Event unit monitors in Microsoft Windows can be one of three types: manual reset, timer reset, and Windows event reset. A Windows event reset type of unit monitor detects two events: the first event indicates a failure, and the second event indicates that the failure was resolved.

Use the procedure in this topic to create a unit monitor to generate alerts based on two events in an event log: the first event, indicating an issue, and the second event, indicating that the problem was resolved.

To create a simple Windows event unit monitor

  1. In the Essentials 2007 console, click the Authoring button.

  2. In the Authoring pane, expand Authoring, expand Management Pack Objects, and then click Monitors.

  3. Click the Scope button.

  4. In the Scope MP Objects by target(s) dialog box, in the Look for text box, type Windows Computer, select the Windows Computer target check box, and then click OK.

  5. In the Monitors pane, expand Windows Computer, expand Entity Health, right-click Availability, point to Create a monitor, and then click Unit Monitor.

  6. In the Create Monitor Wizard, on the Select a Monitor Type page, expand Windows Events, expand Simple Event Detection, click Windows Event Reset, and then click Next.

    Note
    You can either select a Management Pack from the Select destination management pack list or create a new unsealed Management Pack by clicking New.

  7. On the General Properties page, in the Name box, type a name for the Windows event unit monitor, and then, optionally, type a description.

  8. In the Parent monitor list, click the appropriate parent monitor, and then click Next.

  9. On the Event Log Name page (for the unhealthy event), under Log name, click the (...) button.

  10. On the Select event log page, under Computer, click the (...) button or type the name of the computer, click one of the available event logs, and then click OK.

  11. On the Event Log Name page, click Next.

  12. On the Build Event Expression page (for the unhealthy event), set Event ID equal to the Windows Event ID that you want to monitor, such as 100. Set Event Source equal to the source of the event, such as EventCreate, and then click Next.

    Note
    Event ID and Source are properties of an event and can be viewed in the Windows Event Viewer.

  13. On the Event Log Name page (for the healthy event), under Log name, click the (...) button.

  14. On the Select event log page, under Computer, click the (...) button or type the name of the computer, click one of the available event logs, and then click OK.

  15. On the Event Log Name page, click Next.

  16. On the Build Event Expression page (for the healthy event), set Event ID equal to the Windows Event ID that you want to monitor, set Event Source equal to the source of the event, and then click Next.

    Note
    Event ID and Source are properties of an event and can be viewed in the Windows Event Viewer.

  17. On the Configure Health page, do the following:

    1. For the FirstEventRaised row, click the name in the Operational State column and type a new name for this event, click health state in the Health State column, and then click Critical or Warning.

    2. For the SecondEventRaised row, click the name in the Operational State column and type a new name for this event, click health state in the Health State column, and then click Healthy.

    3. Click Next.

  18. On the Configure Alerts page, set the properties of the alert and then click Create.

    Note
    You can test the functionality of the event monitor with the eventcreate.exe command-line utility that is included with Windows XP and Windows Server 2003 operating systems. The following is an example:

        C:\WINNT\system32\eventcreate.exe /L SYSTEM /ID 100 /T ERROR /D "System Event ID 100 from source EventCreate"

    For more information about EventCreate, see http://go.microsoft.com/fwlink/?LinkId=79244.
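
A test of both states of the finished monitor, as an added example that is not part of the original procedure. It assumes an elevated PowerShell prompt on Windows Vista or Windows Server 2008 or later (for Get-WinEvent), and a healthy Event ID of 101, which is a placeholder for whatever ID you set in step 16.

```powershell
# Added example: exercise both halves of a Windows Event Reset unit monitor.
# Run from an elevated prompt on the monitored computer.
$UnhealthyId = 100            # unhealthy Event ID used in the procedure above
$HealthyId   = 101            # assumption: the ID you chose for the healthy event in step 16
$Source      = 'EventCreate'  # source that eventcreate.exe writes when /SO is not given
$Log         = 'System'       # must match the log selected on the Event Log Name pages

function Send-TestEvent {
    param([int]$Id, [string]$Type, [string]$Text)

    $start = Get-Date
    # Write the event with the same utility the procedure's note uses.
    & eventcreate.exe /L $Log /ID $Id /T $Type /D $Text | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "eventcreate.exe failed with exit code $LASTEXITCODE (is the prompt elevated?)"
    }

    # Confirm the event reached the log with the ID and source the monitor matches on.
    $filter = @{
        LogName      = $Log
        ProviderName = $Source
        Id           = $Id
        StartTime    = $start.AddSeconds(-5)
    }
    $found = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $found) {
        throw "Event $Id from source $Source was not found in the $Log log"
    }
    $found | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName
}

# 1. Raise the unhealthy event: the monitor should go Critical or Warning and alert.
Send-TestEvent -Id $UnhealthyId -Type ERROR -Text 'Test: unhealthy event for the unit monitor'
Read-Host 'Check the monitor state and alert in the console, then press Enter'

# 2. Raise the healthy event: the monitor should return to Healthy.
Send-TestEvent -Id $HealthyId -Type INFORMATION -Text 'Test: healthy event for the unit monitor'
```

If the first event is found in the log but the monitor does not change state, compare the log name, Event ID, and Event Source in the monitor's expressions against the values printed by the script.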
