Data Mine the Windows Event Log by Using SCOM
I recall a discussion with a colleague a while ago around errors and warnings in event log. He was insisting that event logs should be immaculate but this sounded so disconnected from reality that I regarded it as utopia.
But he had a point – it must be that errors and warnings are there to be audited and reviewed. And fixed.
SCOM is the right tool to accomplish this task. The Management Pack that I crafted and uploaded to the TechNet Gallery gets this done for you: https://gallery.technet.microsoft.com/Windows-Event-Log-Data-cc1fe248.
Let’s make things clear from the very beginning so there is no confusion on what this Management Pack goes after.
It is NOT collecting ALL warnings and errors in Event Logs (Application, System and Operations Manager). That would be a very bad idea.
Instead it only collects statistics, periodically (every 1 day), for error and warning log entries generated in the last 24h. And by statistics I mean just count each Event ID and Source combination and provide for convenience also a sample description. Plus, the Management Pack exposes these statistics in a report.
There are 2 rules that perform the collections:
– Windows EventLog Data Mining Event Collection Rule (MS) that targets Management Server – enabled by default
– Windows EventLog Data Mining Event Collection Rule (Agent) that targets the Agent – disabled by default.
Here is a screenshot of the report:
Probably you noticed that report parameter allows you to select Information Event Type. What? We said only Error and Warnings.
Yes, that’s not by mistake – the report will display as Information events the System.Exceptions thrown by the auditing script, like:
– no Error or Warning events found
– auditing script failed because the target system does not meet the minimal requirements
I hope that you’ll appreciate the benefits of having such auditing tool in place in your environment.
And, as always, please have it tested in a Dev environment first before importing into Prod.