Friday, October 12, 2012

SBS2011 Cleaning up Event Logs of False Alerts


Credit: Damian Leibaschoff and Justin Crosby

http://blogs.technet.com/b/sbs/archive/2012/01/16/managing-event-alerts-in-your-reports-an-sbs-monitoring-feature-enhancement.aspx

http://support.microsoft.com/kb/2483007

This process is actually quite easy to complete and will reduce the “what do you mean the error is normal” conversations with clients.

Installation and Usage

  1. Download and extract the SBSAlertsCleanup package, which is hosted on the SBS Support Team’s SkyDrive. Kevin’s note: after extracting, copy the files to, or rename the folder to, a shorter path with no spaces; this makes changing into the directory in PowerShell easier in the later steps.
  2. Open the location of the extracted files and then the properties of SBSAlertsCleanup.ps1 file.
  3. Unblock the file if the option is shown. Note: you do not need to do this to the .sql files.
  4. Launch an elevated PowerShell prompt.
  5. From PowerShell, browse to the folder where you extracted the files.
  6. From PowerShell, run:
    .\SBSAlertsCleanup.ps1 -Action install   (press Enter)

You will see “Changed database context to ‘SBSMonitoring’.”

Listing current Exclusions

.\SBSAlertsCleanup.ps1 -Action ListExclusions

ID Event Source
-- ----- ------
 1   129 WinRM
 2   142 WinRM
 3  4107 Microsoft-Windows-CAPI2
 4 10016 DCOM
 5 10009 DCOM
 6  5586 SharePoint Foundation
 7  6772 SharePoint Foundation
 8  6398 SharePoint Foundation
 9     8 MSExchange CmdletLogs
10     6 MSExchange CmdletLogs

Removing an Exclusion

This is a two-part process: first list the current exclusions, then pick the ID of the one to remove.

.\SBSAlertsCleanup.ps1 -Action ListExclusions

ID Event Source
-- ----- ------
 1   129 WinRM
 2   142 WinRM
 3  4107 Microsoft-Windows-CAPI2
 4 10016 DCOM
 5 10009 DCOM
 6  5586 SharePoint Foundation
 7  6772 SharePoint Foundation
 8  6398 SharePoint Foundation
 9     8 MSExchange CmdletLogs
10     6 MSExchange CmdletLogs

.\SBSAlertsCleanup.ps1 -Action RemoveExclusion -ID 1
Removing Exclusion for Source: WinRM, EventID: 129

To confirm:

.\SBSAlertsCleanup.ps1 -Action ListExclusions

ID Event Source
-- ----- ------
 2   142 WinRM
 3  4107 Microsoft-Windows-CAPI2
 4 10016 DCOM
 5 10009 DCOM
 6  5586 SharePoint Foundation
 7  6772 SharePoint Foundation
 8  6398 SharePoint Foundation
 9     8 MSExchange CmdletLogs
10     6 MSExchange CmdletLogs

Adding an Exclusion

This is a two-part process: first list the instances of events that have already been collected, then pick the ID of the one to exclude.

.\SBSAlertsCleanup.ps1 -Action ListEvents

    ID Event Source
    -- ----- ------
346141    11 Disk
349778    13 Server Infrastructure Licensing
349779    14 Server Infrastructure Licensing
349781    15 Server Infrastructure Licensing
349552    25 WindowsUpdateClient
349832    54 MSExchange OWA
349827   135 WinRM
349795   502 Windows Small Business Server 2011 Standard
349809  1000 Application Error
343153  1016 DhcpServer
342822  2002 ESENT
348341  2007 ESE
342823  2007 ESENT

Let’s say that the administrator has been receiving several events for WindowsUpdateClient 25 on a regular basis. The admin has investigated this event, determined that it is not a cause for concern on their network, and no longer wants to be notified about it. The admin can do the following to exclude this event from the report:

.\SBSAlertsCleanup.ps1 -Action AddExclusion -ID 349552
Adding Exclusion for Source: WindowsUpdateClient, EventID: 25

To confirm:

.\SBSAlertsCleanup.ps1 -Action ListExclusions

ID Event Source
-- ----- ------
 2   142 WinRM
 3  4107 Microsoft-Windows-CAPI2
 4 10016 DCOM
 5 10009 DCOM
 6  5586 SharePoint Foundation
 7  6772 SharePoint Foundation
 8  6398 SharePoint Foundation
 9     8 MSExchange CmdletLogs
10     6 MSExchange CmdletLogs
11    25 WindowsUpdateClient

Uninstalling

After an exclusion is removed, or the tool is uninstalled, collection of all events resumes. An event that was previously excluded is collected, and appears on the report, only once it occurs again.

.\SBSAlertsCleanup.ps1 -Action Uninstall

Default set of exclusions

We install a set of common exclusions for known events that are generally considered ignorable. This may not be the case for every server, so you might have to tweak the list of exclusions, removing and adding as needed, so that your reports show the relevant errors that someone administering the health of the server would want to see.

SBS 2008

  • 10016 DCOM
  • 10009 DCOM

SBS 2011 Standard

  • 129 WinRM
  • 142 WinRM
  • 4107 Microsoft-Windows-CAPI2
  • 10016 DCOM
  • 10009 DCOM
  • 5586 SharePoint Foundation
  • 6772 SharePoint Foundation
  • 6398 SharePoint Foundation
  • 8 MSExchange CmdletLogs
  • 6 MSExchange CmdletLogs
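Because every exclusion silently drops an event from the report, it is worth checking from time to time that the excluded sources still behave the way they did when you decided to ignore them. The audit script below is an added example, not part of the SBSAlertsCleanup package; it assumes the SBS 2011 Standard default list above, a constructed review threshold of 50 hits, and that the short source names the tool stores are substrings of the provider names Get-WinEvent reports (adjust the Source strings if they are not).

```powershell
param(
    [int]$Days = 7,             # look-back window in days
    [int]$ReviewThreshold = 50  # assumed cut-off: more hits than this gets flagged
)

# SBS 2011 Standard default exclusions from this post; edit to match
# .\SBSAlertsCleanup.ps1 -Action ListExclusions on your server.
$Exclusions = @(
    @{ Source = 'WinRM';                   EventId = 129   },
    @{ Source = 'WinRM';                   EventId = 142   },
    @{ Source = 'Microsoft-Windows-CAPI2'; EventId = 4107  },
    @{ Source = 'DCOM';                    EventId = 10016 },
    @{ Source = 'DCOM';                    EventId = 10009 },
    @{ Source = 'SharePoint Foundation';   EventId = 5586  },
    @{ Source = 'SharePoint Foundation';   EventId = 6772  },
    @{ Source = 'SharePoint Foundation';   EventId = 6398  },
    @{ Source = 'MSExchange CmdletLogs';   EventId = 8     },
    @{ Source = 'MSExchange CmdletLogs';   EventId = 6     }
)

$since = (Get-Date).AddDays(-$Days)

foreach ($ex in $Exclusions) {
    $hits = @()
    foreach ($log in 'Application', 'System') {
        # Filter on log, ID and time in the event log itself. Get-WinEvent emits a
        # non-terminating error when nothing matches, hence SilentlyContinue.
        $found = Get-WinEvent -FilterHashtable @{
            LogName = $log; Id = $ex.EventId; StartTime = $since
        } -ErrorAction SilentlyContinue
        # Assumption: the short source name the monitoring DB stores (e.g. "WinRM")
        # is a substring of the provider name the event log reports; adjust the
        # Source strings above if Get-WinEvent shows a different name.
        $hits += @($found | Where-Object { $_.ProviderName -like "*$($ex.Source)*" })
    }
    $lastSeen = $null
    if ($hits.Count -gt 0) {
        $lastSeen = @($hits | Sort-Object TimeCreated -Descending)[0].TimeCreated
    }
    $status = 'ok'
    if ($hits.Count -gt $ReviewThreshold) { $status = 'REVIEW' }
    # One row per exclusion; pipe the script's output to Format-Table or Export-Csv.
    New-Object PSObject -Property @{
        Source = $ex.Source; EventId = $ex.EventId; Hits = $hits.Count
        LastSeen = $lastSeen; Status = $status
    }
}
```

Rows marked REVIEW are candidates for a second look with the RemoveExclusion action above, since a source that suddenly fires far more often than when it was excluded may no longer be the benign noise it was taken for.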
