Monitoring Windows Event ID 41, 109, 6008, 6009 Doesn't Work

Hi

We have monitoring created to monitor and alert on Windows event IDs 41, 109, 6008, 6009, but it doesn't seem to work when these events are actually raised.

Setup and Test

1) Monitors are disabled initially, but overrides are applied to enable them for a specific group of servers.

2) Event expression is set to only look at the event ID.

3) Manually generate a Windows event with one of the above event IDs

- i.e. eventCreate /ID 41 /L System /SO Winplat.Net /T Error /D "This test error"

4) SCOM successfully detects the event and sends the alert.

We do not seem to understand why the above events are not being detected.

Wondering if anyone had this issue and how they have overcome the issue. Any alternative method will also be appreciated.


September 6th, 2015 9:48pm

Just to update

We are using SCOM 2012 R2 and the servers we are monitoring are Windows 2008 R2 servers.

Thank you

September 6th, 2015 9:50pm

What is your event expression?
Your event expression may look like this:
event Log: System
Event expression
or group
event id equals 41
event id equals 109
event id equals 6008
event id equals 6009

Roger

September 7th, 2015 12:06am

Hi Roger

Thanks for the reply.

For our testing we are keeping it simple, i.e. we have one monitor for each event, e.g.

Event log: System
Event ID equals 41

Thank you
September 7th, 2015 12:35am

Does it mean that your testing event monitor would not fire when event 41 is logged in the System event log?

Roger

September 7th, 2015 12:55am

Hi Roger

When I generate system event 41 manually (as per the above post), SCOM detects the alert as expected, but when the real event occurs SCOM is not detecting the event.

Thank you
September 7th, 2015 1:11am

Hi

I've seen something like this only once - where the "real" event doesn't generate an alert.

There was an entry in the OperationsManager event log each time the real event occurred and the error message was that it couldn't read the "real event" due to an xml problem (that I can't remember).

Perhaps just check the OperationsManager event log for such errors.

Regards

Graham

September 7th, 2015 3:26am


Hi Graham

Thank you for the reply

I have been looking around the Operations Manager event logs and didn't find any error related to the event I am looking at, but

I found there is a time gap of 15 minutes and 8 minutes for SCOM events being logged in the Operations Manager event log,

and I checked the time event 41 (e.g.) was generated and found that event 41 was generated exactly in that gap.

Does this mean the SCOM agent was not operational during this time? The events I am trying to monitor are the events for a server being rebooted, so I am thinking the SCOM agent is taking too long to get fully operational...

Any thoughts?

Thank you 

September 7th, 2015 6:19pm
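
Added example, not written by any poster in this thread: one way to check the timing observation above is to list each System-log event with ID 41, 109, 6008 or 6009 next to the nearest agent log entries before and after it. It assumes the agent's log is named `Operations Manager`; the 30-day window is chosen for illustration.

```powershell
# Added example: correlate reboot-related System events with gaps in the agent's own log.
# Assumption: the SCOM agent writes to the event log named 'Operations Manager'.
$ids      = 41, 109, 6008, 6009
$since    = (Get-Date).AddDays(-30)      # illustrative look-back window
$agentLog = 'Operations Manager'

# Monitored events from the System log, oldest first
$sysEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids; StartTime = $since } `
                 -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# Timestamp of every agent log entry in the same window, oldest first
$agentTimes = @(Get-WinEvent -FilterHashtable @{ LogName = $agentLog; StartTime = $since } `
                 -ErrorAction SilentlyContinue | Sort-Object TimeCreated |
                 ForEach-Object { $_.TimeCreated })

foreach ($e in $sysEvents) {
    # Nearest agent log entries on either side of the System event
    $before = $agentTimes | Where-Object { $_ -le $e.TimeCreated } | Select-Object -Last 1
    $after  = $agentTimes | Where-Object { $_ -gt $e.TimeCreated } | Select-Object -First 1

    # Length of the window in which the agent logged nothing around this event
    $gap = if ($before -and $after) {
        [math]::Round(($after - $before).TotalMinutes, 1)
    } else { $null }

    New-Object PSObject -Property @{
        EventId              = $e.Id
        Provider             = $e.ProviderName
        Logged               = $e.TimeCreated
        LastAgentEntryBefore = $before
        FirstAgentEntryAfter = $after
        AgentSilentMinutes   = $gap
    } | Select-Object EventId, Provider, Logged, LastAgentEntryBefore,
                      FirstAgentEntryAfter, AgentSilentMinutes
}
```

A large `AgentSilentMinutes` value around a real event, compared with a small one around an `eventcreate` test event, matches the gap described in the post above.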

Hi Guys

Just to let you know that I came across the below post and the problem I am facing is similar, so I will try the management pack and see how it will go.

https://social.technet.microsoft.com/Forums/systemcenter/en-US/b4303ca6-2c8d-4a7d-8a2f-4f1ce34a7654/unexpected-restart-alert-did-not-generate?forum=operationsmanagergeneral

Thank you
September 7th, 2015 9:22pm

This topic is archived. No further replies will be accepted.
