<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ian Noble &#187; Infrastructure Management</title>
	<atom:link href="http://www.iannoble.co.uk/categories/infrastructure-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.iannoble.co.uk</link>
	<description>IT Infrastructure Management and Operations</description>
	<lastBuildDate>Tue, 18 Oct 2011 19:56:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>SCOM Event Log Monitoring &#8211; Filtering based on content in the Description field</title>
		<link>http://www.iannoble.co.uk/scom-event-log-monitoring-filtering-based-content-description-field/</link>
		<comments>http://www.iannoble.co.uk/scom-event-log-monitoring-filtering-based-content-description-field/#comments</comments>
		<pubDate>Fri, 12 Dec 2008 14:15:54 +0000</pubDate>
		<dc:creator>iann</dc:creator>
				<category><![CDATA[Infrastructure Management]]></category>
		<category><![CDATA[scom]]></category>

		<guid isPermaLink="false"></guid>
		<description><![CDATA[The following is information on how to get SCOM (System Center Operations Manager) 2007 to generate alerts based on the description field of windows event log entries. 1. If you want to filter based on content in the Description field, determine the parameter number that relates to the text you want to find. To find the parameter number, see the following post: http://blogs.technet.com/stefan_stranger/archive/2008/05/13/opsmgr-2007-parameters-explained.aspx 2. When specifying what to search for, note that the content displayed in the Event Viewer is not always the same as what you need to filter against in SCOM. E.g. security event id 560, under accesses, event viewer can show WRITE_DAC, but if you filter against parameter 15 for WRITE_DAC it will not work. The following command will create a text file with all events of type 560, if you then search this file for the specific event you are looking at in event viewer, you can match with what SCOM sees and what the event viewer sees. LogParser.exe -q:ON "SELECT Strings AS Parameters FROM Security WHERE EventID=560" > 560.txt Using the above you can determine that in SCOM that you need to filter for 'Parameter 15 contains 1539'. You can also use this to find the parameter number (parameter number can be counted from the left starting from 1, not 0). 3. I haven't had success in filtering based on event type yet (EventType), including it in the filter stopped scom from picking up the alert. 4. Create a test rule in the management pack you are creating the event log monitoring rule(s), which is basic search for application log, Source "User Event" and then use the logevent (http://support.microsoft.com/kb/315410) application to create a test event, to confirm that your management pack is actively running on the target device. e.g. logevent -s I -e 45 "Test Event" Logevent download at: http://www.petri.co.il/download_free_reskit_tools.htm 5. You can also check the ops mgr windows event log to see it has downloaded your changes, but step 4 will tell you for sure. This will also contain information if ops mgr can't keep up with the event log and is falling behind in monitoring the event log. 6. Monitors are for monitoring for things that affect the health of an object, rules are where monitoring for things that don't affect object health. There are 3 types of monitors for the windows event log, manual health reset, automatic after a set time, and automatic after a specific event has been received. 7. Use trial and error, start with basic filtering criteria, check that receive alerts and make it more specific, at each step checking if you receive an alert, being careful to not create a filter that is so generic that it will result in hundreds of alerts. 8. To avoid possible performance issues during step 7, test against a single device by disabling your rule and specifically overriding it to enabled for a specific device, and removing the override and re-enabling once you know it is working if so required. 9. Too many event log monitors could reduce the system wide performance of the monitored device(s). 10. It is possible to filter based on the entire description field, using a parameter with name EventDescription (howto: http://contoso.se/blog/?p=250), but it is recommended to use parameters instead as searching the entire description will have a greater system wide performance impact on the monitored device(s).  [...]]]></description>
			<content:encoded><![CDATA[<p>The following is information on how to get SCOM (System Center Operations Manager) 2007 to generate alerts based on the Windows event log.</p>
<p>1. The text that appears in the description of Windows event log entries is actually made up of a series of parameters. If you want to filter based on content in the Description field, first you need to determine the parameter number that relates to the text you want to find. To find the parameter number, see the following post:</p>
<p><a href="http://blogs.technet.com/stefan_stranger/archive/2008/05/13/opsmgr-2007-parameters-explained.aspx">http://blogs.technet.com/stefan_stranger/archive/2008/05/13/opsmgr-2007-parameters-explained.aspx</a></p>
<p>2. When using the Windows Event Viewer, it will parse some parameter fields, so what you see in the Event Viewer is not always what Operations Manager sees when it reads the event log.</p>
<p>E.g. for security event ID 560, under the &#8216;accesses&#8217; field in the description, the Windows Event Viewer could show (amongst other things) WRITE_DAC, but if you try to get Operations Manager to filter against parameter 15 for &#8216;WRITE_DAC&#8217; it will not work, as that&#8217;s not what Operations Manager sees.</p>
<p>To get around this, the following command will create a text file containing all events with ID 560, with the content in the same format that Operations Manager sees. If you then search this file for the specific event you are looking at in the Event Viewer, you can match what SCOM sees against what the Event Viewer shows, and so determine what you need to tell Operations Manager to search for:</p>
<p>LogParser.exe -q:ON "SELECT Strings AS Parameters FROM Security WHERE EventID=560" &gt; 560.txt</p>
<p>Using the above you can determine that in SCOM you need to filter for &#8216;Parameter 15 contains 1539&#8217;. You can also use this to find the parameter number (parameters are counted from the left starting from 1, not 0).</p>
<p>3. PS I haven&#8217;t had success in filtering based on the &#8216;event type&#8217; (EventType) yet; including it in the filter stopped SCOM from picking up the alert.</p>
<p>4. Create a test rule in the management pack in which you are creating the event log monitoring rule(s), consisting of a basic search of the Application log for Source &#8220;User Event&#8221;, and then use the logevent (http://support.microsoft.com/kb/315410) application to create a test event, to confirm that your management pack is actively running on the target device.</p>
<p>e.g.</p>
<p>logevent -s I -e 45 "Test Event"</p>
<p>Logevent download at: <a href="http://www.petri.co.il/download_free_reskit_tools.htm">http://www.petri.co.il/download_free_reskit_tools.htm</a></p>
<p>5. You can also check the Operations Manager Windows event log to see that it has downloaded your changes, but step 4 will tell you for sure. This log will also contain entries if Operations Manager can&#8217;t keep up with the event log and is falling behind in monitoring it.</p>
<p>6. Monitors are for monitoring things that affect the health of an object; rules are for monitoring things that don&#8217;t affect object health.</p>
<p>There are three types of monitors for the Windows event log: manual health reset, automatic reset after a set time, and automatic reset after a specific event has been received.</p>
<p>7. Use trial and error: start with basic filtering criteria, check that you receive alerts, then make the criteria more specific, at each step checking that you still receive an alert, and being careful not to create a filter so generic that it results in hundreds of alerts.</p>
<p>8. To avoid possible performance issues during step 7, test against a single device by disabling your rule and overriding it to enabled for that specific device only; once you know it is working, remove the override and re-enable the rule if required.</p>
<p>9. Too many event log monitors could reduce the system-wide performance of the monitored device(s).</p>
<p>10. It is possible to filter on the entire description field using a parameter named EventDescription (howto: <a href="http://contoso.se/blog/?p=250">http://contoso.se/blog/?p=250</a>), but it is recommended to use numbered parameters instead, as searching the entire description has a greater system-wide performance impact on the monitored device(s).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.iannoble.co.uk/scom-event-log-monitoring-filtering-based-content-description-field/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Effective alerting of infrastructure incidents</title>
		<link>http://www.iannoble.co.uk/effective-alerting-infrastructure-incidents/</link>
		<comments>http://www.iannoble.co.uk/effective-alerting-infrastructure-incidents/#comments</comments>
		<pubDate>Thu, 16 Oct 2008 18:33:10 +0000</pubDate>
		<dc:creator>iann</dc:creator>
				<category><![CDATA[Infrastructure Management]]></category>
		<category><![CDATA[notifications]]></category>

		<guid isPermaLink="false"></guid>
		<description><![CDATA[When a critical incident occurs that causes one or more of your systems to lose redundancy or result in loss of service, how do you ensure that the relevant people are notified? The key requirement for such a solution is one that has the following features: <strong>a) Escalation path</strong> You don't want an incident to go unchecked because the person the incident notification went to failed to get it for whatever reason. An escalation path ensures that someone is notified by escalating it to other contact methods for that person, or to other people until a receipt acknowledgement is received (typically by pressing a button in the case of voice alert, or replying to a SMS or email message). <strong>b) Date scheduling</strong> If you have staff that work on a shift basis, then you will want the system to be able to be programmed with those shift patterns. <strong>c) Voice Alerting</strong> Ideally, a combination of both SMS Text and Voice alerting capabilities, as voice calls can be heard easier on most devices out of the box than SMS Text messages and allows fallback to contact land based telephones.  [...]]]></description>
			<content:encoded><![CDATA[<p>When a critical incident occurs that causes one or more of your systems to lose redundancy or result in loss of service, how do you ensure that the relevant people are notified?</p>
<p>The key requirements for such a solution are the following features:</p>
<p><strong>a) Escalation path</strong><br />
You don&#8217;t want an incident to go unchecked because the person the incident notification went to failed to receive it for whatever reason. An escalation path ensures that someone is notified, by escalating to other contact methods for that person or to other people until a receipt acknowledgement is received (typically by pressing a button in the case of a voice alert, or by replying to an SMS or email message).</p>
<p><strong>b) Date scheduling</strong><br />
If you have staff who work on a shift basis, then you will want to be able to program the system with those shift patterns.</p>
<p><strong>c) Voice Alerting</strong><br />
Ideally, a combination of both SMS text and voice alerting capabilities, as voice calls can be heard more easily than SMS text messages on most devices out of the box, and allow fallback to contacting landline telephones.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.iannoble.co.uk/effective-alerting-infrastructure-incidents/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Low cost intelligent call routing</title>
		<link>http://www.iannoble.co.uk/low-cost-intelligent-call-routing/</link>
		<comments>http://www.iannoble.co.uk/low-cost-intelligent-call-routing/#comments</comments>
		<pubDate>Wed, 15 Oct 2008 15:36:58 +0000</pubDate>
		<dc:creator>iann</dc:creator>
				<category><![CDATA[Infrastructure Management]]></category>
		<category><![CDATA[calls]]></category>

		<guid isPermaLink="false"></guid>
		<description><![CDATA[I've been looking for a while for a call forwarding option that would allow intelligent call routing to a high level of detail and today I found it - allowing forwarding to be set on date and time along with a whole host of other features, the number of which is outstanding. In the United Kingdom: http://www.ringcentral.bt.com/ In the USA: http://www.ringcentral.com/ Features (UK Version): 0800 Numbers 0844 Numbers Voicemail with Email Delivery Internet Fax Auto-Attendant and Extensions Dial-by-name Directory In-Queue Music and Messages Call Diversion with FindMe Call Management Time of day Routing and Answering Rules Call Screening Desktop Call Controller Call Logs RingMe Click-to-Call from the Web Outlook Integration  [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been looking for a while for a call forwarding option that would allow intelligent call routing to a high level of detail and today I found it &#8211; allowing forwarding to be set on date and time along with a whole host of other features, the number of which is outstanding.</p>
<p>In the United Kingdom: <a href="http://www.ringcentral.bt.com/">http://www.ringcentral.bt.com/</a></p>
<p>In the USA: <a href="http://www.ringcentral.com/">http://www.ringcentral.com/</a></p>
<p>Features (UK Version):<br />
0800 Numbers<br />
0844 Numbers<br />
Voicemail with Email Delivery<br />
Internet Fax<br />
Auto-Attendant and Extensions<br />
Dial-by-name Directory<br />
In-Queue Music and Messages<br />
Call Diversion with FindMe<br />
Call Management<br />
Time of day Routing and Answering Rules<br />
Call Screening<br />
Desktop Call Controller<br />
Call Logs<br />
RingMe Click-to-Call from the Web<br />
Outlook Integration</p>
]]></content:encoded>
			<wfw:commentRss>http://www.iannoble.co.uk/low-cost-intelligent-call-routing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Intel Premier IT Professional &#8211; Sharing best practices with the IT Community</title>
		<link>http://www.iannoble.co.uk/intel-premier-it-professional-sharing-best-practices-with-it-community/</link>
		<comments>http://www.iannoble.co.uk/intel-premier-it-professional-sharing-best-practices-with-it-community/#comments</comments>
		<pubDate>Tue, 29 Apr 2008 15:22:15 +0000</pubDate>
		<dc:creator>iann</dc:creator>
				<category><![CDATA[Infrastructure Management]]></category>
		<category><![CDATA[intel]]></category>

		<guid isPermaLink="false"></guid>
		<description><![CDATA[http://ipip.intel.com/go/ [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://ipip.intel.com/go/">http://ipip.intel.com/go/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.iannoble.co.uk/intel-premier-it-professional-sharing-best-practices-with-it-community/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Junk Mail Filtering Success &#8211; Mail sent to invalid addresses</title>
		<link>http://www.iannoble.co.uk/junk-mail-filtering-success-mail-sent-invalid-addresses/</link>
		<comments>http://www.iannoble.co.uk/junk-mail-filtering-success-mail-sent-invalid-addresses/#comments</comments>
		<pubDate>Fri, 11 Apr 2008 18:15:44 +0000</pubDate>
		<dc:creator>iann</dc:creator>
				<category><![CDATA[Infrastructure Management]]></category>
		<category><![CDATA[junk_mail]]></category>

		<guid isPermaLink="false"></guid>
		<description><![CDATA[In the office, the quantity of blocked junk mail has increased significantly and is now running at 1/2 million blocked messages per month. After observing that my personal domain has started to see an increase in junk mail sent to invalid addresses, I configured our mail system to differentiate between junk mail sent to valid internal addresses and invalid internal addresses. The results have been a huge success, showing that 50% of all mail received is sent to invalid addresses, cutting the size of our junk mail queues in half overnight.  [...]]]></description>
			<content:encoded><![CDATA[<p>In the office, the quantity of blocked junk mail has increased significantly and is now running at 1/2 million blocked messages per month.</p>
<p>After observing that my personal domain has started to see an increase in junk mail sent to invalid addresses, I configured our mail system to differentiate between junk mail sent to valid internal addresses and invalid internal addresses.</p>
<p>The results have been a huge success, showing that 50% of all mail received is sent to invalid addresses, cutting the size of our junk mail queues in half overnight.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.iannoble.co.uk/junk-mail-filtering-success-mail-sent-invalid-addresses/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco reduces the frequency of non critical IOS updates to twice a year</title>
		<link>http://www.iannoble.co.uk/cisco-reduces-frequency-non-critical-ios-updates-twice-a-year/</link>
		<comments>http://www.iannoble.co.uk/cisco-reduces-frequency-non-critical-ios-updates-twice-a-year/#comments</comments>
		<pubDate>Sat, 08 Mar 2008 19:20:04 +0000</pubDate>
		<dc:creator>iann</dc:creator>
				<category><![CDATA[Infrastructure Management]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[updates]]></category>

		<guid isPermaLink="false"></guid>
		<description><![CDATA["Cisco is announcing program changes for the publication schedule for Cisco Internetwork Operating System (IOS) Security Advisories. Starting on March 26, 2008, Cisco will release bundles of IOS Security Advisories on the fourth Wednesday of the month in March and September of each calendar year. This schedule change will not restrict us from promptly publishing an individual IOS security advisory for a serious vulnerability which is publicly disclosed or for which we are aware of active exploitation. Cisco is adopting this approach in response to extensive feedback from customers, who seek further predictability for support planning and deployment cycles. The current format of IOS Security Advisories will remain the same. The software table in the advisory includes a list of recommended releases (where possible) for each software train that addresses all of the security vulnerabilities included in the bundle. All other non-IOS Cisco security vulnerabilities will continue to be announced per Cisco's standard disclosure policy, available at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html." Source: http://www.cisco.com/en/US/products/products_security_advisories_listing.html [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;Cisco is announcing program changes for the publication schedule for Cisco Internetwork Operating System (IOS) Security Advisories.</p>
<p>Starting on March 26, 2008, Cisco will release bundles of IOS Security Advisories on the fourth Wednesday of the month in March and September of each calendar year.</p>
<p>This schedule change will not restrict us from promptly publishing an individual IOS security advisory for a serious vulnerability which is publicly disclosed or for which we are aware of active exploitation.</p>
<p>Cisco is adopting this approach in response to extensive feedback from customers, who seek further predictability for support planning and deployment cycles.</p>
<p>The current format of IOS Security Advisories will remain the same. The software table in the advisory includes a list of recommended releases (where possible) for each software train that addresses all of the security vulnerabilities included in the bundle.</p>
<p>All other non-IOS Cisco security vulnerabilities will continue to be announced per Cisco&#8217;s standard disclosure policy, available at <a href="http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html">http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html</a>.&#8221;</p>
<p>Source: <a href="http://www.cisco.com/en/US/products/products_security_advisories_listing.html">http://www.cisco.com/en/US/products/products_security_advisories_listing.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.iannoble.co.uk/cisco-reduces-frequency-non-critical-ios-updates-twice-a-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>