SCOM monitor for removable devices on Windows Server 2012 (event IDs 4656, 4663) doesn't generate an alert


Hi, I created a monitor on SCOM 2012 to generate an alert for removable devices using event IDs 4656 and 4663. When a USB device is plugged in and something is copied out from the USB, event ID 4656/4663 is picked up in the Event Viewer of Windows Server 2012, but the SCOM monitor doesn't generate an alert at all. Can anyone advise me what the problem could be? Thanks in advance.

Here's the exported XML of the monitor.

<Monitoring>
  <Monitors>
    <UnitMonitor ConfirmDelivery="true" TypeID="MicrosoftWindowsLibrary7585010!Microsoft.Windows.SingleEventLogManualReset2StateMonitorType" Priority="Normal" Remotable="true" ParentMonitorID="Health!System.Health.SecurityState" Target="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Server.Computer" Enabled="true" Accessibility="Public" ID="UIGeneratedMonitor31432af1c0314b2ea7696791d7dac049">
      <Category>Custom</Category>
      <AlertSettings AlertMessage="UIGeneratedMonitor31432af1c0314b2ea7696791d7dac049_AlertMessageResourceID">
        <AlertOnState>Warning</AlertOnState>
        <AutoResolve>true</AutoResolve>
        <AlertPriority>High</AlertPriority>
        <AlertSeverity>Warning</AlertSeverity>
        <AlertParameters>
          <AlertParameter1>$Data[Default='']/Context/EventDescription$</AlertParameter1>
        </AlertParameters>
      </AlertSettings>
      <OperationalStates>
        <OperationalState ID="UIGeneratedOpStateId58a8f14c9fe94927a4984dbec28a7e29" HealthState="Success" MonitorTypeStateID="ManualResetEventRaised"/>
        <OperationalState ID="UIGeneratedOpStateIdb4815f99eb2248ff95a7b428c1dc702f" HealthState="Warning" MonitorTypeStateID="EventRaised"/>
      </OperationalStates>
      <Configuration>
        <ComputerName>$Target/Property[Type="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
        <LogName>Security</LogName>
        <Expression>
          <Or>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">4656</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
            <Expression>
              <SimpleExpression>
                <ValueExpression>
                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                </ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression>
                  <Value Type="UnsignedInteger">4663</Value>
                </ValueExpression>
              </SimpleExpression>
            </Expression>
          </Or>
        </Expression>
      </Configuration>
    </UnitMonitor>
  </Monitors>
</Monitoring>


Solution

1. An event must be identified not only by ID but also by log/channel. Please check that the event appears in the same log/channel as the one you are detecting in your MP.
2. You said that you can't see an alert, but can you see that the monitor changed its state? To make the monitor generate an alert you need to specify it explicitly.

For better advice, please post the source code of your monitor here.

Thank you, Roman.
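As an added example (not from the question or Roman's answer), a short Python script that reads the exported monitor fragment and pulls out what the two points above ask you to verify: the log/channel name, the event IDs in the Or-expression, and whether the health state the event drives the monitor into (the OperationalState with MonitorTypeStateID EventRaised) is the state named in AlertOnState. The embedded XML is a constructed, abridged copy of the fragment from the question with the viewer's "-" markers removed.

```python
# Added example, not from the question or the answer: read the exported
# UnitMonitor fragment and pull out what Roman's two points ask you to verify.
import xml.etree.ElementTree as ET

# Constructed, abridged copy of the fragment from the question (viewer "-" markers removed).
MONITOR_XML = """<Monitoring><Monitors>
<UnitMonitor ID="RemovableDeviceMonitor"
    TypeID="Windows!Microsoft.Windows.SingleEventLogManualReset2StateMonitorType">
  <AlertSettings AlertMessage="msg"><AlertOnState>Warning</AlertOnState></AlertSettings>
  <OperationalStates>
    <OperationalState ID="ok" HealthState="Success" MonitorTypeStateID="ManualResetEventRaised"/>
    <OperationalState ID="bad" HealthState="Warning" MonitorTypeStateID="EventRaised"/>
  </OperationalStates>
  <Configuration>
    <LogName>Security</LogName>
    <Expression><Or>
      <Expression><SimpleExpression>
        <ValueExpression><XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery></ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression><Value Type="UnsignedInteger">4656</Value></ValueExpression>
      </SimpleExpression></Expression>
      <Expression><SimpleExpression>
        <ValueExpression><XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery></ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression><Value Type="UnsignedInteger">4663</Value></ValueExpression>
      </SimpleExpression></Expression>
    </Or></Expression>
  </Configuration>
</UnitMonitor>
</Monitors></Monitoring>"""


def summarize_monitor(xml_text):
    """Return a dict describing what the monitor watches and when it alerts."""
    mon = ET.fromstring(xml_text).find(".//UnitMonitor")
    # Point 1: the log/channel the event must appear in, and the IDs matched.
    event_ids = set()
    for se in mon.iter("SimpleExpression"):
        if se.findtext("ValueExpression/XPathQuery") == "EventDisplayNumber":
            event_ids.add(int(se.findtext("ValueExpression/Value")))
    # Point 2: the health state the event drives the monitor into must be the
    # state AlertOnState names, otherwise the state changes but no alert is raised.
    raised = mon.find("OperationalStates/OperationalState[@MonitorTypeStateID='EventRaised']")
    raised_state = raised.get("HealthState") if raised is not None else None
    alert_on = mon.findtext("AlertSettings/AlertOnState")
    return {"log": mon.findtext("Configuration/LogName"), "event_ids": event_ids,
            "alert_on_state": alert_on, "state_on_event": raised_state,
            "alerts_on_event": alert_on is not None and alert_on == raised_state}
```

Compare the reported log name with the channel in which 4656/4663 actually appear in Event Viewer on the monitored server; that is the check point 1 asks for.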