration value="Low" />
<xsd:enumeration value="Normal" />
<xsd:enumeration value="High" />       
</xsd:restriction>
</xsd:simpleType>

<xsd:simpleType name="System.Health.AlertSeverity">
<xsd:restriction base="xsd:string">
<xsd:enumeration value="Information" />
<xsd:enumeration value="Warning" />
<xsd:enumeration value="Error" />
<xsd:enumeration value="MatchMonitorHealth" />
</xsd:restriction>
</xsd:simpleType>

Now, let's take a look at the expression portion of the mp. The values used in the expression are listed below; there are a lot of "OR" pairs.

PublisherName           Equal     Service Control Manager

EventDisplayNumber      Equal     7000
EventDisplayNumber      Equal     7001

EventDisplayNumber      Equal     7002
EventDisplayNumber      Equal     7003

EventDisplayNumber      Equal     7008
EventDisplayNumber      Equal     7013

EventDisplayNumber      Equal     7014
EventDisplayNumber      Equal     7022

EventDisplayNumber      Equal     7023
EventDisplayNumber      Equal     7025

EventDisplayNumber      Equal     7026
EventDisplayNumber      Equal     7038

To finish the rule up:

<WriteActions>
  <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
    <Priority>1</Priority>
    <Severity>1</Severity>
    <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.2003.OperatingSystem.ServiceOrDriverFailedToStart.Alert.AlertMessage"]$</AlertMessageId>
    <AlertParameters>
      <AlertParameter1>$Data/EventDescription$</AlertParameter1>
    </AlertParameters>
    <Suppression>
      <SuppressionValue />
    </Suppression>
  </WriteAction>
</WriteActions>


All of this combined creates this:

<Rule ID="Microsoft.Windows.Server.2003.OperatingSystem.ServiceOrDriverFailedToStart.Alert" Enabled="false" Target="Microsoft.Windows.Server.2003.OperatingSystem">
        <Category>EventCollection</Category>
        <DataSources>
          <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
            <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
            <LogName>System</LogName>
            <Expression>
              <And>
                <Expression>
                  <SimpleExpression>
                    <ValueExpression>
                      <XPathQuery>PublisherName</XPathQuery>
                    </ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression>
                      <Value>Service Control Manager</Value>
                    </ValueExpression>
                  </SimpleExpression>
                </Expression>
                <Expression>
                  <Or>
                    <Expression>
                      <Or>
                        <Expression>
                          <Or>
                            <Expression>
                              <Or>
                                <Expression>
                                  <SimpleExpression>
                                    <ValueExpression>
                                      <XPathQuery>EventDisplayNumber</XPathQuery>
                                    </ValueExpression>
                                    <Operator>Equal</Operator>
                                    <ValueExpression>
                                      <Value>7000</Value>
                                    </ValueExpression>
                                  </SimpleExpression>
                                </Expression>
                                <Expression>
                                  <SimpleExpression>
                                    <ValueExpression>
                                      <XPathQuery>EventDisplayNumber</XPathQuery>
                                    </ValueExpression>
                                    <Operator>Equal</Operator>
                                    <ValueExpression>
                                      <Value>7001</Value>
                                    </ValueExpression>
                                  </SimpleExpression>
                                </Expression>
                              </Or>
                            </Expression>
                            <Expression>
                              <Or>
                                <Expression>
                                  <SimpleExpression>
                                    <ValueExpression>
                                      <XPathQuery>EventDisplayNumber</XPathQuery>
                                    </ValueExpression>
                                    <Operator>Equal</Operator>
                                    <ValueExpression>
                                      <Value>7002</Value>
                                    </ValueExpression>
                                  </SimpleExpression>
                                </Expression>
                                <Expression>
                                  <SimpleExpression>
                                    <ValueExpression>
                                      <XPathQuery>EventDisplayNumber</XPathQuery>
                                    </ValueExpression>
                                    <Operator>Equal</Operator>
                                    <ValueExpression>
                                      <Value>7003</Value>
                                    </ValueExpression>
                                  </SimpleExpression>
                                </Expression>
                              </Or>
                            </Expression>
                          </Or>
                        </Expression>
                        <Expression>
                          <Or>
                            <Expression>
                              <Or>
                                <Expression>
                                  <SimpleExpression>
                                    <ValueExpression>
                                      <XPathQuery>EventDisplayNumber</XPathQuery>
                                    </ValueExpression>
                                    <Operator>Equal</Operator>
                                    <ValueExpression>
                                      <Value>7008</Value>
                                    </ValueExpression>
                                  </SimpleExpression>
                                </Expression>
                                <Expression>
                                  <SimpleExpression>
                                    <ValueExpression>
                                      <XPathQuery>EventDisplayNumber</XPathQuery>
                                    </ValueExpression>
                                    <Operator>Equal</Operator>
                                    <ValueExpression>
                                      <Value>7013</Value>
                                    </ValueExpression>
                                  </SimpleExpression>
                                </Expression>
                              </Or>
                            </Expression>
                            <Expression>
                              <Or>
                                <Expression>
                                  <SimpleExpression>
                                    <ValueExpression>
                                      <XPathQuery>EventDisplayNumber</XPathQuery>
                                    </ValueExpression>
                                    <Operator>Equal</Operator>
                                    <ValueExpression>
                                      <Value>7014</Value>
                                    </ValueExpression>
                                  </SimpleExpression>
                                </Expression>
                                <Expression>
                                  <SimpleExpression>
                                    <ValueExpression>
                                      <XPathQuery>EventDisplayNumber</XPathQuery>
                                    </ValueExpression>
                                    <Operator>Equal</Operator>
                                    <ValueExpression>
                                      <Value>7022</Value>
                                    </ValueExpression>
                                  </SimpleExpression>
                                </Expression>
                              </Or>
                            </Expression>
                          </Or>
                        </Expression>
                      </Or>
                    </Expression>
                    <Expression>
                      <Or>
                        <Expression>
                          <Or>
                            <Expression>
                              <SimpleExpression>
                                <ValueExpression>
                                  <XPathQuery>EventDisplayNumber</XPathQuery>
                                </ValueExpression>
                                <Operator>Equal</Operator>
                                <ValueExpression>
                                  <Value>7023</Value>
                                </ValueExpression>
                              </SimpleExpression>
                            </Expression>
                            <Expression>
                              <SimpleExpression>
                                <ValueExpression>
                                  <XPathQuery>EventDisplayNumber</XPathQuery>
                                </ValueExpression>
                                <Operator>Equal</Operator>
                                <ValueExpression>
                                  <Value>7025</Value>
                                </ValueExpression>
                              </SimpleExpression>
                            </Expression>
                          </Or>
                        </Expression>
                        <Expression>
                          <Or>
                            <Expression>
                              <SimpleExpression>
                                <ValueExpression>
                                  <XPathQuery>EventDisplayNumber</XPathQuery>
                                </ValueExpression>
                                <Operator>Equal</Operator>
                                <ValueExpression>
                                  <Value>7026</Value>
                                </ValueExpression>
                              </SimpleExpression>
                            </Expression>
                            <Expression>
                              <SimpleExpression>
                                <ValueExpression>
                                  <XPathQuery>EventDisplayNumber</XPathQuery>
                                </ValueExpression>
                                <Operator>Equal</Operator>
                                <ValueExpression>
                                  <Value>7038</Value>
                                </ValueExpression>
                              </SimpleExpression>
                            </Expression>
                          </Or>
                        </Expression>
                      </Or>
                    </Expression>
                  </Or>
                </Expression>
              </And>
            </Expression>
          </DataSource>
        </DataSources>
        <WriteActions>
          <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
            <Priority>1</Priority>
            <Severity>1</Severity>
            <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.2003.OperatingSystem.ServiceOrDriverFailedToStart.Alert.AlertMessage"]$</AlertMessageId>
            <AlertParameters>
              <AlertParameter1>$Data/EventDescription$</AlertParameter1>
            </AlertParameters>
            <Suppression>
              <SuppressionValue />
            </Suppression>
          </WriteAction>
        </WriteActions>
      </Rule>
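
When reviewing what an alert rule actually covers, the deeply nested Or pairs above are hard to read; flattening them recovers the table of conditions listed earlier. The following Python sketch is an added example, not part of the original post or the management pack: the function names are hypothetical, and the sample expression is a constructed, trimmed copy of the rule's expression with only three event IDs.

```python
import xml.etree.ElementTree as ET

def _simple(field, value):
    # Builds one <SimpleExpression> in the same shape the rule above uses.
    return ("<Expression><SimpleExpression><ValueExpression><XPathQuery>%s"
            "</XPathQuery></ValueExpression><Operator>Equal</Operator>"
            "<ValueExpression><Value>%s</Value></ValueExpression>"
            "</SimpleExpression></Expression>" % (field, value))

# Constructed sample: the rule's expression trimmed to three event IDs.
SAMPLE = ("<Expression><And>"
          + _simple("PublisherName", "Service Control Manager")
          + "<Expression><Or><Expression><Or>"
          + _simple("EventDisplayNumber", "7000")
          + _simple("EventDisplayNumber", "7001")
          + "</Or></Expression>"
          + _simple("EventDisplayNumber", "7002")
          + "</Or></Expression></And></Expression>")

def flatten(expr):
    """Turn an <Expression> element into (field, operator, value) leaves and
    (operator, [terms]) nodes, merging nested chains of the same operator."""
    node = expr[0]  # every <Expression> wraps exactly one child element
    if node.tag == "SimpleExpression":
        left, right = [v[0].text for v in node.findall("ValueExpression")]
        return (left, node.findtext("Operator"), right)
    if node.tag in ("And", "Or"):
        terms = []
        for child in node.findall("Expression"):
            sub = flatten(child)
            if len(sub) == 2 and sub[0] == node.tag:
                terms.extend(sub[1])   # Or inside Or: one flat list
            else:
                terms.append(sub)
        return (node.tag, terms)
    raise ValueError("unsupported expression element: " + node.tag)

def event_ids(tree):
    """Collect every EventDisplayNumber the expression tests for equality."""
    if len(tree) == 3:
        field, op, value = tree
        return [int(value)] if (field, op) == ("EventDisplayNumber", "Equal") else []
    return [i for term in tree[1] for i in event_ids(term)]

if __name__ == "__main__":
    tree = flatten(ET.fromstring(SAMPLE))
    print(tree[0], tree[1][0], sorted(event_ids(tree)))
```

To run it against a real management pack, pass the `Expression` element found under the rule's `DataSource` to `flatten` instead of the constructed sample.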


Additional features of the templates are shown below:


As you can see, the library references are listed as well as the layout of the rule, StringResource, and DisplayStrings.
