Including the event info in the alert description

When creating a Event Log unit monitor, you might want to include in the alert description the event information. Here are the expression that you can use in order to include the event information in the alert description:

  1. Publisher Name                   - $Data/Context/PublisherName$
  2. Event Number                      - $Data/Context/EventNumber$
  3. User Name                          - $Data/Context/UseName$
  4. Event Description                 - $Data/Context/EventDescription$

Comments (8)
  1. Rem-8 says:

    And if I want to match Event Description in monitor, what should I use? There’s no such field to choose from drop down in monitor wizard.

  2. Many of you know already that alert’s description can contain value of any of the properties of the data

  3. Many of you know already that alert’s description can contain value of any of the properties of the data

  4. bajum says:

    Use the textbox selection and type in EventDescription (no space).

  5. Craig Edmunds says:

    Is there any way of retrieving the detailed event information that my application has written to the event log; i’m using message & category dlls in the windows event log to decode the parameters i log, for example:

    Authentication failed [%1, %2].%r%rUserName=%13%r%rHTTP_USER_AGENT : %3%rHTTP_ACCEPT_ENCODING : %4%rREQUEST_METHOD : %5%rPATH_INFO : %6%rQUERY_STRING : %7%rHTTP_REFERER : %8%rREMOTE_HOST : %9%rREMOTE_PORT : %10%rHTTP_X_FORWARDED_FOR : %11%r%rASP.NET_SessionId=%12

    Produces the following message in the windows event log, & SCOM:

    Authentication failed [-20, Invalid username/password combination supplied.].


    HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)

    HTTP_ACCEPT_ENCODING : gzip, deflate


    PATH_INFO : /maintenance/login.aspx




    REMOTE_PORT : 1305



    But what i’d really like is for (for example) the username parameter (%13) to be written to the custom field of an alert that reacts to this  event being raised.  I assume for this the data would need to be stored within the event somewhere in SCOM, is that possible?  Any help would be really appreciated.

  6. In our MOM 2005 environment, we called a script in response to an event being found in the application log. It would read the event description and pull certain parts out for the alert msg to keep it short and simple.  how is that performed in Ops Mgr?

    In MOM 2005,  we started out with


    ‘ Get Event Description contents


    Set objSourceEvent = ScriptContext.Event

    strMsg = objSourceEvent.Message

    The parse through the strMsg information to get what we wanted and make the alert.

  7. Curtis Perry says:

    I want to filter logon/logoff events by TYPE, looking for Interactive (Type 2) and RemmoteInteractive (Type 10) events.  Can anyone tell me what this field is called so that I can filter for it using "Select an Event Property" => "Use parameter name not specified above"?

    To that end, does anybody have a list of fields possible to use here?


Comments are closed.

Skip to main content