SCOM Syslog Format

Is it possible to change the format of the syslog messages received by the SCOM server?

Is there any way to create views based on the event data from alert context?

March 10th, 2011 2:53pm

Hi

You won't be able to manipulate the syslog message as it comes in if you are just authoring in the standard console. You might be able to script this as a custom data source and manipulate the data using property bags using the Authoring console but this isn't straightforward.

You can create views from the rules that you create - leveraging custom fields in your rules and then creating the views based on the custom field is great for this. But you can also create a view based on "specific name".

I have done something similar for a syslog collection rule here:

http://systemcentersolutions.wordpress.com/category/syslog-monitoring/

Cheers

Graham 

March 13th, 2011 10:26am

Can you tell us more on why you want to change the format and what you are trying to achieve?

Rob

March 14th, 2011 2:48pm

I want to see only the description of the event in the description field of the view
March 16th, 2011 5:40pm

Hi

If you are just looking to get the message into the description then this should work:

$Data/EventData/DataItem/Message$

You can create views on rule name if you want all alerts from a specific message in one place. Or by computer etc. More complex views can be created by leveraging the custom fields.

More info here (although this is for collection rules rather than for alerting, most of the information is still relevant):

http://support.microsoft.com/kb/942863

Cheers

Graham

March 16th, 2011 6:46pm

Graham - The problem with the SYSLOG message is that the actual Server Name's IP (from where the alert originated) is inside the $Data/EventData/DataItem/Message$. So we really want to put that into a Custom Field or a separate context so we can use that in our view. Isn't that possible with the existing solution?

Regards

Ramesh

February 7th, 2014 11:07am

We have got the actual Server Name's IP tied to $Data/EventData/DataItem/HostName$ but isn't it possible to display its DNS name/FQDN instead of IP?

Regards

Ramesh

February 10th, 2014 12:06pm

We have got the actual Server Name's IP tied to $Data/EventData/DataItem/HostName$ but isn't it possible to display its DNS name/FQDN instead of IP?

Regards

Ramesh

Great question
March 12th, 2015 2:16pm
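
The property-bag approach mentioned in the first reply, applied to the sender IP and FQDN questions above, as an added example that is not code from any poster in this thread. The parameter names and the property names (SenderIP, SenderFqdn, Description) are assumptions; the script expects to run inside a SCOM PowerShell module on a machine with the agent installed, which provides the MOM.ScriptAPI COM object.

```powershell
# Added example. $HostName and $Message are assumed to be passed in by the module from
# $Data/EventData/DataItem/HostName$ and $Data/EventData/DataItem/Message$.
param(
    [string]$HostName,
    [string]$Message
)

function Resolve-SyslogSender {
    param([string]$HostName, [string]$Message)

    # Prefer the HostName field; fall back to the first IPv4-looking token in the message.
    $candidate = $HostName
    if (-not $candidate -and $Message -match '\b(?:\d{1,3}\.){3}\d{1,3}\b') {
        $candidate = $Matches[0]
    }

    $result = @{ SenderIP = ''; SenderFqdn = ''; Description = $Message }

    # Syslog content is unauthenticated input: accept only a value that parses as an IP.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($candidate, [ref]$ip)) { return $result }
    $result.SenderIP = $ip.ToString()

    try {
        # Reverse lookup (PTR), then forward-confirm the name maps back to the same address,
        # because the PTR record is controlled by whoever owns the reverse zone.
        $name    = [System.Net.Dns]::GetHostEntry($ip).HostName
        $forward = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.ToString() }
        if ($forward -contains $ip.ToString()) { $result.SenderFqdn = $name }
    } catch {
        # No PTR record or DNS unreachable: leave SenderFqdn empty and keep the IP.
    }
    return $result
}

$sender = Resolve-SyslogSender -HostName $HostName -Message $Message

# Hand the values to the workflow as a property bag.
$api = New-Object -ComObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()
foreach ($key in $sender.Keys) { $bag.AddValue($key, $sender[$key]) }
$bag
```

Downstream, a value from the bag is referenced as `$Data/Property[@Name='SenderFqdn']$`, for example in an alert custom field that a view can then filter on.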

This topic is archived. No further replies will be accepted.
