Hello again. In trying to create a simple alert generating event log rule, I was using LogParser to figure out the parameters, especially in the description. Here's what the description says in Event Viewer: "Switch Initiated". So I run logparser.exe "select top 1 strings as parameters from \\server\application where EventID=11515", and I get back "Backup server switching to primary mode". It doesn't say Switch Initiated. I then run logparser.exe "select Message from \\server\application where eventid=11515" and I get back: "Switch initiated". So event viewer shows "Switch Initiated", and one logparser query shows "Switch Initiated", but when I use logparser to show parameters of the event, it comes back with something completely different. Has anyone seen this? Should I still try to use Parameters in my rule, or just go ahead with the still workable EventDescription? Thanks, Layne

Hi Layne, 'Strings' and 'Message' is a different fields in the event. You can see it with logparser.exe -o:DATAGRID "SELECT * FROM Application WHERE EventID=11515" You can use 'Parameters' in OpsMgr modules, but remember that 'Parameters' in OpsMgr event module isn't logparser's 'Strings' field. HTHhttp://OpsMgr.ru/

Thanks Alexey. I'm confused because I've used logparser to get the parameters found in an event description many times, as described in Kevin's posting here. Usually the event description appears as strings in logparser. This is the first time in my experience where the strings have not matched the event description. I guess maybe we should all be using "SELECT TOP 1 Message AS Parameters" instead of "SELECT TOP 1 Strings AS Parameters."Layne

>Usually the event description appears as strings in logparser. That's true for security (audit) events, but isn't always true for other, especially, application eventlog events.http://OpsMgr.ru/