A single event immediately followed by a second event can be indicative of a serious issue. To monitor these types of issues, you can configure the correlated Windows event unit monitor to define a health state for two different events that occur within a short time frame.

In the Create Monitor Wizard, you define three events in succession. The first event you define is the simple event. This event triggers a timer. The second event you define is the first correlated event. This event is compared to the simple event to specify the health state for the monitor. The third event you define is the second correlated event to reset the health state to Healthy.

To create a correlated Windows event unit monitor

  1. In the Essentials 2007 console, click the Authoring button.

  2. In the Authoring pane, expand Authoring, expand Management Pack Objects, and then click Monitors.

  3. Click the Scope button.

  4. In the Scope MP Objects by target(s) dialog box, in the Look for text box, type Windows Computer, select the Windows Computer target check box, and then click OK.

  5. In the Monitors pane, expand Windows Computer, expand Entity Health, right-click Availability, point to Create a monitor, and then click Unit Monitor.

  6. In the Create Monitor Wizard, on the Select a Monitor Type page, expand Windows Events, expand Correlated Event Detection, click Windows Event Reset, and then click Next.

    Note
    You can select a Management Pack either from the Select destination management pack list or create a new unsealed Management Pack by clicking New.

  7. On the General Properties page, in the Name box, type a name for the Windows event unit monitor, and then optionally type a description.

  8. In the Parent monitor list, click the appropriate parent monitor, and then click Next.

  9. On the Event Log Name page (for the simple event), under Log name, click the (...) button.

  10. On the Select event log page, under Computer, click the (...) button or type the name of the computer, click one of the available event logs, and then click OK.

  11. On the Event Log Name page, click Next.

  12. On the Build Event Expression page (for Build Simple Event Expression), set Event ID equal to the Windows Event ID that you want to monitor, set Event Source equal to the source of the event, and then click Next.

    Note
    Event ID and Source are properties of an event and can be viewed in the Windows Event Viewer.

  13. On the Event Log Name page (for Define Event Log Name A), under Log name, click the (...) button.

  14. On the Select event log page, under Computer, click the (...) button or type the name of the computer, click one of the available event logs, and then click OK.

  15. On the Event Log Name page, click Next.

  16. On the Build Event Expression page (for Build Event Log Expression for A), set Event ID equal to the Windows Event ID that you want to monitor, set Event Source equal to the source of the event, and then click Next.

    Note
    Event ID and Source are properties of an event and can be viewed in the Windows Event Viewer.

  17. On the Event Log Name page (for Define Event Log Name B), under Log name, click the (...) button.

  18. On the Select event log page, under Computer, click the (...) button or type the name of the computer, click one of the available event logs, and then click OK.

  19. On the Event Log Name page, click Next.

  20. On the Build Event Expression page (for Build Event Log Expression B), set Event ID equal to the Windows Event ID that you want to monitor, set Event Source equal to the source of the event, and then click Next.

    Note
    Event ID and Source are properties of an event and can be viewed in the Windows Event Viewer.

  21. On the Correlated Events Configuration page:

    1. Under Correlation Interval, set the correlation interval you want.

      Note
      The minimum value for a correlation interval is 1 second. The maximum value is 2,147,483,647 seconds (approximately 68 years).

    2. Under Correlation Details, in the Correlate when the following happens list, click an entry in the list that defines the relationship between the simple event (A) and the first correlating event (B).

    3. Click Next.

  22. On the Configure Health page:

    1. For the EventRaised row, click the name in the Operational State column and type a new name for this event, click health state in the Health State column, and then click Critical or Warning.

    2. For the CorrelatedEventRaised row, click the name in the Operational State column and type a new name for this event, click health state in the Health State column, and then click Healthy.

    3. Click Next.

  23. On the Configure Alerts page, set the properties of the alert, and then click Create.

    Note
    You can test the functionality of the event monitor with the eventcreate.exe command-line utility that is included with Windows XP and Windows Server 2003 operating systems. The following is an example: C:\WINNT\system32\eventcreate.exe /L SYSTEM /ID 100 /T ERROR /D "System Event ID 100 from source EventCreate". For more information about EventCreate, see http://go.microsoft.com/fwlink/?LinkId=79244.
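
The following script is an added example, not part of the original procedure: it uses eventcreate.exe to raise the simple event and the first correlated event a few seconds apart, confirms from the event log that both landed inside the correlation interval, and then raises the second correlated event that resets the monitor. The event IDs 101 and 102, the 60-second interval, the 5-second gap, and the function names are constructed values for illustration; it assumes Windows PowerShell 2.0 or later and an administrative prompt.

```powershell
# Added example. Replace the constructed values with the ones entered in the wizard.
$Log          = 'SYSTEM'       # log selected on the Event Log Name pages
$Source       = 'EventCreate'  # source written by eventcreate.exe when no source is given
$SimpleId     = 100            # simple event (starts the timer)
$CorrelatedId = 101            # first correlated event (constructed ID)
$ResetId      = 102            # second correlated event, resets to Healthy (constructed ID)
$IntervalSec  = 60             # Correlation Interval from step 21 (constructed value)
$GapSec       = 5              # delay between the first two events; keep below $IntervalSec

function New-TestEvent([int]$Id, [string]$Type, [string]$Text) {
    # Write one test event and stop if eventcreate.exe reports a failure.
    & eventcreate.exe /L $Log /ID $Id /T $Type /D $Text | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "eventcreate.exe failed for event ID $Id" }
}

function Get-LatestTestEvent([int]$Id, [datetime]$Since) {
    # TimeGenerated has one-second resolution, so look back one extra second.
    Get-EventLog -LogName $Log -Source $Source -After $Since.AddSeconds(-1) |
        Where-Object { $_.EventID -eq $Id } |
        Sort-Object TimeGenerated | Select-Object -Last 1
}

$start = Get-Date
New-TestEvent $SimpleId 'ERROR' "Test simple event $SimpleId"
Start-Sleep -Seconds $GapSec
New-TestEvent $CorrelatedId 'ERROR' "Test correlated event $CorrelatedId"

# Confirm both events were logged and measure the gap the monitor will see.
$simple = Get-LatestTestEvent $SimpleId $start
$corr   = Get-LatestTestEvent $CorrelatedId $start
if (-not $simple -or -not $corr) { throw 'Test events were not found in the log.' }

$delta = ($corr.TimeGenerated - $simple.TimeGenerated).TotalSeconds
if ($delta -le $IntervalSec) {
    "Events logged $delta s apart, inside the $IntervalSec s correlation interval."
} else {
    Write-Warning "Events logged $delta s apart, outside the $IntervalSec s correlation interval."
}

# Check the health state in the console before sending the reset event.
Read-Host 'Check the monitor state in the console, then press Enter to send the reset event' | Out-Null
New-TestEvent $ResetId 'INFORMATION' "Test reset event $ResetId"
```

After the last event, the monitor should show the state assigned on the Configure Health page.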
