I had a requirement to create a repeat event detection rule the other day, and I thought to myself that it would be very easy. As it turns out though, it is not as easy to create a repeat event detection rule as it is a monitor. When creating a new monitor you have an option to select a Repeat Event monitor type, but when creating a rule there is no such option. I then set about looking for a way to solve this issue, as I needed to alert on repeated events but I didn’t want to affect the state of any object.

After 30 minutes or so, I found the Consolidator module which sounded like it could provide me with the functionality I needed.  After further digging, I managed to confirm that I could indeed use this module as a condition detection on the rule to perform the repeat count.  So, by building a custom rule in the Authoring Console or in the XML, you can manually specify a data source module, a condition detection module, and a write action module to create an alert generating rule based on repeat events.

I’ll demonstrate how to build an alert generating repeat event detection rule using the Authoring Console. I know many of you also work directly in the XML, as I am one of them, but I don’t think that is the most common way of authoring; but to satisfy you XML geeks out there, I will also provide the XML.

1.  Create a new custom rule.

2.  Provide an ID, Name, Description and Target.

3.  Select the Modules tab.

4.  Create a New data source.

5.  Select Microsoft.Windows.EventProvider, enter a module ID, click OK.

6.  Create a New condition detection.

7.  Select System.ConsolidatorCondition, enter a module ID, click OK.

8.  Create a New write action.

9.  Select System.Health.GenerateAlert, enter a module ID, click OK.

10.  Your rule modules should now look like this.

11.  Now to configure the modules.

12.  Edit EventProvider, then select Configure to configure the events you want to monitor for.  Click OK to get back to the modules.

13.  Edit Consolidator, then select Configure to set the repeat detection requirements.  Click OK to get back to the modules.

14.  Edit Alert, then select Configure to specify the alert information required.   Click OK to get back to the modules.

20.  Update Product Knowledge and rule Options as you require.

21.  Click OK and you’re done!

And, as promised, here is the XML.

      <Rule ID="TEST.NewRule" Enabled="true" Target="Windows!Microsoft.Windows.Server.OperatingSystem" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
        <Category>Custom</Category>
        <DataSources>
          <DataSource ID="EventProvider" TypeID="Windows!Microsoft.Windows.EventProvider">
            <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
            <LogName>Application</LogName>
            <Expression>
              <And>
                <Expression>
                  <SimpleExpression>
                    <ValueExpression>
                      <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
                    </ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression>
                      <Value Type="UnsignedInteger">1234</Value>
                    </ValueExpression>
                  </SimpleExpression>
                </Expression>
                <Expression>
                  <SimpleExpression>
                    <ValueExpression>
                      <XPathQuery Type="String">PublisherName</XPathQuery>
                    </ValueExpression>
                    <Operator>Equal</Operator>
                    <ValueExpression>
                      <Value Type="String">TEST</Value>
                    </ValueExpression>
                  </SimpleExpression>
                </Expression>
              </And>
            </Expression>
          </DataSource>
        </DataSources>
        <ConditionDetection ID="Consolidator" TypeID="System!System.ConsolidatorCondition">
          <Consolidator>
            <ConsolidationProperties />
            <TimeControl>
              <WithinTimeSchedule>
                <Interval>300</Interval>
              </WithinTimeSchedule>
            </TimeControl>
            <CountingCondition>
              <Count>10</Count>
              <CountMode>OnNewItemTestOutputRestart_OnTimerRestart</CountMode>
            </CountingCondition>
          </Consolidator>
        </ConditionDetection>
        <WriteActions>
          <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
            <Priority>1</Priority>
            <Severity>2</Severity>
            <AlertMessageId>$MPElement[Name="AlertMessageID916c4011bf974c688031509e9d09a120"]$</AlertMessageId>
            <AlertParameters>
              <AlertParameter1>$Data/Count$</AlertParameter1>
              <AlertParameter2>$Data/Context/DataItem/EventDescription$</AlertParameter2>
            </AlertParameters>
          </WriteAction>
        </WriteActions>
      </Rule>
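
To check a Count and Interval pair before importing the rule, the Python sketch below reads the Consolidator settings from the XML above and replays constructed event timelines against them. It is an added example, not part of the original post or of Operations Manager; the counting semantics in `simulate` are an assumed reading of the count mode name, and `load_settings`, `simulate` and the sample timelines are hypothetical names and data.

```python
import xml.etree.ElementTree as ET

# Consolidator settings copied from the rule XML on this page.
CONSOLIDATOR_XML = """<Consolidator>
  <ConsolidationProperties />
  <TimeControl><WithinTimeSchedule><Interval>300</Interval></WithinTimeSchedule></TimeControl>
  <CountingCondition>
    <Count>10</Count>
    <CountMode>OnNewItemTestOutputRestart_OnTimerRestart</CountMode>
  </CountingCondition>
</Consolidator>"""

def load_settings(xml_text):
    """Return (interval_seconds, count, count_mode) from a <Consolidator> element."""
    root = ET.fromstring(xml_text)
    return (int(root.findtext("TimeControl/WithinTimeSchedule/Interval")),
            int(root.findtext("CountingCondition/Count")),
            root.findtext("CountingCondition/CountMode"))

def simulate(event_times, interval, count):
    """Return the event times (seconds) at which an alert would be raised.

    Assumed reading of OnNewItemTestOutputRestart_OnTimerRestart: the window
    opens at the first counted event, every new event tests the count, hitting
    the count outputs and restarts, and window expiry restarts silently.
    """
    alerts, window_start, seen = [], None, 0
    for t in sorted(event_times):
        if window_start is not None and t - window_start >= interval:
            window_start, seen = None, 0      # timer expired: restart, no output
        if window_start is None:
            window_start = t                  # first event opens a new window
        seen += 1
        if seen >= count:                     # threshold reached: output, restart
            alerts.append(t)
            window_start, seen = None, 0
    return alerts

# Constructed sample timelines (seconds since an arbitrary start).
BURST = [i * 20 for i in range(10)]           # 10 events in 180 s
SLOW = [i * 60 for i in range(10)]            # 10 events in 540 s
# 18 events, 17 of them inside 17 s, split across a window boundary.
STRADDLE = [0] + list(range(292, 300)) + list(range(300, 309))

if __name__ == "__main__":
    interval, count, mode = load_settings(CONSOLIDATOR_XML)
    print(mode, interval, count)
    for name, times in (("burst", BURST), ("slow", SLOW), ("straddle", STRADDLE)):
        print(name, simulate(times, interval, count))
```

Under the assumed semantics, the straddle timeline produces no alert even though it is denser than the burst, because the count restarts when the window expires; keep that in mind when choosing Count and Interval.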

I think this does highlight that there are a number of modules that we could be making better use of, but we just don’t know about them.

Happy rule building!

David