Alerting on two Event IDs
Sakkie
I am currently setting up alert rules on Event ID generated.
My event ID’s I alert on are 560 (Folder, Reg Access) and 562 (Folder, Reg
edited).
I would like to alert the user when both events are generated. Don’t really
know if the And Group expression will work.
If this can’t be done, Is there a way to alert on event ID 560 and display
event data from 562?
Alerting on both is more accurate that only alerting on one event ID
Cheers
sridhar
you can create a wmi unite moniter to check for two event.
lehi
>
> - Show quoted text -
I have created a simlar alert but currently it is not working:
I created a unit montior for to alert on a particular event id
I selected a computer group that contains the computers I'm interested
in, slected Availability as the parent monitor and chose the
application event log which is where the event happens. selected the
evnt id as the paramater name, operator was equals and value was the
event value im looking for.
under health state:
critical was the healt state and operation sate was event raised
alerting was configured to send an alert
when monitor is in critical health state
to test I use the eventcreate tool and it does create the event with
the correct event id in the correct server event log, but scom does
not seem to detect the event. Is there something else I'm missing?
If i could get this to work I could create another montor for the next
eventid which would do what the user wants. I just couldnt get the
expression to be an or instead of an and ( to capture both event id in
one rule)