Defining Alerts

Microsoft Operations Manager 2000 (MOM) provides predefined alerts for monitored environments or applications within Management Pack modules. You can also create alerts that are specific to your enterprise.

You define alerts when you create processing rules. Processing rules identify the information to be collected, the alert to be generated, and any response to the identified condition. The following types of processing rules allow you to define alerts:

Event rules
Can generate an alert when specific events occur.
Missing event rules
Can generate an alert when a specific event does not occur during a specified time.
Threshold rules
Can generate an alert when a WMI numeric value crosses a defined threshold.


Alert Severity

Within a processing rule, you can define the severity of the alert, including Security Breach, Critical Alert, and Success. When you monitor alerts using the Monitor snap-in or the Web Console, the alert severity tells you at a glance the importance of the indicated condition.

Duplicate Alert Suppression

Event storms occur when an application or system rapidly produces a large number of identical events. If you have an alert associated to that particular event, receiving a large number of alerts for the same event could be annoying. MOM provides duplicate alert suppression, which combines duplicate alerts received while the original alert is unresolved into a single alert. You will see only one alert. The one alert indicates the number of alerts that were combined, the time of the first alert, and the time of the last alert.

Alert Response

Processing rules also define responses to an alert. Responses help resolve the issue indicated by the event or alert. Responses can include the following actions:

Processing rules can define more than one response. For example, if a Security Breach alert indicates that a security violation has occurred, MOM can respond by running a batch file that locks out an offending user account and by paging a network administrator.

Resolution State

Resolution state indicates the alert's current point in the resolution process. The default resolution state for most alerts is New. You can select any resolution state for an alert within the processing rule. When that alert occurs, its first resolution state is the state defined in the processing rule.

You can rename these resolution states, or create your own to meet the needs of your enterprise. Examples of custom resolution states might include In Progress or Deferred. Using the Configuration snap-in, you can create custom resolution states and the maximum length of time you expect alerts to remain in any particular state.

The maximum length of time you expect an alert to remain in a particular resolution state is called the service level agreement time. For example, a company policy might require all alerts with a resolution state of New to be addressed within ten minutes. If any alert remains with a resolution state of New for longer than ten minutes, it is considered a service level exception. The All Service Level Exceptions view in the Monitor snap-in and the Web Console shows the alerts that have spent more time than expected at a particular service level.

Other Alert Properties

You can assign an Owner to an alert. The owner is typically the person responsible for tracking and resolving the indicated problem. You can assign an Owner when you create a processing rule that generates an alert, or you can assign an Owner when the alert occurs. Alerts can also contain the source of the alert and an alert description.