SCOM Visual Studio Authoring – Basic Alert Rule

Welcome back, today will be a shorter one than last time: a basic alert rule. This rule watches the Application event log for an event with an event ID of “1234” and an event source of “TestSource”, and raises an alert when that condition is met. Included in the project is a script (Make-TestEventLog.ps1) that will create a test event log entry. That’s about all there is to it. Let’s begin!

Download the MP here:

Alert Rule XML:



  • ID – “BasicAlertRule.TestSource1234.AlertRule” – This uniquely identifies the rule within the management pack.
  • Enabled – “True” – This rule is enabled by default for all targeted objects.
  • Target – “Windows!Microsoft.Windows.Server.Computer” – This is the class that the rule targets, in this case all Windows server computers.
  • Category – Alert – It’s an alert rule, so that’s the category.


  • ID – “DS” – This uniquely identifies the data source item within the scope of the rule; it’s not global to the MP.
  • TypeID – “Windows!Microsoft.Windows.EventProvider” (see the Microsoft.Windows.EventProvider documentation) – The “Windows!” portion is an alias that references the Microsoft.Windows.Library MP, and the “Microsoft.Windows.EventProvider” portion references the data source within that MP which we are creating a configuration for.
  • ComputerName – “$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$” – This is a reference to the “NetworkName” property of the parent class of the Windows.Server.Computer class we are targeting our rule against. It’s essentially just the name of the computer the rule will be running on.
  • LogName – Application – This is the event log that the rule is monitoring (Application, Security, etc.).
  • Expression – This is the filter to find the events we’re looking for in the Application log.

WriteActions – In this case it’s configuring the alert for the rule.

  • ID – Alert – Again, just an identifier scoped only to the rule, not the entire MP.
  • TypeID – “Health!System.Health.GenerateAlert” (see the System.Health.GenerateAlert documentation; the screenshot above has incorrect info cuz I don’t know how I’m too lazy to fix it in the screenshot). Like the other TypeID, we’re targeting an outside MP and creating a configuration for a write action within it.
  • Priority and Severity are pretty straightforward and covered in the documentation linked in the TypeID above.
  • AlertMessageId – “$MPElement[Name="BasicAlertRule.TestSource1234.AlertRule.AlertMessage"]$” – This is the unique name given to the alert and is used for providing a “friendly” name within the console, more on this in a moment (see “String Resource” below).
  • AlertParameters – These are used as variables that can be surfaced to the alert message within the console. Here’s a good resource for various options for parameters: Thanks Kevin (read his stuff, it’s good).
  • All the other stuff, meh… Don’t really need it here for this example.
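The elements walked through above, assembled into one Visual Studio fragment. This is an added example, not the XML from the original project: the Priority and Severity values, the AlertParameter1 content and the XPath property names used in the filter are assumptions, and the “Windows!” and “Health!” aliases must match the references defined in your own project.

```xml
<ManagementPackFragment SchemaVersion="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Monitoring>
    <Rules>
      <Rule ID="BasicAlertRule.TestSource1234.AlertRule" Enabled="true" Target="Windows!Microsoft.Windows.Server.Computer">
        <Category>Alert</Category>
        <DataSources>
          <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
            <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
            <LogName>Application</LogName>
            <!-- Filter: event ID 1234 AND event source "TestSource" -->
            <Expression>
              <And>
                <Expression>
                  <SimpleExpression>
                    <ValueExpression><XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery></ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression><Value Type="UnsignedInteger">1234</Value></ValueExpression>
                  </SimpleExpression>
                </Expression>
                <Expression>
                  <SimpleExpression>
                    <ValueExpression><XPathQuery Type="String">PublisherName</XPathQuery></ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression><Value Type="String">TestSource</Value></ValueExpression>
                  </SimpleExpression>
                </Expression>
              </And>
            </Expression>
          </DataSource>
        </DataSources>
        <WriteActions>
          <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
            <!-- Assumed values: Priority 1 = medium, Severity 2 = critical -->
            <Priority>1</Priority>
            <Severity>2</Severity>
            <AlertMessageId>$MPElement[Name="BasicAlertRule.TestSource1234.AlertRule.AlertMessage"]$</AlertMessageId>
            <AlertParameters>
              <!-- Assumed parameter: pass the event description through to the alert text -->
              <AlertParameter1>$Data/EventDescription$</AlertParameter1>
            </AlertParameters>
          </WriteAction>
        </WriteActions>
      </Rule>
    </Rules>
  </Monitoring>
</ManagementPackFragment>
```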

String Resource – This one is kinda weird, but in essence it represents the alert message and is required if you’re going to create an alert. Notice it’s the same as the AlertMessageId (without all the MPElement drapery). Nothing more to really say about that I suppose.


Language Packs – Not required but if you want your stuff to look pretty in the console you’ll want to take the time to configure these.


  • ID – ENU – English. You can do multiple languages for any given anything, so keep that in mind if you want to do multilingual MPs.
  • Default – Default language I think? Also, if you split up your language pack definitions in Visual Studio like I do, it will get angry if you put true on one and false on another. Or maybe it’s all of them… I’m not sure; for my purposes false is grand and it will likely be the same for you.
  • DisplayString ElementID – This corresponds to those unique ID identifiers for rules and alerts and provides friendly display data for them in the console.
  • Remember that AlertParameter earlier? This is where you can reference the variable in the KB for the console. Take notice that the parameters begin at AlertParameter1 and go on to AlertParameter2, 3, 4, etc., but the references in the description begin at zero: {0}, then {1}, {2}, etc. I’ve always thought it odd that one reference sequence begins at 1 and the other at 0. Just thought I’d point it out as something to keep in mind when trying to reference the correct variable.
  • KnowledgeArticle – This is the KB for the alert, pretty straightforward. Check the documentation if you want more info.
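A matching string resource and language pack, showing the off-by-one between AlertParameter1 and {0}. This is an added example, not the XML from the original project: the display names, description text and knowledge article content are constructed placeholders.

```xml
<ManagementPackFragment SchemaVersion="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Presentation>
    <StringResources>
      <!-- Same name the rule's AlertMessageId points at, without the $MPElement[...]$ wrapper -->
      <StringResource ID="BasicAlertRule.TestSource1234.AlertRule.AlertMessage" />
    </StringResources>
  </Presentation>
  <LanguagePacks>
    <LanguagePack ID="ENU" IsDefault="false">
      <DisplayStrings>
        <!-- Friendly name of the rule itself (constructed text) -->
        <DisplayString ElementID="BasicAlertRule.TestSource1234.AlertRule">
          <Name>TestSource 1234 Alert Rule</Name>
          <Description>Alerts on event ID 1234 from source TestSource in the Application log.</Description>
        </DisplayString>
        <!-- Alert name and description shown in the console (constructed text) -->
        <DisplayString ElementID="BasicAlertRule.TestSource1234.AlertRule.AlertMessage">
          <Name>TestSource event 1234 detected</Name>
          <!-- {0} is AlertParameter1, {1} would be AlertParameter2, and so on -->
          <Description>Event description: {0}</Description>
        </DisplayString>
      </DisplayStrings>
      <KnowledgeArticles>
        <KnowledgeArticle ElementID="BasicAlertRule.TestSource1234.AlertRule" Visible="true">
          <MamlContent>
            <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">
              <maml:title>Summary</maml:title>
              <maml:para>Placeholder KB text for the TestSource 1234 alert.</maml:para>
            </maml:section>
          </MamlContent>
        </KnowledgeArticle>
      </KnowledgeArticles>
    </LanguagePack>
  </LanguagePacks>
</ManagementPackFragment>
```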

Alright, another exciting day in SCOM. Next time we’ll delve into scripted alert rules. Thanks for dropping by!
