Okay, I know nothing can replace sex.
But, really, having a template file that enables you to see around 20 of the most used management pack rules is pretty exciting, too.
Let's take a look at what's under the hood:
Okay, that doesn't look very exciting without expanding one of these. So, let's take a look at the Microsoft.SystemCenter.RuleTemplates.Windows.EventAlert.
As you can see, if you have used this provider before, this template really does cover the bases.
So let's take a look at the mapping of the elements:
ID
Name
Enabled
Description
Target
Category
LocalId
ComputerName
LogName
While the example below is from the 2003 MP, it is also the best way to show you where all the attributes go.
<Rule
    ID="Microsoft.Windows.Server.2003.OperatingSystem.ServiceOrDriverFailedToStart.Alert"
    Enabled="false"
    Target="Microsoft.Windows.Server.2003.OperatingSystem"
    ConfirmDelivery="false"
    Remotable="true"
    Priority="Normal"
    DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
    </DataSource>
  </DataSources>
Okay, so where do ConfirmDelivery, Remotable, Priority and DiscardLevel come from?
The rule properties:
' Assumes rule is assigned an existing ManagementPackRule before these properties are set.
Dim rule As ManagementPackRule
rule.ConfirmDelivery = True
rule.DiscardLevel = "100"
rule.Priority = ManagementPackWorkflowPriority.Normal
rule.Remotable = True
Also notice that the rule.Priority is not the same as the priority and severity used once the alert gets raised.
Typically, the DisplayName, Description, Alert Name and Alert Description are properties designed to create display strings. Of course, these strings not only make the MP easier to understand, they also serve to explain why the alert occurred.
Now, how can we find out, if we didn't know, where the Priority and Severity values come from?
By going through each of the IncludeSchemaTypes, we find our answer in the System.Health.Library.mp:
<xsd:simpleType name="System.Health.AlertPriority">
  <xsd:restriction base="xsd:string">
    <xsd:enumeration value="Low" />
    <xsd:enumeration value="Normal" />
    <xsd:enumeration value="High" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="System.Health.AlertSeverity">
  <xsd:restriction base="xsd:string">
    <xsd:enumeration value="Information" />
    <xsd:enumeration value="Warning" />
    <xsd:enumeration value="Error" />
    <xsd:enumeration value="MatchMonitorHealth" />
  </xsd:restriction>
</xsd:simpleType>
Now, let's take a look at the expression portion of the MP. Below are the values used in the expression. There are a lot of "Or" pairs, whose values I've listed below.
PublisherName Equal Service Control Manager
EventDisplayNumber Equal 7000
EventDisplayNumber Equal 7001
EventDisplayNumber Equal 7002
EventDisplayNumber Equal 7003
EventDisplayNumber Equal 7008
EventDisplayNumber Equal 7013
EventDisplayNumber Equal 7014
EventDisplayNumber Equal 7022
EventDisplayNumber Equal 7023
EventDisplayNumber Equal 7025
EventDisplayNumber Equal 7026
EventDisplayNumber Equal 7038
To finish the rule up:
<WriteActions>
  <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
    <Priority>1</Priority>
    <Severity>1</Severity>
    <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.2003.OperatingSystem.ServiceOrDriverFailedToStart.Alert.AlertMessage"]$</AlertMessageId>
    <AlertParameters>
      <AlertParameter1>$Data/EventDescription$</AlertParameter1>
    </AlertParameters>
    <Suppression>
      <SuppressionValue />
    </Suppression>
  </WriteAction>
</WriteActions>
All of this combined creates this:
<Rule ID="Microsoft.Windows.Server.2003.OperatingSystem.ServiceOrDriverFailedToStart.Alert" Enabled="false" Target="Microsoft.Windows.Server.2003.OperatingSystem">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Service Control Manager</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <Or>
              <Expression>
                <Or>
                  <Expression>
                    <Or>
                      <Expression>
                        <Or>
                          <Expression>
                            <SimpleExpression>
                              <ValueExpression>
                                <XPathQuery>EventDisplayNumber</XPathQuery>
                              </ValueExpression>
                              <Operator>Equal</Operator>
                              <ValueExpression>
                                <Value>7000</Value>
                              </ValueExpression>
                            </SimpleExpression>
                          </Expression>
                          <Expression>
                            <SimpleExpression>
                              <ValueExpression>
                                <XPathQuery>EventDisplayNumber</XPathQuery>
                              </ValueExpression>
                              <Operator>Equal</Operator>
                              <ValueExpression>
                                <Value>7001</Value>
                              </ValueExpression>
                            </SimpleExpression>
                          </Expression>
                        </Or>
                      </Expression>
                      <Expression>
                        <Or>
                          <Expression>
                            <SimpleExpression>
                              <ValueExpression>
                                <XPathQuery>EventDisplayNumber</XPathQuery>
                              </ValueExpression>
                              <Operator>Equal</Operator>
                              <ValueExpression>
                                <Value>7002</Value>
                              </ValueExpression>
                            </SimpleExpression>
                          </Expression>
                          <Expression>
                            <SimpleExpression>
                              <ValueExpression>
                                <XPathQuery>EventDisplayNumber</XPathQuery>
                              </ValueExpression>
                              <Operator>Equal</Operator>
                              <ValueExpression>
                                <Value>7003</Value>
                              </ValueExpression>
                            </SimpleExpression>
                          </Expression>
                        </Or>
                      </Expression>
                    </Or>
                  </Expression>
                  <Expression>
                    <Or>
                      <Expression>
                        <Or>
                          <Expression>
                            <SimpleExpression>
                              <ValueExpression>
                                <XPathQuery>EventDisplayNumber</XPathQuery>
                              </ValueExpression>
                              <Operator>Equal</Operator>
                              <ValueExpression>
                                <Value>7008</Value>
                              </ValueExpression>
                            </SimpleExpression>
                          </Expression>
                          <Expression>
                            <SimpleExpression>
                              <ValueExpression>
                                <XPathQuery>EventDisplayNumber</XPathQuery>
                              </ValueExpression>
                              <Operator>Equal</Operator>
                              <ValueExpression>
                                <Value>7013</Value>
                              </ValueExpression>
                            </SimpleExpression>
                          </Expression>
                        </Or>
                      </Expression>
                      <Expression>
                        <Or>
                          <Expression>
                            <SimpleExpression>
                              <ValueExpression>
                                <XPathQuery>EventDisplayNumber</XPathQuery>
                              </ValueExpression>
                              <Operator>Equal</Operator>
                              <ValueExpression>
                                <Value>7014</Value>
                              </ValueExpression>
                            </SimpleExpression>
                          </Expression>
                          <Expression>
                            <SimpleExpression>
                              <ValueExpression>
                                <XPathQuery>EventDisplayNumber</XPathQuery>
                              </ValueExpression>
                              <Operator>Equal</Operator>
                              <ValueExpression>
                                <Value>7022</Value>
                              </ValueExpression>
                            </SimpleExpression>
                          </Expression>
                        </Or>
                      </Expression>
                    </Or>
                  </Expression>
                </Or>
              </Expression>
              <Expression>
                <Or>
                  <Expression>
                    <Or>
                      <Expression>
                        <SimpleExpression>
                          <ValueExpression>
                            <XPathQuery>EventDisplayNumber</XPathQuery>
                          </ValueExpression>
                          <Operator>Equal</Operator>
                          <ValueExpression>
                            <Value>7023</Value>
                          </ValueExpression>
                        </SimpleExpression>
                      </Expression>
                      <Expression>
                        <SimpleExpression>
                          <ValueExpression>
                            <XPathQuery>EventDisplayNumber</XPathQuery>
                          </ValueExpression>
                          <Operator>Equal</Operator>
                          <ValueExpression>
                            <Value>7025</Value>
                          </ValueExpression>
                        </SimpleExpression>
                      </Expression>
                    </Or>
                  </Expression>
                  <Expression>
                    <Or>
                      <Expression>
                        <SimpleExpression>
                          <ValueExpression>
                            <XPathQuery>EventDisplayNumber</XPathQuery>
                          </ValueExpression>
                          <Operator>Equal</Operator>
                          <ValueExpression>
                            <Value>7026</Value>
                          </ValueExpression>
                        </SimpleExpression>
                      </Expression>
                      <Expression>
                        <SimpleExpression>
                          <ValueExpression>
                            <XPathQuery>EventDisplayNumber</XPathQuery>
                          </ValueExpression>
                          <Operator>Equal</Operator>
                          <ValueExpression>
                            <Value>7038</Value>
                          </ValueExpression>
                        </SimpleExpression>
                      </Expression>
                    </Or>
                  </Expression>
                </Or>
              </Expression>
            </Or>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>1</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.2003.OperatingSystem.ServiceOrDriverFailedToStart.Alert.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue />
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
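A nested Or tree like this is hard to audit by eye. The following is an added example, not part of the original post or of the management pack: it rebuilds the expression from the values listed above, flattens it back into the list of event IDs, and evaluates it against events. The function names and sample events are constructed for illustration, the Or nesting is regenerated rather than copied line for line, and only the Equal operator is handled.

```python
import xml.etree.ElementTree as ET

# The twelve EventDisplayNumber values listed in the post.
EVENT_IDS = [7000, 7001, 7002, 7003, 7008, 7013, 7014, 7022, 7023, 7025, 7026, 7038]

def simple(field, value):
    """One Equal comparison, wrapped in <Expression> the way the rule does it."""
    return ("<Expression><SimpleExpression><ValueExpression>"
            f"<XPathQuery>{field}</XPathQuery></ValueExpression><Operator>Equal</Operator>"
            f"<ValueExpression><Value>{value}</Value></ValueExpression>"
            "</SimpleExpression></Expression>")

def or_tree(ids):
    """Nest the IDs into binary <Or> pairs (constructed stand-in for the rule's tree)."""
    if len(ids) == 1:
        return simple("EventDisplayNumber", ids[0])
    mid = len(ids) // 2
    return f"<Expression><Or>{or_tree(ids[:mid])}{or_tree(ids[mid:])}</Or></Expression>"

RULE_EXPRESSION = ("<Expression><And>" + simple("PublisherName", "Service Control Manager")
                   + or_tree(EVENT_IDS) + "</And></Expression>")

def matches(expr, event):
    """Evaluate one <Expression> element against an event (dict of field -> string)."""
    node = expr[0]  # each <Expression> wraps a single And, Or or SimpleExpression
    if node.tag == "And":
        return all(matches(child, event) for child in node)
    if node.tag == "Or":
        return any(matches(child, event) for child in node)
    if node.tag != "SimpleExpression" or node.findtext("Operator") != "Equal":
        raise ValueError(f"unsupported expression node: {node.tag}")
    field = node.findtext("ValueExpression/XPathQuery")
    return event.get(field) == node.findtext("ValueExpression/Value")

def accepted_values(expr, field):
    """Flatten the tree: every literal that `field` is compared against."""
    return sorted(s.findtext("ValueExpression/Value") for s in expr.iter("SimpleExpression")
                  if s.findtext("ValueExpression/XPathQuery") == field)

# Constructed sample events; only the first satisfies both halves of the <And>.
SAMPLE_EVENTS = [
    {"PublisherName": "Service Control Manager", "EventDisplayNumber": "7000"},
    {"PublisherName": "Service Control Manager", "EventDisplayNumber": "7036"},
    {"PublisherName": "Constructed Source", "EventDisplayNumber": "7000"},
]

def alerting_events(events):
    """Return the sample events for which the rule would raise its alert."""
    root = ET.fromstring(RULE_EXPRESSION)
    return [e for e in events if matches(root, e)]
```

To audit the real rule instead of the rebuilt one, parse the `<Expression>` element from the management pack XML and pass it to `accepted_values` and `matches` unchanged.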
Additional features of the templates are shown as below:
As you can see, the library references are listed as well as the layout of the rule, StringResource, and DisplayStrings.