Two-State Event Detection

This fragment demonstrates how you can use one of the built-in, two-state Windows event modules to compose a unit monitor. It is the next example in the VSAE Fragment category; the XML fragment below should work as described if you have been following the series.

Module Type used in this post: Microsoft.Windows.2SingleEventLog2StateMonitorType

Scenario

Change state to critical and raise a critical alert when event ID 101 from source TEST with event level Error is detected in the Application log. Resolve the alert when the same event is detected with event level Information.

A note about event level:

1 = Error

4 = Information

 

<ManagementPackFragment SchemaVersion="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <!--
    Two-state event monitor built on the stock Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType.
    The monitor type itself supplies the two event-log data sources; this fragment only configures
    them (First* = unhealthy trigger, Second* = healthy trigger) and maps their outputs to health states.
  -->
  <Monitoring>
    <Monitors>
      <!--
        Targets SCOMskills.Demo.ApplicationComponent.Class and rolls up under the Availability aggregate.
        Remotable="false": the workflow runs on the agent that hosts the target (the same machine whose
        Application log is read below). ConfirmDelivery="false": event delivery is not acknowledged back
        to the source.
      -->
      <UnitMonitor ID="SCOMskills.Demo.Event101.2State" Accessibility="Public" ConfirmDelivery="false" Enabled="true" ParentMonitorID="Health!System.Health.AvailabilityState" Priority="Normal" Remotable="false" Target="SCOMskills.Demo.ApplicationComponent.Class" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType">
        <Category>AvailabilityHealth</Category>
        <!--
          An Error-severity alert is raised when the monitor enters its Error state and is closed
          automatically (AutoResolve) when it returns to Success. AlertParameter1 feeds the {0}
          placeholder of the alert message's Description string in the language pack below.
        -->
        <AlertSettings AlertMessage="SCOMskills.Demo.Event101.2State.AlertMessage">
          <AlertOnState>Error</AlertOnState>
          <AutoResolve>true</AutoResolve>
          <AlertPriority>Normal</AlertPriority>
          <AlertSeverity>Error</AlertSeverity>
          <AlertParameters>
            <!-- Event description text of the triggering event, surfaced as alert parameter {0}. -->
            <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
          </AlertParameters>
        </AlertSettings>
        <!--
          Maps the monitor type's two output states to health states:
          FirstEventRaised (FirstExpression matched)  -> Error   (Unhealthy)
          SecondEventRaised (SecondExpression matched) -> Success (Healthy)
        -->
        <OperationalStates>
          <OperationalState ID="Unhealthy" HealthState="Error" MonitorTypeStateID="FirstEventRaised"/>
          <OperationalState ID="Healthy" HealthState="Success" MonitorTypeStateID="SecondEventRaised"/>
        </OperationalStates>
        <Configuration>
          <!--
            First data source: the unhealthy trigger. Reads the Application log of the computer that
            hosts the target (resolved via the Host/Host relationship to Microsoft.Windows.Computer).
            NOTE(review): the state change is driven purely by a source/ID/level match in the Application
            log; any process that can write an event with that source name to this log can flip the
            monitor (and, via SecondExpression, auto-resolve the alert). Confirm the TEST source is one
            that only the monitored application writes, and verify against the log before relying on it.
          -->
          <FirstComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
          <FirstLogName>Application</FirstLogName>
          <!-- Source = TEST AND Event ID = 101 AND EventLevel = 1 (Error, per the post's level table). -->
          <FirstExpression>
            <And>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventSourceName</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>TEST</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <!-- No Type attribute on XPathQuery/Value here; presumably compared as text, which is adequate for Equal. -->
                  <ValueExpression>
                    <Value>101</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventLevel</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>1</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
            </And>
          </FirstExpression>
          <!--
            Second data source: the healthy trigger. Same computer, log, source and event ID as the first;
            only the level differs (4 = Information, per the post's level table).
          -->
          <SecondComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
          <SecondLogName>Application</SecondLogName>
          <!-- Source = TEST AND Event ID = 101 AND EventLevel = 4 (Information). -->
          <SecondExpression>
            <And>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventSourceName</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>TEST</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>101</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventLevel</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>4</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
            </And>
          </SecondExpression>
        </Configuration>
      </UnitMonitor>
    </Monitors>
  </Monitoring>
  <!-- Declares the alert message resource referenced by AlertSettings/@AlertMessage above. -->
  <Presentation>
    <StringResources>
      <StringResource ID="SCOMskills.Demo.Event101.2State.AlertMessage"/>
    </StringResources>
  </Presentation>
  <!-- English display strings for the monitor, its alert message, and the two operational states. -->
  <LanguagePacks>
    <LanguagePack ID="ENU" IsDefault="true">
      <DisplayStrings>
        <DisplayString ElementID="SCOMskills.Demo.Event101.2State">
          <Name>Event 101 Monitor</Name>
          <Description>Detect event Id 101. Raise alert if error, resolve alert if informational.</Description>
        </DisplayString>
        <!-- {0} is replaced with AlertParameter1 (the event description) when the alert is generated. -->
        <DisplayString ElementID="SCOMskills.Demo.Event101.2State.AlertMessage">
          <Name>Detected Event Id 101</Name>
          <Description>{0}</Description>
        </DisplayString>
        <!-- SubElementID values match the OperationalState IDs declared on the monitor. -->
        <DisplayString ElementID="SCOMskills.Demo.Event101.2State" SubElementID="Healthy">
          <Name>Healthy</Name>
        </DisplayString>
        <DisplayString ElementID="SCOMskills.Demo.Event101.2State" SubElementID="Unhealthy">
          <Name>Unhealthy</Name>
        </DisplayString>
      </DisplayStrings>
    </LanguagePack>
  </LanguagePacks>
</ManagementPackFragment>

 
 