
Tuesday, February 21, 2006

Event Filtering with Regular Expressions

Regular expressions are a handy way to narrow event/alert criteria in MOM 2005. Before diving into a quick example of event filtering using regular expressions, there are a couple of handy resources everyone should have:

  • A regular expressions cheat sheet (thanks John!):
    http://msmvps.com/blogs/jfhann/archive/2005/08/15/62762.aspx

  • A utility for validating the syntax of regular expressions. Run your regex through one of these to check your syntax. Regular Expressions Workbench is a nice tool for this function:
    http://blogs.msdn.com/ericgu/archive/2003/07/07/52362.aspx


This example illustrates how to filter unwanted Events generated by the Exchange Best Practices Analyzer Management Pack. Events included in the rule are simply ignored, and no longer generate alert traffic.




  1. Launch the MOM Administrator Console. Under Management Packs, browse to the Exchange Best Practices Analyzer MP.
  2. Right click the target rule and select Properties. Then go to the Criteria tab.
  3. Click the Advanced button. Below the Advanced Criteria window, define more criteria as follows:

     Field: Event Number
     Condition: Doesn’t match regular expression
     Value*: ^(1915|2179|1804)$

     *The Event IDs in the regular expression string will vary based on which Event IDs you wish to filter for a given Event Source. In this example, event IDs 1915, 2179, and 1804 generated by source BPA will be ignored.

  4. When complete, click Add to List. Click OK to exit. Then commit rule changes.


IMPORTANT:


For the example provided, note that under the ExBPA Event Handling folder there are 2 rules in the ExBPA management pack that generate alerts: 1) ExBPA Error and 2) ExBPA Warning. When identifying events you wish to filter, it is important to note the event type (warning or error) and update the regular expression on the appropriate rule. In this example, the source is BPA and the type is Warning or Error, depending on which event you’re editing.





Event Source and Source Name will generally be populated in the criteria. It is simply Event Numbers that must be defined for filtering for a given rule.


If you create a custom rule, be sure to define the correct Event Source and Source Name.



Breakdown of the regular expression components provided in this example:

Character    Character Definition
---------    --------------------
^            Matches the beginning of a line
( )          Groups one or more regular expressions to establish a logical regular expression consisting of sub-regular expressions. Used to override the standard precedence of certain operators.
|            OR operator. Matches either the regular expression preceding it or the regular expression following it. (Separates Event IDs in this example).
$            Matches the end of a line
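
An added example, not part of the original post: a small Python model of the "Doesn't match regular expression" condition, showing what the ^ and $ anchors in the Value above protect against. It assumes the criterion finds the pattern anywhere in the Event Number field unless anchored; the function names and the sample event numbers are constructed for illustration.

```python
import re

def build_filter(event_ids):
    """Build an anchored alternation such as ^(1915|2179|1804)$ from a list of IDs."""
    return "^(" + "|".join(re.escape(str(i)) for i in event_ids) + ")$"

def passes_criteria(pattern, event_number):
    """Model of 'Doesn't match regular expression' on the Event Number field.

    Assumption: the match is a substring-style search, so only ^ and $
    force the whole Event Number to equal one of the listed IDs.
    """
    return re.search(pattern, str(event_number)) is None

def alerting_events(pattern, events):
    """Event numbers that still satisfy the criteria and can raise an alert."""
    return [e for e in events if passes_criteria(pattern, e)]

def oversuppressed(strict, loose, events):
    """Events the loose pattern silences that the strict pattern would keep."""
    kept_by_strict = set(alerting_events(strict, events))
    kept_by_loose = set(alerting_events(loose, events))
    return sorted(kept_by_strict - kept_by_loose)

# Constructed sample: the three IDs to ignore, IDs that merely contain
# one of them as a substring, and one unrelated ID.
SAMPLE_EVENTS = [1915, 2179, 1804, 19150, 21915, 18040, 1001]

ANCHORED = build_filter([1915, 2179, 1804])   # the Value from the post
UNANCHORED = "(1915|2179|1804)"               # same IDs, anchors dropped

if __name__ == "__main__":
    print("anchored keeps:  ", alerting_events(ANCHORED, SAMPLE_EVENTS))
    print("unanchored keeps:", alerting_events(UNANCHORED, SAMPLE_EVENTS))
    print("silently lost:   ", oversuppressed(ANCHORED, UNANCHORED, SAMPLE_EVENTS))
```

With the anchors in place only the three listed IDs are ignored; without them, any event number containing one of those IDs would stop alerting as well.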





Comments on "Event Filtering with Regular Expressions"

 

Anonymous said ... (10:17 AM) : 

Hi,

I am using the security mgmt pack and needed to create a regular expression that will ignore the administrator and IWAM user names from alerts.

The expression I have is User Names Does Not Match Regular Expression (Administrator|IWAM)$, would this be correct and if not what would be correct?

Thank you very much for any help.

Mike

 
