Understanding Events

Events make up the majority of the information Microsoft Operations Manager 2000 (MOM) collects from providers. An event is a significant occurrence in the system or in an application. MOM monitors events logged in Windows 2000 and other event logs, and responds to timed events, missing events, and script-generated events.

Windows 2000 Events

Windows 2000 logs events in specific event logs, and MOM collects events from these logs. MOM can collect events from the following Windows 2000 event logs:

Application
Records events from applications on the computer.
DNS Server
Records events from the Domain Name Service (DNS) server on Windows 2000 computers.
File Replication
Records events from the File Replication service on Windows 2000 computers.
Directory Service
Records events from the Active Directory service on Windows 2000 computers.

Application Log Events

Some software applications create their own text log files. Using MOM, you can monitor the following application log files or messages:


UNIX Syslog Messages

UNIX systems can forward syslog messages (messages about system activity) to another computer. You can configure a UNIX computer to forward syslog messages to a MOM agent. The agent can receive syslog messages and create events for them, adding these events to the data stream.

For more information about configuring MOM to provide UNIX syslog messages as events, see the Installation Guide.

Missing Events

A missing event is an event that is supposed to occur within a specified time interval, but does not. You can create processing rules for events that you expect to occur within a specific time interval. If the event does not occur, it is considered to be missing.
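The following added example (not MOM code, and not how MOM implements processing rules) shows the logic behind a missing-event check: the monitored period is divided into fixed intervals, and any interval that contains no occurrence of the expected event is reported. The function name, the hourly interval, and the sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta


def find_missing_windows(event_times, start, end, interval):
    """Return the (window_start, window_end) pairs in which no event occurred.

    The period [start, end) is cut into consecutive half-open windows of
    length `interval`. A trailing partial window is not evaluated, because
    the expected event could still arrive before that window closes.
    """
    if interval <= timedelta(0):
        raise ValueError("interval must be positive")
    # Ignore events outside the monitored period and tolerate unsorted input.
    times = sorted(t for t in event_times if start <= t < end)
    missing = []
    i = 0
    window_start = start
    while window_start + interval <= end:
        window_end = window_start + interval
        seen = False
        # Consume every event that falls inside the current window.
        while i < len(times) and times[i] < window_end:
            seen = True
            i += 1
        if not seen:
            missing.append((window_start, window_end))
        window_start = window_end
    return missing


# Constructed sample: a job that should log a "completed" event every hour.
DAY = datetime(2000, 1, 1)
SAMPLE_EVENTS = [
    DAY.replace(hour=1, minute=50),
    DAY.replace(hour=0, minute=5),
    DAY.replace(hour=5, minute=59),
    DAY.replace(hour=4, minute=0),   # exactly on a boundary: counts for 04:00-05:00
    DAY.replace(hour=1, minute=10),
    DAY.replace(hour=9, minute=0),   # outside the monitored period, ignored
]

if __name__ == "__main__":
    gaps = find_missing_windows(SAMPLE_EVENTS, DAY, DAY.replace(hour=6), timedelta(hours=1))
    for window_start, window_end in gaps:
        print(f"MISSING: no event between {window_start:%H:%M} and {window_end:%H:%M}")
```

With the sample data, the windows 02:00-03:00 and 03:00-04:00 are reported as missing; a source that goes silent is often the first visible sign that logging or an agent has stopped.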

Timed Events

MOM can create timed events, which are events created automatically on a timed basis. For example, suppose you want to test your third-party paging notification software once a day. You can create a processing rule that creates a daily event at 3:00 P.M. You can then assign a notification response to page a network administrator, sending a test message. Timed events are not stored in the database.

SNMP Traps

MOM can monitor Simple Network Management Protocol (SNMP) traps through extrinsic WMI events. An SNMP trap is a packet of information sent by a network device that is running SNMP. SNMP is a protocol based on TCP/IP and is used to monitor and manage network devices. The network device can be hardware, such as a router, or a computer running any operating system. An SNMP trap is usually sent in response to an event, such as a service stopping. Some SNMP traps indicate normal system operation.

Service Status Changes

MOM can monitor service status list changes through intrinsic WMI events. A service is a program or routine that provides support to other programs. A WMI event is generated when a service changes from one of the following states to another state:

For example, you might want to monitor the print spooler on a remote computer. You want to know if the spooler service stops for any reason. You can create a processing rule that monitors WMI for an event indicating that the Spooler service on the computer has stopped, and when the event occurs, generates an alert.