Now that we've established the background of the components, we will put them together into a useful set of rules. Once the rules are combined together to form a set of rules (a Rule Group), it can be tied to a Computer Group to search for these conditions.
In order to get started, rules need a container called a Rule Group. The first step in creating this new set of rules is to establish this container.
Right-click the Rule Groups folder and select Create Rule Group.
Type a name such as MyTestRuleGroup and a short description for the new Rule Group.
If appropriate, enter a long description for Company Knowledge Base.
Click Finish. A prompt asking "Would you like to deploy the rules in this newly created Rule Group to a group of computers?" appears. Click No.
It's that simple. Now we have a container in which we can add new Rules.
We don't recommend that you tie the Rule Group to a Computer Group at this stage of creating Custom Rules. If you tie this Rule Group to an active Computer Group (a Computer Group that has agents associated with it), any new rules created can apply to those computers. This may not be the behavior desired, even if it's associated to a Computer Group containing test machines. It's preferable to join the Rule Group to a Computer Group after some verification that the rules have been created properly and are ready for testing.
Stepping through the creation of each Rule type will help you understand the concepts and key configuration areas to keep in mind. For the purposes of this sample, create a standard Event Rule that looks for Event ID 21060 from the Application Event Log. Event ID 21060 is actually an indication that Computer Discovery has started.
Right-click Event Rules and choose Create Event Rule.
Select Alert on or Respond to Event (Event), as shown in Figure 8-6.
Select the Application Provider and click Next, as shown in Figure 8-7.
Listed under the Provider name are all the components that this rule can use. As management packs are imported, additional Providers will be listed in this drop-down. You can manage any of the listed Providers in the Providers section of the Administrator Console or directly from the rule itself by using the Modify button.
The general Event Providers should accommodate most situations. Providers whose names start with "Schedule every" are timed event Providers: they generate an event on the schedule you choose, which is how you run a script every x minutes, for example.
Select the "with event id" check box, as shown in Figure 8-8. Type in 21060 and click Next.
We've selected only one criterion for simplicity. You can use any of the other factors (source, type, description) to narrow the scope of the events to search for. You can select other criteria in the Advanced section, as well as use conditions other than "equals," including wildcards, Boolean expressions, or regular expressions.
Leave the default as Always Process data, and click Next.
Event Rules can be modified to look for events only during certain times of the day, week, and so on. This is useful if an event that occurs during the day is important, but when it occurs overnight, it doesn't necessarily matter.
Select Generate alert, as shown in Figure 8-9. Leave all Alert properties as default and click Next.
Leave Suppress duplicate alerts selected, and click Next.
Leave the Responses section empty for now, and click Next.
Leave the Knowledge Base empty for now, and click Next.
Name your new Rule such as "Application Log event id 21060." Click Finish.
Suppose that for this group of computers, processor performance above 50 percent is a bad thing. In order to generate an alert when this condition occurs, create a Threshold Rule, as illustrated here:
Right-click on Performance Rules. Choose Compare Performance Data.
For the Provider name, choose Processor-% Processor Time-<All>-5.0-minutes, as shown in Figure 8-10, and click Next.
Leave the default as Always process data, and click Next.
Because there are no particular instances to look at in this case, click Next to continue, leaving all boxes unselected.
For the Threshold value, choose "the average of values over" and type in 5 for the samples, as shown in Figure 8-11. For "Match when the threshold meets the following condition," choose the "greater than" radio button and type in 50 for the value. Click Next.
The Threshold value section indicates the type of sampling to perform. In this example, "the average of values over 5 samples" is used. This indicates that if five samples average a value of greater than 50, then the condition is met.
Select the Generate alert check box and click Next.
Leave Suppress duplicate alerts checked and click Next.
Leave the Responses section empty. Click Next.
Leave the Knowledge Base empty or add in a summary. Click Next.
Name your new rule, such as "Test Application Processor utilization." Click Finish.
Now that you have an Event Rule and a Performance Rule, the alerts they generate are most likely things that someone should see. With what's been done so far, the "Generate alert" check box only shows the alerts in the console; no actions (e-mail, paging, running scripts, and so on) are performed at this stage. An Alert Rule is what gives the alerts raised by the Event and Performance Rules an effect outside the console.
Right-click Alert Rules and choose Create Alert Rules.
Select the "of severity" check box and choose Error. Because in this case we need all potential alerts that are at least Error, click Advanced to modify the criteria.
Choose the criteria to modify (if it exists in the window). Click Remove.
Change the Condition to "is at least" and choose Add to List, as shown in Figure 8-12. Click Close to return to the Alert Criteria window.
Now the Criteria description should read "Severity is at least 'Error'," as shown in Figure 8-13. Click Next.
Leave the default as Always process data. Click Next.
In the Responses window, click the Add button and select Send a notification to a Notification Group. Choose Network Administrators. Because there are no members of Network Administrators yet, click Modify.
Create a new operator to add to the Network Administrators group. In order to do this, choose New Operator.
Give the new operator a name such as NetOpGuy1, and click Next.
Check the Email this operator button. Enter NetOpGuy1's e-mail address and click Next.
Click Next to advance through the Page properties.
Click Next to advance through the Command properties. This returns you to the Notification Group properties for Network Administrators.
Choose NetOpGuy1 and click the <— button. This places NetOpGuy1 in the Group operators window (see Figure 8-14), effectively making him a member of Network Administrators. Click OK.
Click OK again to return to the Alert Rule properties.
Type in any additional information for the Company Knowledge Base or leave it blank, and click Next.
Name your new rule something like "Alert Network Admins on Errors or higher," and click Finish.
With this new Alert Rule, MOM sends an e-mail notification whenever a rule in the Rule Group generates a matching alert with a severity of Error or higher. The only thing left to do is associate the Rule Group with a Computer Group.
As stated earlier, the rules should be double-checked before they are associated with a Computer Group. A good practice is to associate the Rule Group with a test Computer Group first, so that only the test computers receive the new rules. If a lab is accessible, testing rules in a lab is always the best way to ensure the rules are sound. When the rules are ready to go, use the following directions to associate the Rule Group with a Computer Group.
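The three rules built above (the Event Rule matching Event ID 21060 from the Application log, the Threshold Rule averaging five samples against 50, and the Alert Rule passing alerts "at least Error" to Network Administrators) form one chain; the following toy model, added here as an example and not MOM's own code, walks constructed events and processor samples through that chain so you can check the matching and averaging semantics before deploying to a Computer Group. The severity order and the default alert severity of Error are assumptions of the toy, not values confirmed by the text.

```python
"""Toy model of the chapter's rule chain (added example, not MOM code).
An Event Rule and a Threshold Rule raise alerts; an Alert Rule keeps those
of severity Error or higher and notifies Network Administrators.
All events and samples below are constructed for illustration."""
from collections import deque

# MOM severities from lowest to highest (assumed ordering for this toy).
SEVERITY = ["Success", "Information", "Warning", "Error", "Critical Error",
            "Security Breach", "Service Unavailable"]
EVENT_RULE_LOG, EVENT_RULE_ID = "Application", 21060   # "Application Log event id 21060"
THRESHOLD_SAMPLES, THRESHOLD_VALUE = 5, 50.0            # "average of values over 5 samples" > 50

def event_rule(event, severity="Error"):
    """Event Rule: alert when Event ID 21060 is seen in the Application log.
    Default severity Error is an assumption standing in for 'Alert properties as default'."""
    if event["log"] == EVENT_RULE_LOG and event["event_id"] == EVENT_RULE_ID:
        return {"severity": severity, "source": "event rule", "detail": event["description"]}
    return None

class ThresholdRule:
    """Threshold Rule: the average of the last 5 samples must exceed 50."""
    def __init__(self, samples=THRESHOLD_SAMPLES, value=THRESHOLD_VALUE):
        self.window = deque(maxlen=samples)   # sliding window of recent samples
        self.value = value

    def feed(self, sample):
        """Add one % Processor Time sample; return an alert once 5 samples average > 50."""
        self.window.append(sample)
        if len(self.window) < self.window.maxlen:
            return None                        # not enough samples to average yet
        avg = sum(self.window) / len(self.window)
        if avg > self.value:
            return {"severity": "Error", "source": "threshold rule",
                    "detail": f"avg {avg:.1f}% over {len(self.window)} samples"}
        return None

def alert_rule(alerts, minimum="Error"):
    """Alert Rule: 'Severity is at least Error' -> notify Network Administrators."""
    floor = SEVERITY.index(minimum)
    return [f"notify Network Administrators: {a['source']}: {a['detail']}"
            for a in alerts if SEVERITY.index(a["severity"]) >= floor]

def run_demo():
    """Push constructed events and samples through the chain; return the notifications."""
    events = [  # constructed log records: only the first should match
        {"log": "Application", "event_id": 21060, "description": "Computer Discovery started"},
        {"log": "System", "event_id": 21060, "description": "wrong log, must not match"},
        {"log": "Application", "event_id": 21061, "description": "wrong id, must not match"}]
    cpu = [40, 70, 30, 60, 45, 80]   # constructed samples: 5th window avg 49, 6th avg 57
    alerts = [a for a in map(event_rule, events) if a]
    rule = ThresholdRule()
    alerts += [a for a in map(rule.feed, cpu) if a]
    return alert_rule(alerts)
```

Run run_demo() to see one notification from the event rule and one from the threshold rule; the first full window (average 49) correctly stays silent.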
Right-click the Rule Group to associate. In this case, the rule group is MyTestRuleGroup. Choose Associate with Computer Group.
This opens the Rule Group properties with the Computer Groups tab selected. Click Add.
Because the Event Rule we created in the previous section is specific to MOM, choose the Microsoft Operations Manager 2005 Servers Computer Group and click OK (see Figure 8-15).
Now the associated Computer Group is displayed in the Computer Groups tab. Click OK.
To apply the change promptly, right-click the Management Packs node and choose Commit Configuration Change.
With the Computer Group associated, the computers in the group will receive the new rules.