Alerts and State
One area that causes confusion is alerts and how they are displayed. In 2007 the product moved towards health monitoring, so the Computers view (the State view in 2005), driven by monitors, is the way forward. But a number of management packs (MPs) still have rules.
A rule is simple. It looks for a particular event, a performance counter threshold, WMI, etc., and creates an alert. This alert gets updated with the repeat count. If it is being generated by a script running every 5 minutes, then the repeat count will increment every 5 minutes. If the repeat count stops incrementing, it is a good sign, but not an infallible one, that the problem has stopped. An alert from a rule ONLY shows in the Active Alerts view and NOT in the Computers view. This is different from MOM 2005, where the State view also had a column for alerts generated by rules. Rule alerts must be closed by an operator. They do not auto resolve.
A monitor can be 2 state (green – red or amber) or 3 state (green – amber – red). Unlike a rule, a monitor knows when the problem has gone away and will auto resolve the alert in the Active Alerts view and return the appropriate component to green in the Computers view.
One issue is that the creator of the monitor does not have to choose to create an alert; it is an option. Also, the alert created by the monitor will never increment. It is a one-off alert even though the problem may be continually happening. The Repeat Count was a useful indicator of what was happening in MOM 2005. The big problem is that if the agent misses the event that turns it back to green, it still thinks it is in the red state and will not change back. People think that the Reset button in Health Explorer will clear it back to green, but it does not.
In the Active Alerts view, when you highlight an alert you get the description box at the bottom. The rule or monitor that created the alert is shown, and it will say either Rule Alert or Monitor Alert, so you know whether it should auto resolve or whether you need to resolve it.
A rule will only create alerts and will not affect the Computers view.
A monitor will update the Computers view and may or may not create an alert in the Active Alerts view.
An alert created by a rule needs to be manually resolved.
An alert created by a monitor will auto resolve.
So you can have alerts in the Alert View but the State View is all green. Likewise you can have red components in the State view without any alerts in the Alert View. Which is bizarre. There is no single view in 2007 (unlike 2005) in which you can see the total state of the computers. You can create a dashboard view with both views in it, but I find that unsatisfactory.
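The rule/monitor split described above can be pulled out of the open alerts from the Operations Manager 2007 Command Shell. This is an added example, not the author's or the product group's code; the 30-minute threshold is a hypothetical value, and it assumes that `LastModified` is a UTC timestamp that moves each time the repeat count increments.

```powershell
# Added example: run inside the Operations Manager 2007 Command Shell,
# which loads the OpsMgr snap-in and connects to the management group.

# Hypothetical threshold: a rule alert that has not been touched for this
# long has probably stopped recurring (a good sign, but not infallible).
$quietAfter = New-TimeSpan -Minutes 30

# ResolutionState 0 = New, i.e. still open in the Active Alerts view.
$open = @(Get-Alert -Criteria 'ResolutionState = 0')

# Monitor alerts auto resolve when the monitor returns to green.
$monitorAlerts = @($open | Where-Object { $_.IsMonitorAlert })

# Rule alerts never touch the Computers view and stay open until an
# operator closes them.
$ruleAlerts = @($open | Where-Object { -not $_.IsMonitorAlert })

"Open monitor alerts (auto resolve): {0}" -f $monitorAlerts.Count
"Open rule alerts (manual close):    {0}" -f $ruleAlerts.Count

# Assumption: LastModified is stored in UTC and is updated whenever the
# repeat count increments, so an old value means the rule has gone quiet.
$now = (Get-Date).ToUniversalTime()

# Noisiest rule alerts first; Quiet = True marks candidates for an
# operator to review and close by hand.
$ruleAlerts |
    Sort-Object RepeatCount -Descending |
    Select-Object MonitoringObjectDisplayName, Name, RepeatCount, LastModified,
        @{ Name = 'Quiet'; Expression = { ($now - $_.LastModified) -gt $quietAfter } } |
    Format-Table -AutoSize
```

The listing only covers alerts, so a monitor that was created without an alert and is stuck in red will still only show up in the Computers view.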
For the Product Group
What I would like to see is the ability to have a column in the Computers view that is the roll-up of all rule alerts so that there is one view to see everything.
- Posted in: System Center Operations Manager 2007