SCOM Event Log monitoring–Event Source vs EventSourceName

This is an old subject and EVERYBODY should know how to create an Alerting rule that detects a certain event and triggers an alert. However, the way things are laid out in SCOM can make your daily life difficult. I just ran into an issue yesterday that was giving me (more) gray hair.

The requirement was simple: detect abnormal BSOD or power related shutdowns. Easy as pie, right?

The events are fairly easy to pinpoint. Say, for example, event ID 1001:


Cool. All you have to do is create an Alerting rule in SCOM, with this criteria:


Event ID: 1001

Source: BugCheck


Right?

Wrong!

Here’s what I’ve experienced. When testing the rule, I run a simple PowerShell command to create a fake event:

Write-EventLog -LogName System -Source "BugCheck" -EntryType Error -EventId 1001 -Message "This is a test message."

The resulting event looks pretty similar to the real one:


That should have triggered my alerts. It didn’t however. Since I have ‘faked’ the event, the message shows me a bit more than just ‘This is a test message.’:


Now, notice this:


Why does it say the source is Microsoft-Windows-WER-SystemErrorReporting when the source is supposed to be "BugCheck"?

So, I decided to change the rule's Source to Microsoft-Windows-WER-SystemErrorReporting:


Bingo! Now the alert was generated correctly. In summary, the source you see in the event log is what SCOM sees when detecting the event. The same applies to Kernel-Power, for example:


The reason for that is in the details of the event:


In fact, the EventSourceName is 'BugCheck'. The Provider Name is what SCOM treats as the source, as the event details show:

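To make the difference concrete, here is an added PowerShell example (not from the original post) that reads the two "source" attributes from an event's XML and emulates how the SCOM rule criterion compares against them. The event XML is a constructed sample modelled on the post's BugCheck event; the Provider Name and EventSourceName values are the ones shown above.

```powershell
# Added example: Provider Name vs EventSourceName on a Windows event.
# The XML below is a constructed sample resembling the event raised by
# Write-EventLog in the post; it is not captured from a real system.

function Get-EventSourceFields {
    param([Parameter(Mandatory)][xml]$EventXml)
    $sys = $EventXml.Event.System
    # local-name() sidesteps the default event namespace for the ID lookup
    $id = $sys.SelectSingleNode("*[local-name()='EventID']").InnerText
    [pscustomobject]@{
        EventId         = [int]$id
        ProviderName    = $sys.Provider.Name             # what SCOM matches as "Source"
        EventSourceName = $sys.Provider.EventSourceName  # what Event Viewer labels "Source"
    }
}

function Test-ScomSourceMatch {
    # Emulates the SCOM rule criterion from the post: Event ID plus Source,
    # where Source is compared against Provider Name, not EventSourceName.
    param([Parameter(Mandatory)]$Fields, [int]$RuleEventId, [string]$RuleSource)
    ($Fields.EventId -eq $RuleEventId) -and ($Fields.ProviderName -eq $RuleSource)
}

[xml]$sample = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WER-SystemErrorReporting" EventSourceName="BugCheck" />
    <EventID Qualifiers="16384">1001</EventID>
    <Channel>System</Channel>
  </System>
  <EventData><Data>This is a test message.</Data></EventData>
</Event>
"@

$fields = Get-EventSourceFields -EventXml $sample
$fields | Format-List

# The first rule (Source: BugCheck) never fires; the second one does.
"Rule Source=BugCheck matches: " + (Test-ScomSourceMatch $fields 1001 'BugCheck')
"Rule Source=Microsoft-Windows-WER-SystemErrorReporting matches: " +
    (Test-ScomSourceMatch $fields 1001 'Microsoft-Windows-WER-SystemErrorReporting')

# On a live system the same fields come from the real event's XML:
# Get-WinEvent -FilterHashtable @{LogName='System'; Id=1001} -MaxEvents 1 |
#     ForEach-Object { Get-EventSourceFields ([xml]$_.ToXml()) }
```

Running the commented Get-WinEvent line before writing a rule tells you which value to put in the Source field without guessing.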

The way to fix it, if you want to match on the EventSourceName, is to use a custom field. Notice that SCOM doesn't provide a native 'EventSourceName' option:


You can then use the custom field in the rule criteria:


And there you have it!


Hope this helps!