How to Create an NT-Event-Log Event Collection Rule in Operations Manager 2007
Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1
Use the following procedure to create an NT-Event-Log event collection rule in Operations Manager 2007. The events collected by the rule are displayed in event views for the targeted objects.
To create an NT-Event-Log event collection rule in Operations Manager 2007
Start the Operations Manager 2007 Create Rule Wizard.
For information about starting the Create Rule Wizard, see How to Start the Create Rule Wizard in Operations Manager 2007.
On the Select a Rule Type page, do the following:
Expand Collection Rules, expand Event Based, and then click NT Event Log.
Select a Management pack from the list or click New to create a management pack with the Create a Management Pack Wizard.
The rule will be added to the specified management pack; therefore, only unsealed management packs are listed. By default, when you create a management pack object, disable a rule or monitor, or create an override, Operations Manager saves the setting to the Default Management Pack. As a best practice, you should create a separate management pack for each sealed management pack you want to customize, rather than saving your customized settings to the Default Management Pack. For more information, see Default Management Pack.
On the Rule Name and Description page, do the following:
Type the Rule name, such as Win App Event 1000 LoadPerf.
Optionally, type a Description for the rule.
Click Select, click a target, such as Windows Computer, and then click OK.
Leave Rule is enabled selected to have the rule take effect at the completion of the wizard, or clear the check box to enable the rule at a later time, and then click Next.
On the Event Log Name page, leave Log name set to Application, or click the (…) button and select a different event log, and then click Next.
On the Build Event Expression page, build the filter the rule will use to collect events, for example:
Set Event Number equal to the Windows Event ID of the events you want the rule to collect, such as 1000.
Set Event Source to a specific source of the events, such as LoadPerf.
Click Insert to add an Expression, such as Event Level equals Error, or group expressions with OR or AND operators.
The rule created in the preceding steps will collect Windows events that have an ID of 1000 and were generated by the source LoadPerf. Event ID and Source are properties of Windows events and can be viewed in the Windows Event Viewer.
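Before enabling the rule, it can help to preview on one targeted computer which events the expression would match and how many the rule would collect. The following script is an added example, not part of the original procedure or of Operations Manager. It assumes Windows PowerShell with the Get-EventLog cmdlet, and the seven-day window ($Days) is an assumed sample period.

```powershell
# Added example: preview the events that the expression built in the wizard
# (Event Number equals 1000 AND Event Source equals LoadPerf) would match.
# Run locally on a computer that the rule will target.
$LogName     = 'Application'   # Event Log Name page
$EventId     = 1000            # Event Number in the expression
$EventSource = 'LoadPerf'      # Event Source in the expression
$Days        = 7               # assumption: sample window for the preview

$since = (Get-Date).AddDays(-$Days)

# Get-EventLog filters on log, source and time. The Event ID test is applied
# afterwards because -InstanceId is the full 32-bit identifier and can differ
# from the Event ID shown in Event Viewer.
# To mirror an inserted "Event Level equals Error" expression, add
# "-EntryType Error" to the Get-EventLog call.
$matched = @(
    Get-EventLog -LogName $LogName -Source $EventSource -After $since `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq $EventId }
)

'{0} event(s) in the {1} log match ID {2} / source {3} over the last {4} day(s)' -f `
    $matched.Count, $LogName, $EventId, $EventSource, $Days

# Per-day counts give a rough idea of how much data the rule will collect.
$matched |
    Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object Name, Count

# Show the most recent matches so the filter can be checked against
# what Event Viewer displays for the same events.
$matched |
    Sort-Object TimeGenerated -Descending |
    Select-Object -First 5 TimeGenerated, EntryType, Source, EventID, Message |
    Format-List
```

A count of zero on a computer where the events are visible in Event Viewer usually means the source name or log name in the expression does not match what the event actually records.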