Rule v Simple Monitor
I have been asked to create a custom management pack for one customer but they only want a list of events turned into alerts. Immediately this suggested rules to me but it is distributed application which means that rules would not show up in the DA – only monitors do. My initial reaction was that I could not use monitors as they did not have a health model. That is they did not have an event that could be used to show that the application was now healthy. But there is a monitor that is very similar to a rule – The Manual Reset under Simple Event Detection.
I created a test alert just to see how it works. In creating the monitor it is very similar to the wizard for rule creation except you have to say what branch it goes under – Availability, Configuration, Performance or Security. I had it create an alert as that is optional on a monitor.
With a rule the event triggers an alert in the console. This alert needs to be closed manually. The rule will increment the repeat count every time the event is picked up by the rule. The rule does not affect the Computer (or state) view and does not show up in Health Explorer.
With a monitor an alert is also generated but this time it shows the state in the Computer view and can be seen in Health Explorer which means it would show up in a distributed application. Monitors do not increment the repeat count.
The difference is how you clear the alert. If you close the alert it removes the alert from the Alert view but that does not change the Computer view or Health Explorer view. What you need to do is open up Health Explorer and click Recalculate Health. This clears it from the Computer view and Health Explorer. If the alert is still in the console then clicking Recalculate Health will also close the alert. You can also use Reset Health but that is brute force and will change any monitor back to green (healthy).
So if you are looking to create simple event rules you may want to consider using the Manual Reset monitor as it will do a similar job but can be used in a distributed applications health. Make sure that the event really does make the DA unhealthy before including it. Also if you put it in the Availability branch it will affect the Availability report. The only thing to watch for is how you close the alerts. With a rule, close it in the Alert view. With a Manual Reset monitor open Health Explorer and do a Recalculate Health.
It would have been nice if the Product Group had made it consistent so that closing the alert also clears the health view so that there is only one method of closing alerts. Also it brings up the question of how do you know what type of monitor that has created an alert and whether it will auto resolve or needs manual intervention.