*New* rules not generating Alerts
Recently we have started having the problem of new alert-generating NT Event Log rules not generating any alerts to the console.

Initially tried creating the rule disabled with an override for a single server, using only event ID and event source. Created test event, no alert. Removed source, test event, no alert. Tried different ID, test, no alert. Different server/agent, no alert. Tried creating a rule to target all Windows Server class, enabled, generic ID, no source. Test, no alert. Even tried creating a new MP to rule out a corrupt MP. You get the idea...

I've checked the event logs on the RMS, MS, and agent and see nothing out of the ordinary. I can see the MP pushed to the agent seemingly fine. Checked the .xml on the RMS, MS, and agent computer and can see the rule there. Ran the task for "Show Running Rules and Monitors for this Health Service" and the rule shows up for the agent (and also, in the disabled rule with an override for one agent scenario, the rule showed on the overridden computer and not for others).

I feel like I'm running out of troubleshooting options here. The only other information I can give is that we recently installed the Exchange 2010 MP about a week ago. Any ideas?

*EDIT: old Event Log rules are still generating alerts and all previously created alerts are still rolling in just fine. It's just new alert-generating rules that appear to be misbehaving.*
August 17th, 2011 3:33pm

To what did you target the rule? You have created an alert generating - NT event log (alert) rule? What SCOM and CU version are you on?

Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient
August 18th, 2011 3:08am

Hi,

Please also check the following information:

SCOM Alerts not being generated
http://social.technet.microsoft.com/Forums/en/operationsmanagergeneral/thread/3da4f436-82ab-4156-b27b-2255f9dbfce5

How to create a SCOM Windows Events Monitor and alert on the Description field
http://bradstechblog.com/scom/how-to-create-a-scom-windows-events-monitor-and-alert-on-the-description-field

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 18th, 2011 4:40am

Yes, NT event log (alert rule). Targeted at Windows Server. Also tried a rule for Windows Computer. Neither worked. I'd seen those two articles as well. I'm only checking for Event ID. SCOM R2 CU3
August 18th, 2011 10:30am

Can you screencap the configuration for the alert rule and upload it so we can see it?

"Fear disturbs your concentration"
August 18th, 2011 1:36pm

Ok, so we got an answer on the root of the issue. The problem is that by default, Event Rules/Monitors apparently cannot catch events if the event was not generated by the server that the agent is on (remote events). In our testing case, we were using eventcreate from our remote laptops instead of going straight to the server and using eventcreate there. If the "computer source" does not match the computer name, the event will simply be overlooked.

We were then pointed to a Holman article stating how to overcome this by allowing proxy in the rule xml: http://blogs.technet.com/b/kevinholman/archive/2010/07/23/how-to-monitor-events-logged-by-another-computer-or-cluster.aspx

So, in reality the events that the rule was supposed to catch would have worked famously, but our test failed miserably, doh! Lesson learned. Thanks for the input! Issue closed.
August 18th, 2011 4:48pm
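
The mismatch described in the last post can be checked on the agent itself. The PowerShell below is an added example, not part of the thread: it lists recent events with a given ID and flags any whose Computer field differs from the local machine's name. The log name and event ID defaults are assumed test values.

```powershell
# Added example (not from the thread). Run on the agent computer.
# $LogName and $EventId are assumed values; set them to match the rule under test.
param(
    [string]$LogName   = 'Application',
    [int]   $EventId   = 999,   # constructed test event ID
    [int]   $MaxEvents = 50
)

# Names under which the local machine can appear in an event's Computer field.
$hostName = $env:COMPUTERNAME
try {
    $fqdn = [System.Net.Dns]::GetHostEntry($hostName).HostName
} catch {
    $fqdn = $hostName   # DNS lookup failed; fall back to the short name
}
$localNames = @($hostName, $fqdn) | Select-Object -Unique

# Pull the most recent matching events from the local log.
$filter = @{ LogName = $LogName; Id = $EventId }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No events with ID $EventId found in the $LogName log."
    return
}

# One row per event. LocalMatch = False means the event was logged on behalf of
# another computer, which is the case the thread found the rule skipping by default.
$events | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Provider    = $_.ProviderName
        LoggedBy    = $_.MachineName
        LocalMatch  = ($localNames -contains $_.MachineName)   # -contains is case-insensitive
    }
} | Sort-Object TimeCreated -Descending
```

If every test event shows `LocalMatch` as False, the test method is the likely cause rather than the rule or the management pack.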

This topic is archived. No further replies will be accepted.
