Creating a Repeat Event Detection Rule

I had a requirement to create a repeat event detection rule the other day, and I thought to myself that it would be very easy.  As it turns out though, it is not as easy to create a repeat event detection rule as it is a monitor.  When creating a new monitor you have an option to select a Repeat Event monitor type, but when creating a rule there is no such option.  I then set about looking for a way to solve this issue, as I needed to alert on repeated events but I didn’t want to affect the state of any object.

After 30 minutes or so, I found the Consolidator module which sounded like it could provide me with the functionality I needed.  After further digging, I managed to confirm that I could indeed use this module as a condition detection on the rule to perform the repeat count.  So, by building a custom rule in the Authoring Console or in the XML, you can manually specify a data source module, a condition detection module, and a write action module to create an alert generating rule based on repeat events.

I’ll demonstrate how to build an alert generating repeat event detection rule using the Authoring Console.  I know many of you also work directly in the XML, as I am one of them, but I don’t think that is the most common way of authoring; to satisfy you XML geeks out there, though, I will also provide the XML.

1.  Create a new custom rule.



2.  Provide an ID, Name, Description and Target.



3.  Select the Modules tab.

4.  Create a New data source.

5.  Select Microsoft.Windows.EventProvider, enter a module ID, click OK.



6.  Create a New condition detection.

7.  Select System.ConsolidatorCondition, enter a module ID, click OK.



8.  Create a New write action.

9.  Select System.Health.GenerateAlert, enter a module ID, click OK.



10.  Your rule modules should now look like this.



11.  Now to configure the modules.

12.  Edit EventProvider, then select Configure to configure the events you want to monitor for.  Click OK to get back to the modules.



13.  Edit Consolidator, then select Configure to set the repeat detection requirements.  Click OK to get back to the modules.



14.  Edit Alert, then select Configure to specify the alert information required.   Click OK to get back to the modules.



20.  Update Product Knowledge and rule Options as you require.

21.  Click OK and you’re done!

And, as promised, here is the XML.

<Rule ID="TEST.NewRule" Enabled="true" Target="Windows!Microsoft.Windows.Server.OperatingSystem" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
    <DataSource ID="EventProvider" TypeID="Windows!Microsoft.Windows.EventProvider">
        <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
        <Value Type="UnsignedInteger">1234</Value>
        <XPathQuery Type="String">PublisherName</XPathQuery>
        <Value Type="String">TEST</Value>
    <ConditionDetection ID="Consolidator" TypeID="System!System.ConsolidatorCondition">
        <ConsolidationProperties />
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
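
To make the behaviour of the three-module chain above concrete, here is an added Python example (not code from this post or from Operations Manager) that models it: filter on event ID 1234 from publisher TEST, count matches inside a time window, and raise one alert when the count is reached. The threshold of 3, the 60-second window, the host field, the restart-after-alert behaviour and the reading of group_by=() as "count everything together" are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_repeats(events, event_id, publisher, count, window, group_by=()):
    """Return an alert each time `count` matching events fall within `window`.

    events: time-ordered dicts with 'time', 'id', 'publisher' and any group_by keys.
    group_by=() counts all matches together; naming fields counts per distinct value.
    """
    recent = defaultdict(deque)  # group key -> timestamps of matches still in window
    alerts = []
    for ev in events:
        # Data source stage: keep only the event ID and publisher of interest.
        if ev["id"] != event_id or ev["publisher"] != publisher:
            continue
        key = tuple(ev[k] for k in group_by)
        times = recent[key]
        times.append(ev["time"])
        # Condition detection stage: forget matches older than the window.
        while ev["time"] - times[0] > window:
            times.popleft()
        if len(times) >= count:
            # Write action stage: one alert, then restart the count so a
            # burst of events yields a single alert rather than one per event.
            alerts.append({"group": key, "first": times[0],
                           "last": ev["time"], "count": len(times)})
            times.clear()
    return alerts

# Constructed sample events (not real log data); offsets are seconds from T0.
T0 = datetime(2024, 1, 1, 12, 0, 0)

def make_event(offset, event_id=1234, publisher="TEST", host="srv01"):
    return {"time": T0 + timedelta(seconds=offset), "id": event_id,
            "publisher": publisher, "host": host}

SAMPLE_EVENTS = [
    make_event(0), make_event(20),
    make_event(30, event_id=999),          # wrong event ID: ignored
    make_event(40),                        # third match within 60 s
    make_event(50), make_event(200),       # too far apart to count together
    make_event(400, host="srv02"), make_event(410, host="srv02"),
    make_event(420, publisher="OTHER"),    # wrong publisher: ignored
    make_event(430),                       # srv01 again
]

if __name__ == "__main__":
    for a in detect_repeats(SAMPLE_EVENTS, 1234, "TEST", 3, timedelta(seconds=60)):
        print("ALERT:", a)
```

Counting all hosts together produces two alerts on this sample, while passing group_by=("host",) produces one, which is the difference to keep in mind when deciding what the repeat count should be scoped to.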

I think this does highlight that there are a number of modules that we could be making better use of, but we just don’t know about them.

Happy rule building!