Notification based on resolution state not working as expected
I have an event-based unit monitor set up to alert when someone logs onto any of our servers via remote desktop connection. The monitor watches the security event log on the servers for event ID 4624 and filters out all events that don't have a parameter 9 value of 10 (indicating a remote login). The alert is set to auto resolve after 15 seconds.
The monitor and its alert work fine; when I log onto a server via RDC I see the alert pop up in the console, and 15 seconds later the alert disappears. Here's where I'm having trouble: When I set up a notification subscription for the alert and specify, as part of the subscription criteria, that the notification should be generated only when the alert has a "New(0)" resolution state, the server never sends the notification. If, however, I change the criteria so that the notification is generated only when the alert has a "Closed(255)" resolution state, the notification is sent as expected. I'm not quite comfortable with this scenario though since the alert has to auto resolve first before the notification is sent.
Anyone know what I'm doing wrong? I've deleted and recreated the monitor and subscription without any luck. Also, if I leave the resolution state completely out of the subscription criteria then I receive both the new and closed notifications as expected.
I'm using SCOM 2012 on 2008R2.
May 21st, 2012 10:11am
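The filter described in the question (event ID 4624 with parameter 9 equal to 10), shown as an added example that is not part of the original thread: parameter 9 of event 4624 is the `LogonType` field, and this sketch applies the same filter to event XML so the monitor's matches can be checked independently of SCOM. The function name `Get-RdpLogon` and the sample events are constructed for illustration.

```powershell
# Constructed sample events, trimmed to the fields used below; not real log data.
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2012-05-21T10:05:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.0.2.15</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2012-05-21T10:06:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc-backup</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.40</Data>
  </EventData>
</Event>
'@
)

# Hypothetical helper: returns one object per 4624 event whose LogonType is 10
# (RemoteInteractive, i.e. a Remote Desktop logon).
function Get-RdpLogon {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System.EventID -ne '4624') { continue }
        # Index EventData by field name instead of position, so the check
        # does not depend on the order of the <Data> elements.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -ne '10') { continue }
        [pscustomobject]@{
            Time     = $evt.System.TimeCreated.SystemTime
            User     = $data['TargetUserName']
            SourceIp = $data['IpAddress']
        }
    }
}

Get-RdpLogon -EventXml $sampleEvents   # only the LogonType 10 event is returned

# On a server, feed it live events instead of the samples:
# Get-RdpLogon -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 200 |
#     ForEach-Object { $_.ToXml() })
```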
Hi
Do you have alert ageing set on the subscription? This would stop the notification being sent on New because the alert would have been resolved before the alert aging time had expired. It might also just be that the alert is autoresolving before the notification fires.
Is there a specific reason for using a monitor rather than a rule here? A rule without suppression would fire off an alert and notification without any need to autoresolve. You could always have a timed script running to close the alerts every hour for alert management.
Cheers
Graham
Regards Graham
New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
May 21st, 2012 10:37am
I'm not using alert aging. I thought maybe the alert was closing before the notification subscription was triggered, but the notification works fine for new alerts when I take the criteria for resolution state out of the subscription, which contradicts that theory.
I could change this monitor to a rule, but at this point I'd like to know why this is behaving this way and if it's going to impact other notification subscriptions I already have running. I used this exact setup in SCOM 2007 for years without any issues...
May 21st, 2012 10:58am
You may try to set the auto-resolve to after 1 minute and see if this solves your issue.
Roger
May 21st, 2012 12:18pm
Thanks for the replies, guys! I tried changing the auto resolve time to 1 and then 5 minutes and it still doesn't send the notification. However, I found that if I turn the auto resolve function off then I receive the notification immediately when the alert is generated. Any ideas?
May 21st, 2012 1:49pm