Repeated Event Detection On Multiple Servers
I am looking to create a rule or monitor to alert when Event ID 4625 occurs 4 times within a minute. I know how to create the rule to alert if it happens on the same server. What I am looking for is for it to alert if it happens 4 times within our environment. So alert if it happens once on server A, once on server B, once on server C and once on server D within a minute. Or a different example of it happening once on server A and three times on server B within a minute. Is this sort of aggregate counting of events within a time frame alerting possible within SCOM? Thank you.
July 8th, 2015 7:14pm

 

Hi 

You can achieve this monitoring with distributed application monitoring. You need to create two monitors as below.

1) single event id monitor

2) multiple event id monitor.

You need to roll up the health of the application as below: for the single event ID monitor, set best state, and for the multiple event ID monitor, set worst state.

Regards

July 10th, 2015 3:23am

Hi, it depends on the size of the environment.

1. Say you have a few servers: you could create a monitor and target it at a new or existing class, then add this class to a group, and create a dependency monitor to roll up the health to the group (worst state of the specified percentage of members in good state).

2. If you have a thousand servers, you could create a monitor that queries OpsMgrDB directly, like

SELECT LoggingComputer, Number, TimeGenerated
FROM [OperationsManager].[dbo].[EventInsertView]
WHERE Number = 4625
  AND TimeGenerated BETWEEN DATEADD(MINUTE, -1, GETUTCDATE()) AND GETUTCDATE()

and alert if there are more than 3 events.

But it's better to increase the monitor interval and query the Data Warehouse DB.

July 10th, 2015 8:32am
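
The aggregate count asked about in this thread, as an added example that is not from any of the posters: a sliding one-minute window over 4625 events from all servers, raising one alert per burst with a per-server breakdown. The record format, server names and sample events are constructed, and the logic is independent of SCOM; it goes beyond the fixed one-minute query by also covering a longer lookback, where a burst can straddle a wall-clock minute.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample records: "UTC time,server,event id" (not real log data).
SAMPLE = """\
2015-07-08T19:00:05,SRV-A,4625
2015-07-08T19:00:20,SRV-B,4625
2015-07-08T19:00:30,SRV-B,4624
2015-07-08T19:00:40,SRV-C,4625
2015-07-08T19:00:55,SRV-D,4625
2015-07-08T19:05:50,SRV-A,4625
2015-07-08T19:06:10,SRV-B,4625
2015-07-08T19:06:20,SRV-B,4625
2015-07-08T19:06:30,SRV-B,4625
2015-07-08T19:10:00,SRV-A,4625
2015-07-08T19:10:59,SRV-C,4625
2015-07-08T19:12:00,SRV-C,4625
""".splitlines()

def parse(line):
    ts, server, event_id = line.strip().split(",")
    return datetime.fromisoformat(ts), server, int(event_id)

def detect_bursts(lines, event_id=4625, window=timedelta(minutes=1), threshold=4):
    """Sliding-window count across all servers; one alert per burst."""
    events = sorted(e for e in map(parse, lines) if e[2] == event_id)
    recent, alerts, alerting = deque(), [], False
    for ts, server, _ in events:
        recent.append((ts, server))
        while ts - recent[0][0] >= window:   # drop events older than the window
            recent.popleft()
        if len(recent) < threshold:
            alerting = False                 # burst over, re-arm the alert
        elif not alerting:                   # first crossing: raise one alert
            alerting = True
            alerts.append((recent[0][0], ts, dict(Counter(s for _, s in recent))))
    return alerts

def max_per_calendar_minute(lines, event_id=4625):
    """Comparison only: count per wall-clock minute instead of sliding."""
    buckets = Counter(ts.replace(second=0, microsecond=0)
                      for ts, _, eid in map(parse, lines) if eid == event_id)
    return max(buckets.values(), default=0)

if __name__ == "__main__":
    for start, end, per_server in detect_bursts(SAMPLE):
        print(f"ALERT {start:%H:%M:%S}-{end:%H:%M:%S} {per_server}")
```

The second burst (one failure on SRV-A, three on SRV-B) spans 19:05 and 19:06, so counting per wall-clock minute sees at most 3 there while the sliding window sees 4.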

This topic is archived. No further replies will be accepted.
