Hi <o:p></o:p>

We have Monitoring created to monitor and alert on windows event ID 41, 109, 6008, 6009 but doesn't seems to work when these event actually raised.<o:p></o:p>

Setup and Test <o:p></o:p>

1) Monitors are disabled initially but applied overrides to enable for specific group of servers.<o:p></o:p>

2) Event Expression is set to only look at event ID.<o:p></o:p>

3) Manually generate windows event with above event ID<o:p></o:p>

- i.e. eventCreate /ID 41 /L System /SO Winplat.Net /T Error /D "This test error"<o:p></o:p>

4) SCOM successfully detects the event and sends the alert.<o:p></o:p>

 

We do not seems understand why above events are not being detected. <o:p></o:p>

 

Wondering if anyone had this issue and how they have overcome the issue. Any alternative method will be also appreciated.<o:p></o:p>

Just to update

we are using SCOM2012 r2 and server we are monitoring are windows 2008r2 servers.

Thank you

what is your event Expression?
Your event expression may look like this
event Log: System
Event expression
or group
event id equals 41
event id equals 109
event id equals 6008
event id equals 6009

Roger

Hi Roger Thanks for the reply For our testing we are keeping simple I.e. We have one monitor for each e event E.g Event log: system Event ID equals 41 Thank you

• Edited by akg1 3 hours 5 minutes ago

Does it means that your testing event monitor would not fired when event 41 is log on the system event log?

Roger

Hi Roger When I generate system event 41 manually (as per above post), SCOM detects the alert as expected but. When real event occurs SCOM is not detecting the event. Thank you

Hi

I've seen something like this only once - where the "real" event doesn't generate an alert.

There was an entry in the OperationsManager event log each time the real event occurred and the error message was that it couldn't read the "real event" due to an xml problem (that I can't remember).

Perhaps just check the OperationsManager event log for such errors.

Regards

Graham