Including Event Description in Event Collection Rule
I have created a rule to collect events from a particular event log. The rule works fine as I am seeing events in an event view I built to capture these events. However, the description field is empty in the view. All other fields (Date/Time, Log Name, Source, etc) are filled in. I am looking for the magic formula to get the event description in the description field in the event view. Thanks in advance.
December 13th, 2010 8:59am

When you created the collection rule, did you tell it to collect the description too?Microsoft Corporation
Free Windows Admin Tool Kit Click here and download it now
December 13th, 2010 11:34am

Dan, Thanks for the response. The wizard never asked me to collect the description. There is a part to build an expression, but this looks like a place to filter out similar events based on an expression. -Peter
December 13th, 2010 11:56am

Hi Peter, I have just created a event collection rule in my test environment, and I didn't have to tell the rule to collect the event description. I am able to see the event description in the Event View, but this information is in the Details pane, I don't have a field/column available for the event description, nor can I set view criteria based on the description. So to assist you with this issue, can you provide us with a bit more information on how you setup the collection rule and event view? Possibly a copy of the MP to identify what the issue might be by checking the XML, if this view isn't in 'My Workspace'? Cheers, Brian
Free Windows Admin Tool Kit Click here and download it now
December 13th, 2010 5:22pm

Hi, Additionally, I would like to share the following post with you for your reference: Using Event Description as criteria for a rule http://blogs.technet.com/b/kevinholman/archive/2008/04/22/using-event-description-as-criteria-for-a-rule.aspx Hope this helps. Thanks. Nicholas Li - MSFT Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 15th, 2010 2:25am

Brian, I created another rule that pulls from a different event log "Citrix Secure Gateway" and am now seeing the description in the details pane as you described above. However, the original rule I created still shows no details. This log is from another 3rd party application. I exported the log to a csv and see the event description there. I am wondering if there is something funky about the way the vendor's software writes data to the event log.
Free Windows Admin Tool Kit Click here and download it now
December 15th, 2010 8:37am

Hi Peter, It is possible the 3rd party event log might be causing the problem. If it is, I believe the issue would primarily be due to the content of the description field of these events, which might be using characters the OpsMgr Rule can't handle properly. Other than this possibility, the 3rd party event log should be no different than any other event log. I just created my own custom event log in my test lab, and I am able to successfully see the event description in the event view. So unfortunately I'm unable to re-produce the issue in my test lab to try and diagnose the problem. Have you tried re-creating the original collection rule to see if this might address the issue? Also if it's possible, if you can provide a copy of the MP XML file(s) that contain the rule and event view that would be helpful, as there might be something in the XML that could be causing this issue. Cheers, Brian
December 16th, 2010 6:34pm

Brian, Below is the XML for the rule taken out of the exported MP: - <Rule ID="MomUIGeneratedRule05423d0b1c164a5ca9ed12767f3d87ec" Enabled="true" Target="MicrosoftWindowsServer20036067940!Microsoft.Windows.Server.2003.Computer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100"> <Category>EventCollection</Category> - <DataSources> - <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventCollector"> <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName> <LogName>Extentrix</LogName> <AllowProxying>false</AllowProxying> - <Expression> - <SimpleExpression> - <ValueExpression> <XPathQuery Type="String">PublisherName</XPathQuery> </ValueExpression> <Operator>Equal</Operator> - <ValueExpression> <Value Type="String">Extentrix Web Services Application Edition 4.0</Value> </ValueExpression> </SimpleExpression> </Expression> </DataSource> </DataSources> - <WriteActions> <WriteAction ID="WriteToDB" TypeID="SystemCenter!Microsoft.SystemCenter.CollectEvent" /> <WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData" /> </WriteActions> </Rule> </Rules> Thanks,
Free Windows Admin Tool Kit Click here and download it now
December 21st, 2010 7:14am

Hi Peter, I've checked the XML, and it all looks perfectly fine in comparison to other event collection rules. The only difference between this XML and the XML of the test rule I created in my test lab is the DataSource TypeID. But I have also now tested my rule using the DataSource TypeID in your example, and it still worked fine. I've even tried creating an event log with the same name as your example above, and it all worked without any issues. So it doesn't appear to be an issue with the rule itself, I would guess either there is an issue with the event log, or with the agent's cached data. Have you tried stopping the OpsMgr agent, flushing the cache and starting the agent? Also have you tried recreating the Event View? Also have you tried checking in the database for these events, to see if the records actually store the Description field during the collection process? Depending on how important this issue is to you, I'd consider raising a case with Microsoft Support for their assistance. Hope this helps! Cheers, Brian
December 23rd, 2010 2:58pm

Brian, I flushed the agent cache as you recommended and am now able to see the event description in the event view. Regards,
Free Windows Admin Tool Kit Click here and download it now
December 29th, 2010 9:47am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics