Consolidating Duplicate Events in MOM 2005

March 2006

 

Often, events that you want to monitor occur frequently. If collected in their default state, they can fill the MOM database with redundant event data or cause network congestion. In some instances, you may wish to raise an alert if the issue occurs multiple times within a given period (e.g. 5 event occurrences within 10 minutes). A Consolidation rule, in conjunction with an Event rule that fires an alert or other response, can address this need. (In MOM management packs, out-of-the-box consolidation rules are most common in the IIS MP, where high-traffic web servers may create large numbers of alerts.)

 

The configuration steps are:

 

  1. Create a Consolidation rule to log a single summary event for multiple event occurrences.
  2. Create an Event rule to fire an e-mail Alert or other response as desired.

 

Creating the Consolidation Rule

 

A consolidation rule for an Application Event Log event will be used simply for purposes of illustration. You wish to track occurrences of the following event written by your custom application to the Application Event Log.

 

Event Source: apphelp

Event Number: 100

Event Severity: Error

Logged To: Application Log

 

However, you only wish to fire an alert if the same event occurs 10 times or more in a 5 minute period. To make this happen, we create a Consolidation rule as follows:

 

  1. Launch the MOM Administrator Console. In the Navigation pane, expand Rule Groups and browse to the target rule set.
  2. Right click the Event Rules icon and select New, Consolidation Rule (“Consolidate Similar Events”)
  3. Fill in the rule properties as listed in Table 1.

 

IMPORTANT:

All criteria defined on the Criteria tab must be identical for a given event in order for it to be consolidated by the rule.

 

 

Table 1 - Event Consolidation Rule Properties

 

| Tab | Property | Value |
|---|---|---|
| General | Name | Test Consolidation Rule |
| Data Provider | Provider name | Application – Windows NT Event log |
| Criteria | From Source | apphelp |
| Criteria | With Event ID | 100 |
| Consolidate | Fields to be consolidated | Event Number, Source Name |
| Consolidate | Events must occur within (seconds) | 300 (which is 5 minutes) |

 

The result of this rule is that for multiple occurrences of this event that occur within a 5 minute period, an event is logged for the first occurrence, and the repeat count (Consolidated: field in event details) is incremented for each additional occurrence within the next 5 minutes.

 

The Event output in the MOM Operator Console will look like this:

 

Domain: TEST
Computer: MGMTSVR1
Time: 3/20/2006 1:05:53 PM
Type: Success
Provider Name: Application
Event Number: 100
Provider Type: Event Log
Source: apphelp
Category:
Raises Alert: True
Consolidated: 7
From: 3/20/2006 1:05:22 PM
To: 3/20/2006 1:05:24 PM
Event Id: afa4bf83-899f-4388-b0b8-65cf7b12b4d6

 

Creating the Event Rule

 

To generate an Alert or other Response when the threshold is reached within the given timeframe, we create an Event Rule as follows:

 

  1. Launch the MOM Administrator Console. In the Navigation pane, expand Rule Groups and browse to the target rule set.
  2. Right click the Event Rules icon and select New, Event Rule (“Alert on or Respond to Event”)
  3. Fill in the rule properties as listed in Table 2.

 

 

Table 2 - Event Rule Properties

 

| Tab | Property | Value |
|---|---|---|
| General | Name | Test Consolidation Rule |
| Data Provider | Provider name | Application – Windows NT Event log |
| Criteria | From Source | apphelp |
| Criteria | With Event ID | 100 |
| Criteria – Advanced | Repeat count – is at least | 9 |
| Alert | Generate Alert | Checkbox selected |
| Response | Launch Script, Send Notification, etc. | |
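The two rules configured above can be modeled in a few lines to check the threshold arithmetic. This is an added example, not code from the original article or from MOM itself; the names `Event`, `Summary`, `consolidate` and `alerts` are hypothetical, the sample events are constructed, and the fixed window opening at the first occurrence is an assumed reading of the behavior described earlier.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time source event_id")
Summary = namedtuple("Summary", "source event_id first last repeat_count")
WINDOW = timedelta(seconds=300)   # "Events must occur within (seconds)", Table 1
MIN_REPEAT = 9                    # "Repeat count is at least", Table 2


def consolidate(events, window=WINDOW):
    """Collapse events sharing (source, event_id) into one summary per window.

    Assumed model: the window opens at the first occurrence and stays fixed;
    repeat_count counts only the additional occurrences after the first.
    """
    open_windows = {}   # (source, event_id) -> index into summaries
    summaries = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.source, ev.event_id)
        idx = open_windows.get(key)
        if idx is not None and ev.time - summaries[idx].first <= window:
            s = summaries[idx]
            summaries[idx] = s._replace(last=ev.time, repeat_count=s.repeat_count + 1)
        else:
            # Rule was idle for this key, or the window expired: new summary event.
            open_windows[key] = len(summaries)
            summaries.append(Summary(ev.source, ev.event_id, ev.time, ev.time, 0))
    return summaries


def alerts(summaries, min_repeat=MIN_REPEAT):
    """Event-rule stand-in: keep summaries whose repeat count meets the threshold."""
    return [s for s in summaries if s.repeat_count >= min_repeat]


def sample_events():
    """Constructed sample data, not taken from a real MOM database."""
    t0 = datetime(2006, 3, 20, 13, 0, 0)
    burst = [Event(t0 + timedelta(seconds=20 * i), "apphelp", 100) for i in range(10)]
    # Eight occurrences only: repeat count 7 stays below the alert threshold.
    quiet = [Event(t0 + timedelta(minutes=30, seconds=5 * i), "apphelp", 100) for i in range(8)]
    # Different source: the consolidated fields differ, so it is never merged.
    other = [Event(t0 + timedelta(seconds=30), "otherapp", 100)]
    return burst + quiet + other


if __name__ == "__main__":
    for s in consolidate(sample_events()):
        print(s, "ALERT" if s.repeat_count >= MIN_REPEAT else "-")
```

Ten occurrences produce a repeat count of 9 because the first occurrence is not counted as a repeat, which is why Table 2 uses 9 for a "10 times or more" requirement.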

 

 

How Consolidation Rules Work

 

Consolidation rules are actually idle until the first instance of the target event for consolidation occurs. So in our example, the rule would function as follows:

 

 

 

 

Hope you find this helpful. If you have any questions, please contact me via email or on the boards at www.momcommunity.com