Putting It All Together
Now that we've established the background of
the components, we will put them together into a useful set of
rules. Once the rules are combined together to form a set of rules
(a Rule Group), it can be tied to a Computer Group to search for
these conditions.
Creating a Rule Group
In order to get started, rules need a
container called a Rule Group. The first step in creating this new
set of rules is to establish this container.
- Right-click the Rule Groups folder and select Create Rule Group.
- Type a name such as MyTestRuleGroup and a short description for the new Rule Group.
- If appropriate, enter a long description for Company Knowledge Base.
- Click Finish. A prompt asking "Would you love to deploy the rules in this newly created Rule Group to a group of computers?" appears. Click No.
It's that simple. Now we have a container in which
we can add new Rules.
Note: We don't recommend that you tie the Rule Group to a Computer Group at this stage of creating Custom Rules. If you tie this Rule Group to an active Computer Group (a Computer Group that has agents associated with it), any new rules created can apply to those computers. This may not be the behavior desired, even if it's associated to a Computer Group containing test machines. It's preferable to join the Rule Group to a Computer Group after some verification that the rules have been created properly and are ready for testing.
Adding an Event Rule
Stepping through the creation of each Rule
type will help you understand the concepts and key configuration
areas to keep in mind. For the purposes of this sample, create a
standard Event Rule that looks for Event ID 21060 from the
Application Event Log. Event ID 21060 is actually an indication
that Computer Discovery has started.
- Right-click Event Rules and choose Create Event Rule.
- Select Alert on or Respond to Event (Event), as shown in Figure 8-6.
Figure 8-6
- Select the Application Provider and click Next, as shown in Figure 8-7.
Figure 8-7
Note: Listed under the Provider name are all the components that this rule can use. As management packs are imported, additional Providers will be listed in this drop-down. You can manage any of the listed Providers in the Providers section of the Administrator Console or directly from the rule itself by using the Modify button.
The general Event Providers should accommodate most situations. Providers starting with "Schedule every" indicate a timed event Provider type. These Providers generate an event based on the time frame desired; scheduling a script to run every x minutes, for example, is how this Provider type is used.
- Select the "with event id" check box, as shown in Figure 8-8. Type in 21060 and click Next.
Figure 8-8
Note: We've selected only one criterion for simplicity. You can use any of the other factors (source, type, description) to narrow the scope of the events to search for. You can select other criteria in the Advanced section, as well as use conditions other than "equals," including wildcards, Boolean expressions, or regular expressions.
- Leave the default as Always Process data, and click Next.
Note: Event Rules can be modified to look for events only during certain times of the day, week, and so on. This is useful if an event that occurs during the day is important, but when it occurs overnight, it doesn't necessarily matter.
- Select Generate alert, as shown in Figure 8-9. Leave all Alert properties as default and click Next.
Figure 8-9
- Leave Suppress duplicate alerts selected, and click Next.
- Leave the Responses section empty for now, and click Next.
- Leave the Knowledge Base empty for now, and click Next.
- Name your new Rule such as "Application Log event id 21060." Click Finish.
Adding a Performance Rule
Suppose that for this group of computers,
processor performance above 50 percent is a bad thing. In order to
generate an alert when this condition occurs, create a Threshold
Rule, as illustrated here:
- Right-click on Performance Rules. Choose Compare Performance Data.
- For the Provider name, choose Processor-% Processor Time-<All>-5.0-minutes, as shown in Figure 8-10, and click Next.
Figure 8-10
- Leave the default as Always process data, and click Next.
- Because there are no particular instances to look at in this case, click Next to continue, leaving all boxes unselected.
- For the Threshold value, choose "the average of values over" and type in 5 for the samples, as shown in Figure 8-11. For "Match when the threshold meets the following condition," choose the "greater than" radio button and type in 50 for the value. Click Next.
Figure 8-11
Note: The Threshold value section indicates the type of sampling to perform. In this example, "the average of values over 5 samples" is used. This indicates that if five samples average a value of greater than 50, then the condition is met.
- Select the Generate alert check box and click Next.
- Leave Suppress duplicate alerts checked and click Next.
- Leave the Responses section empty. Click Next.
- Leave the Knowledge Base empty or add in a summary. Click Next.
- Name your new rule, such as "Test Application Processor utilization." Click Finish.
Adding an Alert Rule
Now that you have an Event and Performance Rule, most likely the alerts they generate are things that should be seen at some level. With what's been done so far, the "Generate alert" check box will show the alerts in the console, but no actions will be performed at this stage (e-mail, paging, run scripts, and so on). Adding an Alert Rule is what gives the Event and Performance Rules some effect outside the console.
- Right-click Alert Rules and choose Create Alert Rules.
- Select the "of severity" check box and choose Error. Because in this case we need all potential alerts that are at least Error, click Advanced to modify the criteria.
- Choose the criteria to modify (if it exists in the window). Click Remove.
- Change the Condition to "is at least" and choose Add to List, as shown in Figure 8-12. Click Close to return to the Alert Criteria window.
Figure 8-12
- Now the Criteria description should state "Severity is at least 'Error,'" as shown in Figure 8-13. Click Next.
Figure 8-13
- Leave the default as Always process data. Click Next.
- In the Responses window, click the Add button and select Send a notification to a Notification Group. Choose Network Administrators. Because there are no members of Network Administrators yet, click Modify.
- Create a new operator to add to the Network Administrators group. In order to do this, choose New Operator.
- Give the new operator a name such as NetOpGuy1, and click Next.
- Check the Email this operator button. Enter NetOpGuy1's e-mail address and click Next.
- Click Next to advance through the Page properties.
- Click Next to advance through the Command properties. This should return to the Notification Group properties again for Network Administrators.
- Choose NetOpGuy1 and click the <- button. This places NetOpGuy1 in the Group operators window (see Figure 8-14), effectively making him a member of Network Administrators. Click OK.
Figure 8-14
- Click OK again to return to the Alert Rule properties.
- Type in any additional information for the Company Knowledge Base or leave it blank, and click Next.
- Name your new rule something like "Alert Network Admins on Errors or higher," and click Finish.
With this new Alert rule, MOM sends an e-mail
notification whenever there's a matching alert generated by rules
in the Rule Group with a severity of Error or higher. The only
thing left to do is associate it to a Computer Group.
Associating a Computer Group to the Rule Group
As stated earlier, the rules should be
double-checked before associating to a Computer Group. A good
practice to follow is to associate the Computer Group to a test
group so that only the test computers receive the new rules. If a
lab is accessible, testing rules in a lab is always the best way to
ensure the rules are sound. When the rules are ready to go, use the
following directions to associate it to a Computer Group.
- Right-click the Rule Group to associate. In this case, the rule group is MyTestRuleGroup. Choose Associate with Computer Group.
- This opens the Rule Group properties with the Computer Groups tab selected. Click Add.
- Because the Event Rule we created in the previous section is specific to MOM, choose the Microsoft Operations Manager 2005 Servers Computer Group and click OK (see Figure 8-15).
Figure 8-15
- Now the associated Computer Group is displayed in the Computer Groups tab. Click OK.
- In order to move things along, right-click the Management Packs node and choose Commit Configuration Change.
With the Computer Group associated, the
computers in the group will receive the new rules.