Hello, was there an answer as to why Multiple SCOM Alerts for the same unique Windows Event? I am seeing this with SCOM 2019.
Thanks.
Graham.
Hi Graham,
If you are using a custom Rule and you haven't configured Alert Suppression, then this is expected. The rule will simply generate one Alert for each logged Event.
I would like to point to a similar thread here, answered by one of the Experts - CyrAz:
SCOM 2019 - Alert Suppresion for same alerts on same agent
scom-2019-alert-suppresion-for-same-alerts-on-same.html
I hope I could help you out with this.
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Stoyan Chalakov
Hi Stoyan,
I don't think it is to do with Alert Suppression as I have this configured.
I have the same issue as in the original post, and that is when only one event is created in the Windows Log file, 3 alerts are generated in the SCOM Console for the one logged event.
When the same event (only one) is logged in the Windows log file again, 3 more alerts are generated in the SCOM Console and they Dup so Alert Suppression is working. So now I have 3 alerts Dup'd.
When the same event (only one) is logged in the Windows log file again, 3 more alerts are generated in the SCOM Console and they Dup again.
So now 3 events in the Windows Event Log, and 9 alerts generated which all dup up, that is, 3 alerts each Dup'd 3 times each.
Any ideas?
Regards,
Graham.
Same here. 3 alerts for one unique Event.
Is this a custom rule? If so; can you post the code?
If it is from a Microsoft Management Pack then which one? And does it happen for just one rule or does it seem to happen for a number of rules?
Also; does it happen for all servers? Or just specific ones? E.g. same OS?
I've never seen this before so it would be interesting to narrow down what is causing it.
The simplest answer is that there are multiple rules using the same criteria so each rule is triggering one alert but I guess that sadly isn't the case.
All my custom rules monitoring various events in the Forwarded Events log do the same. One Alert in the Console, 3 email alerts sent via subscription. Same content, same event ID.
No issues or clues in the Operations Manager log on the server monitoring Forwarded Events log or management server generating alert and sending notifications.
Hi Graham,
I think I get it now. I don't think that the same event is picked up by different rules, otherwise you will see this in the console. Each alert in the console shows the workflow that generated the alert (a rule or a monitor), so you would have noticed this.
In my opinion, you need to look for clues either on the agent directly (Health Changes, Maintenance Mode related issues, Events in the Opsmgr event log, etc.) or on its corresponding management server.
Does this happen in an intermittent way or can it be reproduced? Is the same rule the cause? Any Maintenance Mode schedules involved?
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Stoyan Chalakov
It happens every time the specific Event ID is detected. I've checked all possible logs, except enabling verbose on the management server.
Hi Jan,
Do the alerts get generated by the same rule? What do you see in the alert properties itself, which rule is mentioned there? Also, when you open the alert context of each alert, do you see the same event with the same time stamp?
Thanks,
Stoyan
Could you confirm number of events, number of alerts and number of emails. Graham Parker in the original post mentioned 1 event to 3 SCOM alerts in the SCOM console but no details about number of emails.
You seem to have a different issue 1 event to 1 SCOM alert in the SCOM console to 3 emails. Do you include the workflowid and subscription id in the email to confirm that they are all from the same workflow \ subscription?
Does this only impact rules? Or rules and monitors? If monitors then I'd suspect a misconfigured monitor that is triggering health state changes so that it looks like you have only one alert but if you look at health explorer you'll see the monitor doing a quick flip \ flop similar to what Kevin explains here - https://kevinholman.com/2009/11/24/writing-monitors-to-target-logical-or-physical-disks/ (I appreciate you are not doing disk monitoring but the concept is the same).
Perhaps create a closed alert view on that specific type of alert and confirm that an alert isn't closing straight away. Do you have any automation tool that manipulates the alerts that might be impacting this?
You have also mentioned forwarded events. So to confirm; you have configured Windows Event Log Forwarding so events are being forwarded from the event log on one server (which I'm guessing does not have a SCOM agent installed) to the event log on another which does have a SCOM agent installed. This isn't something I've done in the past but I might be able to test in my lab. Which log is this ? Security? Is it from Domain Controllers? Password reset events?
I'm sorry. You are absolutely right. Graham's issue is not the same and I missed it. My bad.
I have one event, one alert but three exactly identical "notifications". Not email, but MS Teams, although the process seems to be the same.
Alerts are initiated by rule. The trigger is Event with Event ID 6008 (unexpected shutdown) in Forwarded Events log, sent by Windows clients to Windows Event Collector (Windows Server with SCOM agent).
I will try to extend notification with the workflow ID and subscription ID to identify possible differences between "notifications" but I'm skeptical, because only one subscription is related to this MS Teams channel,
Thanks a lot for your help!
If it is just custom rules that are targeted just at forwarded events then that could potentially be the issue but on the other hand, if it was a rule issue then I'm surprised you only get one scom console alert to 3 notifications.
On that basis, all I can suggest is trying to narrow down where the issue is occurring.
E.g. If all 3 notifications do have the same workflow id and same subscription id then do all 3 notifications occur at exactly the same time or is there a delay (even of a few seconds) between them?
If the notifications \ Teams integration is triggered by a script then can you put some logging in the script to verify whether the script is executing once and Teams is generating 3 notifications or whether the script is executing 3 times and Teams is just doing what you'd expect and firing off a notification for each time the script tells it to?
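The logging check suggested above, sketched as an added example that is not part of the original posts: a PowerShell notification script records every execution, and a helper counts executions per alert and the time spread between them. The parameter names, mutex name and log path are assumptions; the channel is assumed to pass the alert ID and subscription ID as arguments.

```powershell
# Added example. Parameter names, mutex name and log path are assumptions.
param(
    [string]$AlertId,
    [string]$SubscriptionId,
    [string]$LogPath = (Join-Path $env:TEMP 'notify-invocations.csv')
)

function Write-InvocationRecord {
    param([string]$AlertId, [string]$SubscriptionId, [string]$LogPath)
    # Serialize writers: duplicate executions may start within milliseconds.
    $mutex = New-Object System.Threading.Mutex($false, 'NotifyInvocationLog')
    [void]$mutex.WaitOne()
    try {
        [pscustomobject]@{
            TimeUtc        = [DateTime]::UtcNow.ToString('o')
            ProcessId      = $PID
            AlertId        = $AlertId
            SubscriptionId = $SubscriptionId
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    finally {
        $mutex.ReleaseMutex()
        $mutex.Dispose()
    }
}

function Get-InvocationSummary {
    param([string]$LogPath)
    # One output row per alert/subscription pair: execution count and time spread.
    Import-Csv -Path $LogPath | Group-Object AlertId, SubscriptionId | ForEach-Object {
        $times = @($_.Group | ForEach-Object {
            [DateTime]::Parse($_.TimeUtc, [Globalization.CultureInfo]::InvariantCulture,
                [Globalization.DateTimeStyles]::RoundtripKind)
        } | Sort-Object)
        [pscustomobject]@{
            AlertId        = $_.Group[0].AlertId
            SubscriptionId = $_.Group[0].SubscriptionId
            Executions     = $_.Count
            SpreadSeconds  = [math]::Round(($times[-1] - $times[0]).TotalSeconds, 1)
        }
    }
}

# Log only when the channel supplied an alert ID, so the file can also be
# dot-sourced to call Get-InvocationSummary by hand.
if ($AlertId) {
    Write-InvocationRecord -AlertId $AlertId -SubscriptionId $SubscriptionId -LogPath $LogPath
    # ... existing code that posts to Teams continues here ...
}
```

Three executions for one alert ID mean the script itself was started three times; one execution with three Teams messages puts the duplication after the script.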
This is really embarrassing for me, but the real source of these notifications was SCSM fiddling with the alert. Known issue. Sorry and thanks again for your time.
Thanks for posting back with the resolution; the troubleshooting process might help others in a similar situation so all good in the end.