Introduction
This is the 14th installment of the Automating OpsMgr series. Previously in this series:
- Automating OpsMgr Part 1: Introducing OpsMgrExtended PowerShell / SMA Module
- Automating OpsMgr Part 2: SMA Runbook for Creating ConfigMgr Log Collection Rules
- Automating OpsMgr Part 3: New Management Pack Runbook via SMA and Azure Automation
- Automating OpsMgr Part 4: Creating New Empty Groups
- Automating OpsMgr Part 5: Adding Computers to Computer Groups
- Automating OpsMgr Part 6: Adding Monitoring Objects to Instance Groups
- Automating OpsMgr Part 7: Updated OpsMgrExtended Module
- Automating OpsMgr Part 8: Adding Management Pack References
- Automating OpsMgr Part 9: Updating Group Discoveries
- Automating OpsMgr Part 10: Deleting Groups
- Automating OpsMgr Part 11: Configuring Group Health Rollup
- Automating OpsMgr Part 12: Creating Performance Collection Rules
- Automating OpsMgr Part 13: Creating 2-State Performance Monitors
In parts 12 and 13, I demonstrated how to create performance-related workflows using the OpsMgrExtended module. Today I will start discussing event data: in this post, I will demonstrate how to create an event collection rule.
In the OpsMgrExtended module, there is a function called New-OMEventCollectionRule, which can be used to create event collection rules. It is fully documented, and you can access the documentation by using the Get-Help cmdlet:
Get-Help New-OMEventCollectionRule
A side note here: last week, I received an email asking me whether the OpsMgrExtended module can be used outside of SMA and Azure Automation. The answer is yes, it can be used as a normal PowerShell module. For all the functions included in the module, you can access the examples by using the Get-Help cmdlet with the -Full or -Examples switch.
Runbook: New-EventCollectionRule
```powershell
Workflow New-EventCollectionRule
{
    Param(
        [Parameter(Mandatory=$true)][String]$RuleName,
        [Parameter(Mandatory=$true)][String]$RuleDisplayName,
        [Parameter(Mandatory=$true)][String]$EventLog,
        [Parameter(Mandatory=$true)][String]$Publisher,
        [Parameter(Mandatory=$false)][Int]$EventID,
        [Parameter(Mandatory=$true)][String]$ClassName,
        [Parameter(Mandatory=$true)][Boolean]$RuleDisabled
    )

    #Get OpsMgrSDK connection object
    $OpsMgrSDKConn = Get-AutomationConnection -Name "OpsMgrSDK_HOME"

    #Hard code which MP to use
    $MPName = "TYANG.Test.Windows.Monitoring"

    #Make sure MP exists
    Write-Verbose "Getting management pack '$MPName'"
    $MP = Get-OMManagementPack -SDKConnection $OpsMgrSDKConn -Name $MPName -ErrorAction SilentlyContinue
    If ($null -eq $MP)
    {
        #MP doesn't exist, create it
        Write-Verbose "Management pack '$MPName' does not exist. Creating now."
        $CreateMP = New-OMManagementPack -SDKConnection $OpsMgrSDKConn -Name $MPName -DisplayName "TYANG Test Windows Monitoring" -Version "1.0.0.0"
    }

    #Hard code frequency (900 seconds)
    $Frequency = 900

    #Create Event Collection Rule, MP Version will be increased by 0.0.0.1
    $RuleCreated = InlineScript
    {
        #Validate rule name. The pattern is anchored with \A and \z so the whole
        #name must match; without anchors, -notmatch accepts any name that merely
        #contains a valid substring.
        If ($USING:RuleName -notmatch "\A([a-zA-Z0-9]+\.)+[a-zA-Z0-9]+\z")
        {
            #Invalid rule name entered
            $ErrMsg = "Invalid rule name specified. Please make sure it only contains alphanumeric characters and only use '.' to separate words. i.e. 'Your.Company.Application.Log.EventID.1234.Collection.Rule'."
            Write-Error $ErrMsg
        } else {
            #Name is valid, creating the rule
            New-OMEventCollectionRule -SDKConnection $USING:OpsMgrSDKConn -MPName $USING:MPName -RuleName $USING:RuleName -RuleDisplayName $USING:RuleDisplayName -ClassName $USING:ClassName -EventLog $USING:EventLog -Publisher $USING:Publisher -EventID $USING:EventID -Disabled $USING:RuleDisabled -IncreaseMPVersion $true
        }
    }

    If ($RuleCreated)
    {
        Write-Output "Rule `"$RuleName`" created."
    } else {
        Write-Error "Unable to create rule `"$RuleName`"."
    }
}
```
I have hardcoded the following parameters in the runbook:
- SMA OpsMgr connection object name (which you will need to change to suit your environment)
- Frequency – 900 seconds
- (Unsealed) MP (where the rule is going to be saved to) – “TYANG.Test.Windows.Monitoring”
Additionally, this runbook first tries to retrieve the management pack from the management group. If the MP doesn't exist, it creates it first.
This runbook takes the following input parameters:
- ClassName – The name of the target monitoring class (i.e. Microsoft.Windows.Server.OperatingSystem)
- EventID – Optional. The Event ID to be collected by the rule
- EventLog – The name of the event log to be collected by the rule
- Publisher – The event publisher
- RuleDisabled – Boolean, whether the event collection rule should be disabled by default
- RuleDisplayName – Display name of the rule
- RuleName – The name of the rule
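The runbook's RuleName check depends on how the pattern is anchored: -match and -notmatch succeed on any matching substring, and `$` also matches just before a final newline. The following is an added example, not code from the original post, that compares three anchoring choices; Test-RuleName and the sample names are hypothetical and constructed for illustration.

```powershell
# Added example: compares anchoring choices for the runbook's rule-name pattern.
# Test-RuleName and all sample names are constructed for illustration.

$Patterns = [ordered]@{
    Unanchored  = '([a-zA-Z0-9]+\.)+[a-zA-Z0-9]+'       # may match a substring only
    CaretDollar = '^([a-zA-Z0-9]+\.)+[a-zA-Z0-9]+$'     # $ tolerates one trailing newline
    Strict      = '\A([a-zA-Z0-9]+\.)+[a-zA-Z0-9]+\z'   # entire string, nothing else
}

function Test-RuleName {
    Param(
        [Parameter(Mandatory=$true)][AllowEmptyString()][String]$Name,
        [Parameter(Mandatory=$true)][String]$Pattern
    )
    # -match returns $true as soon as the pattern matches anywhere in $Name,
    # so only the anchors in $Pattern force a whole-string comparison.
    return ($Name -match $Pattern)
}

# Constructed sample inputs
$Samples = @(
    'Contoso.App.Log.EventID.1234.Collection.Rule',  # dotted alphanumeric words
    'Contoso App.Log.Rule',                          # contains a space
    'Contoso.App.Rule (copy)',                       # trailing punctuation
    "Contoso.App.Rule`n",                            # trailing newline from pasted input
    'ContosoRule'                                    # no '.' separator
)

$Results = foreach ($Name in $Samples) {
    # Show the newline visibly in the output table
    $Row = [ordered]@{ Name = ($Name -replace "`n", '\n') }
    foreach ($Key in $Patterns.Keys) {
        $Row[$Key] = Test-RuleName -Name $Name -Pattern $Patterns[$Key]
    }
    [PSCustomObject]$Row
}

# One row per sample, one Boolean column per pattern
$Results | Format-Table -AutoSize
```

Only the Strict column reflects the rule stated in the runbook's error message (alphanumeric words separated by '.').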
Runbook Execution Result:
Viewing the rule properties in OpsMgr operations console:
What if I don’t want to use SMA or Azure Automation?
Like I mentioned before, you don’t have to if you don’t want to. You can simply modify the runbook demonstrated above to run in a standalone PowerShell console by changing the PowerShell workflow to pass the OpsMgr management server name to the OpsMgrExtended functions (instead of SMA connection objects):
After updating the script (which contains the PS Workflow), first run the workflow in PowerShell, then call / execute the workflow:
Load the workflow:
Execute the workflow:
Conclusion
In this post, I have demonstrated how to create an event collection rule using OpsMgrExtended module, with and without automation engines such as SMA and Azure Automation. I will demonstrate how to create a 2-state event monitor in the next post of the Automating OpsMgr series. Until next time, happy automating!