Creating Event Based Alerting Rules in SCOM 2012 with PowerShell

This is a continuation of a Data Center Automation series of posts that I have been working on with Anders Bengtsson. Here are the first two posts in this series:

Creating Management Packs in SCOM 2012 with PowerShell
Creating Performance Collection Rules in SCOM 2012 with PowerShell

This script is also included as an activity in the Operations Manager Admin Integration Pack.

Syntax:

.\CreateEventBasedAlertingRule.ps1 -ManagementServer 'om01.contoso.com' -ManagementPackID 'custom.example.test' -RuleID 'custom.example.test.rule.Event9999' -RuleName 'My Test Event 9999 Alerting Rule' -RuleDescription 'Test Rule' -RuleTarget 'Microsoft.Windows.Computer' -ComputerName '$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$' -EventLogName 'Operations Manager' -EventID 9999 -EventSource 'Health Service Script' -AlertName 'My Test Event 9999 Alert' -AlertPriority 1 -AlertSeverity 1 -SuppressOnEventID true -Enabled true

Parameters:

Name               Description
ManagementServer   Name of MS to connect to
ManagementPackID   ID of the MP you want to put the new rule in (it will create one if it doesn't exist)
RuleID             ID of the rule you want to create
RuleName           Friendly name of the rule you want to create
RuleDescription    Description of the rule
RuleTarget         Class that you want to target the rule at
ComputerName       Variable for the computer name. This will vary depending on your target.
EventLogName       Name of the event log to look in
EventID            Event ID of the event
EventSource        Source of the event
AlertName          Name of the alert
AlertPriority      Priority of the alert: Critical (2), Warning (1), Information (0)
AlertSeverity      Severity of the alert: High (2), Medium (1), Low (0)
SuppressOnEventID  true or false, depending on whether or not you want to suppress repeat alerts
Enabled            true or false, depending on whether you want the rule enabled by default
Script:

Param(
    [parameter(Mandatory=$true)]
    $ManagementServer,
    [parameter(Mandatory=$true)]
    $ManagementPackID,
    [parameter(Mandatory=$true)]
    $RuleID,
    [parameter(Mandatory=$true)]
    $RuleName,
    [parameter(Mandatory=$true)]
    $RuleDescription,
    [parameter(Mandatory=$true)]
    $RuleTarget,
    [parameter(Mandatory=$true)]
    $ComputerName,
    [parameter(Mandatory=$true)]
    $EventLogName,
    [parameter(Mandatory=$true)]
    $EventID,
    [parameter(Mandatory=$true)]
    $EventSource,
    [parameter(Mandatory=$true)]
    $AlertName,
    [parameter(Mandatory=$true)]
    $AlertPriority,
    [parameter(Mandatory=$true)]
    $AlertSeverity,
    [parameter(Mandatory=$true)]
    $SuppressOnEventID,
    [parameter(Mandatory=$true)]
    $Enabled
    )

# Echo the supplied parameters for the run log
Write-Host "ManagementServer: "$ManagementServer
Write-Host "ManagementPackID: "$ManagementPackID
Write-Host "RuleID: "$RuleID
Write-Host "RuleName: "$RuleName
Write-Host "RuleDescription: "$RuleDescription
Write-Host "RuleTarget: "$RuleTarget
Write-Host "ComputerName: "$ComputerName
Write-Host "EventLogName: "$EventLogName
Write-Host "EventID: "$EventID
Write-Host "EventSource: "$EventSource
Write-Host "AlertName: "$AlertName
Write-Host "AlertPriority: "$AlertPriority
Write-Host "AlertSeverity: "$AlertSeverity
Write-Host "SuppressOnEventID: "$SuppressOnEventID
Write-Host "Enabled: "$Enabled

# Creates an empty management pack (version 1.0.0) and imports it into the management group
function CreateManagementPack
{
  param([object]$MG, [string]$ManagementPackID)
  $MPStore = New-Object Microsoft.EnterpriseManagement.Configuration.IO.ManagementPackFileStore
  $MP = New-Object Microsoft.EnterpriseManagement.Configuration.ManagementPack($ManagementPackID, $ManagementPackID, (New-Object Version(1, 0, 0)), $MPStore)
  $MG.ImportManagementPack($MP)
}

# Adds a Microsoft.Windows.EventProvider data source module to the rule
function CreateWindowsMicrosoftWindowsEventProviderModule
{
  param([object]$Rule, [object]$MG, [string]$ComputerName, [string]$EventLogName, [string]$EventSource, [int]$EventID)
  $DSModuleType = $MG.GetMonitoringModuleTypes("Microsoft.Windows.EventProvider")[0]
  $DSModule = New-Object Microsoft.EnterpriseManagement.Configuration.ManagementPackDataSourceModule($Rule, "DS")
  $DSModule.TypeID = [Microsoft.EnterpriseManagement.Configuration.ManagementPackDataSourceModuleType]$DSModuleType
  $DSModule.Configuration = CreateWindowsMicrosoftWindowsEventProviderModuleConfig $ComputerName $EventLogName $EventSource $EventID
  $Rule.DataSourceCollection.Add($DSModule)
}

# Builds the data source configuration XML: match on event source AND event ID
function CreateWindowsMicrosoftWindowsEventProviderModuleConfig
{
  param([string]$ComputerName, [string]$EventLogName, [string]$EventSource, [int]$EventID)
  $oBuilder = New-Object System.Text.StringBuilder
  # ComputerName is a $Target/...$ substitution expression and is passed through unchanged
  [void]$oBuilder.AppendFormat("<ComputerName>{0}</ComputerName>", $ComputerName)
  # Free-text values are escaped so characters such as & or < cannot break the configuration XML
  [void]$oBuilder.AppendFormat("<LogName>{0}</LogName>", (XMLEncode -s $EventLogName))
  [void]$oBuilder.Append("<Expression>")
  [void]$oBuilder.Append("<And>")
  [void]$oBuilder.Append("<Expression>")
  [void]$oBuilder.Append("<SimpleExpression>")
  [void]$oBuilder.Append("<ValueExpression>")
  [void]$oBuilder.Append("<XPathQuery>EventSourceName</XPathQuery>")
  [void]$oBuilder.Append("</ValueExpression>")
  [void]$oBuilder.Append("<Operator>Equal</Operator>")
  [void]$oBuilder.Append("<ValueExpression>")
  [void]$oBuilder.AppendFormat("<Value>{0}</Value>", (XMLEncode -s $EventSource))
  [void]$oBuilder.Append("</ValueExpression>")
  [void]$oBuilder.Append("</SimpleExpression>")
  [void]$oBuilder.Append("</Expression>")
  [void]$oBuilder.Append("<Expression>")
  [void]$oBuilder.Append("<SimpleExpression>")
  [void]$oBuilder.Append("<ValueExpression>")
  [void]$oBuilder.Append("<XPathQuery>EventDisplayNumber</XPathQuery>")
  [void]$oBuilder.Append("</ValueExpression>")
  [void]$oBuilder.Append("<Operator>Equal</Operator>")
  [void]$oBuilder.Append("<ValueExpression>")
  [void]$oBuilder.AppendFormat("<Value>{0}</Value>", $EventID)
  [void]$oBuilder.Append("</ValueExpression>")
  [void]$oBuilder.Append("</SimpleExpression>")
  [void]$oBuilder.Append("</Expression>")
  [void]$oBuilder.Append("</And>")
  [void]$oBuilder.Append("</Expression>")
  return $oBuilder.ToString()
}

# Builds the System.Health.GenerateAlert configuration XML and the alert message string resource.
# Reads $MP and $SuppressOnEventID from the script scope.
function CreateSystemHealthGenerateAlertModule
{
  param([int]$AlertPriority, [int]$AlertSeverity, [string]$AlertName, [string]$RuleID)
  $EventDescription = '$Data/EventDescription$'
  $EventDisplayNumber = '$Data/EventDisplayNumber$'
  $AlertMessageID = '{0}.AlertMessage' -f $RuleID
  $AlertMessageObject = New-Object Microsoft.EnterpriseManagement.Configuration.ManagementPackStringResource($MP, $AlertMessageID)
  $AlertMessageObject.DisplayName = (XMLEncode -s $AlertName)
  # {0} and {1} are filled from AlertParameter1 and AlertParameter2 below
  $txt = 
@"

Event ID: {0}
Event Description: {1}

"@
  $AlertMessageObject.Description = $txt
  $AlertMessageXPath = '$MPElement[Name="{0}"]$' -f $AlertMessageObject.Name

  $oBuilder = New-Object System.Text.StringBuilder
  [void]$oBuilder.AppendFormat("<Priority>{0}</Priority>", $AlertPriority)
  [void]$oBuilder.AppendFormat("<Severity>{0}</Severity>", $AlertSeverity)
  [void]$oBuilder.AppendFormat("<AlertName>{0}</AlertName>", (XMLEncode -s $AlertName))
  [void]$oBuilder.AppendFormat("<AlertMessageId>{0}</AlertMessageId>", $AlertMessageXPath)
  [void]$oBuilder.Append("<AlertParameters>")
  [void]$oBuilder.AppendFormat("<AlertParameter1>{0}</AlertParameter1>", $EventDisplayNumber)
  [void]$oBuilder.AppendFormat("<AlertParameter2>{0}</AlertParameter2>", $EventDescription)
  [void]$oBuilder.Append("</AlertParameters>")
  [bool]$SuppressOnEventID = [System.Convert]::ToBoolean($SuppressOnEventID)
  if ($SuppressOnEventID)
  {
    # Repeat alerts with the same event ID are suppressed
    [void]$oBuilder.Append("<Suppression>")
    [void]$oBuilder.AppendFormat("<SuppressionValue>{0}</SuppressionValue>", $EventDisplayNumber)
    [void]$oBuilder.Append("</Suppression>")
  }
  return $oBuilder.ToString()
}

# Adds a System.Health.GenerateAlert write action module to the rule
function CreateSystemHealthGenerateAlertWriteAction
{
  param([object]$Rule, [object]$MG, [int]$AlertPriority, [int]$AlertSeverity, [string]$AlertName, [string]$RuleID)
  $WAModuleType = $MG.GetMonitoringModuleTypes("System.Health.GenerateAlert")[0]
  $WAModule = New-Object Microsoft.EnterpriseManagement.Configuration.ManagementPackWriteActionModule($Rule, "GenerateAlert")
  $WAModule.TypeID = [Microsoft.EnterpriseManagement.Configuration.ManagementPackWriteActionModuleType]$WAModuleType
  $WAModule.Configuration = CreateSystemHealthGenerateAlertModule $AlertPriority $AlertSeverity $AlertName $RuleID
  $Rule.WriteActionCollection.Add($WAModule)
}

# Escapes the five XML special characters (& first, so existing escapes are not double-processed)
function XMLEncode
{
  param([string]$s)
  $s = $s.Replace("&", "&amp;")
  $s = $s.Replace("<", "&lt;")
  $s = $s.Replace(">", "&gt;")
  $s = $s.Replace('"', "&quot;")
  $s = $s.Replace("'", "&apos;")
  return $s.ToString()
}

Write-Host "Adding SCOM Snap-in"
Add-PSSnapin Microsoft.EnterpriseManagement.OperationsManager.Client

Write-Host "Connecting to SCOM Management Group"
$MG = New-Object Microsoft.EnterpriseManagement.ManagementGroup($ManagementServer)

Write-Host "Getting MP Information and Incrementing Version"
try
{
  # Existing MP: bump the last component of its version number
  $MP = $MG.GetManagementPacks($ManagementPackID)[0]
  $VIncrement = $MP.Version.ToString().Split('.')
  $VIncrement[$VIncrement.Length - 1] = ([system.int32]::Parse($VIncrement[$VIncrement.Length - 1]) + 1).ToString()
  $MP.Version = ([string]::Join(".", $VIncrement))
}
catch
{
  Write-Host "MP Not Found, Creating New MP"
  CreateManagementPack $MG $ManagementPackID
  $MP = $MG.GetManagementPacks($ManagementPackID)[0]
}

Write-Host "Creating New Rule"
$Rule = New-Object Microsoft.EnterpriseManagement.Configuration.ManagementPackRule($MP, $RuleID)

Write-Host "Creating Data Source Section of Rule"
CreateWindowsMicrosoftWindowsEventProviderModule $Rule $MG $ComputerName $EventLogName $EventSource $EventID

Write-Host "Creating Write Action Section of Rule"
CreateSystemHealthGenerateAlertWriteAction $Rule $MG $AlertPriority $AlertSeverity $AlertName $RuleID

Write-Host "Adding Rule Target"
$Rule.Target = $MG.GetMonitoringClasses($RuleTarget)[0]

Write-Host "Adding Rule Category"
$Rule.Category = [Microsoft.EnterpriseManagement.Configuration.ManagementPackCategoryType]::Alert

Write-Host "Adding Display Name"
$Rule.DisplayName = (XMLEncode -s $RuleName)

Write-Host "Adding Description"
$Rule.Description = (XMLEncode -s $RuleDescription)

Write-Host "Setting Enabled Property"
[bool]$Enabled = [System.Convert]::ToBoolean($Enabled)
If (!($Enabled)){$Rule.Enabled = [Microsoft.EnterpriseManagement.Configuration.ManagementPackMonitoringLevel]::false}

Write-Host "Writing Changes via SDK"
$MP.AcceptChanges()

Write-Host "Script Completed"
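
The data source configuration in the script is assembled as a string. Because the script can also run as an Integration Pack activity with values supplied by a runbook, the same fragment can be produced with System.Xml.XmlWriter so that every value is escaped by the writer and the result is parsed back before it is used. This is an added example, not part of the original script: the function name New-EventProviderConfig is hypothetical, the 0-65535 event ID range is an assumption, and the sample values are constructed.

```powershell
function New-EventProviderConfig
{
  param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$EventLogName,
    [Parameter(Mandatory=$true)][string]$EventSource,
    [Parameter(Mandatory=$true)][ValidateRange(0, 65535)][int]$EventID  # assumed valid range
  )
  $settings = New-Object System.Xml.XmlWriterSettings
  $settings.ConformanceLevel = [System.Xml.ConformanceLevel]::Fragment  # several top-level elements
  $settings.OmitXmlDeclaration = $true
  $sb = New-Object System.Text.StringBuilder
  $w = [System.Xml.XmlWriter]::Create($sb, $settings)
  try
  {
    $w.WriteElementString('ComputerName', $ComputerName)
    $w.WriteElementString('LogName', $EventLogName)
    $w.WriteStartElement('Expression')
    $w.WriteStartElement('And')
    # One <Expression><SimpleExpression> per field/value pair, same layout as the script's config
    foreach ($pair in @(@('EventSourceName', $EventSource), @('EventDisplayNumber', [string]$EventID)))
    {
      $w.WriteStartElement('Expression')
      $w.WriteStartElement('SimpleExpression')
      $w.WriteStartElement('ValueExpression')
      $w.WriteElementString('XPathQuery', $pair[0])
      $w.WriteEndElement()
      $w.WriteElementString('Operator', 'Equal')
      $w.WriteStartElement('ValueExpression')
      $w.WriteElementString('Value', $pair[1])   # the writer escapes &, < and >
      $w.WriteEndElement()
      $w.WriteEndElement()   # SimpleExpression
      $w.WriteEndElement()   # Expression
    }
    $w.WriteEndElement()     # And
    $w.WriteEndElement()     # Expression
  }
  finally { $w.Close() }
  return $sb.ToString()
}

# Constructed input: an event source containing XML metacharacters
$sample = @{ ComputerName = '$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$'
             EventLogName = 'Application'; EventSource = 'Backup & Restore <Agent>'; EventID = 9999 }
$cfg = New-EventProviderConfig @sample
$doc = [xml]("<Configuration>$cfg</Configuration>")   # throws if the fragment is not well-formed
$doc.SelectNodes('//Value') | ForEach-Object { $_.InnerText }   # values as a consumer would read them
```

The function's return value can be assigned to $DSModule.Configuration in place of the string built by CreateWindowsMicrosoftWindowsEventProviderModuleConfig.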

CreateEventBasedAlertingRule.txt