Retrieving All Rules and Alerts in SCOM 2012 With Specific Alert Properties

Recently I had need to find all of the rules and monitors in my SCOM 2012 installation that generated alerts with a High priority and a Critical severity. We use this combination of priority and severity alerts to create our most serious tickets, so I needed to quickly review which rules and monitors in our management packs would create alerts like this out of the box so I could override them as needed.

The first thing I looked at was rules. The easiest brute-force way to find rules that generate alerts was just to search the WriteActionCollection configuration for the <Priority> and <Severity> tags and values themselves. If they aren't there, then the rule doesn't generate an alert. So that gave me a one-liner like so:

$alertingRules = Get-SCOMRule | where { $_.WriteActionCollection.Configuration -match "<Priority>2</Priority>" -and $_.WriteActionCollection.Configuration -match "<Severity>2</Severity>" }

Possible priority and severity values are 0, 1, and 2. These correspond to Low, Medium (which the SDK calls Normal), and High for priority, and Information, Warning, and Critical for severity.

And for monitors, it was simple enough to look at the AlertSettings property for each monitor. If it wasn't null, then I could check it for the properties I wanted:

$alertingMonitors = Get-SCOMMonitor | where { $_.AlertSettings -ne $null -and $_.AlertSettings.AlertPriority -match "High" -and $_.AlertSettings.AlertSeverity -match "Error"}

Note here that instead of searching for Critical, I had to look for Error. When searching in this way, your possible priorities are Low, Normal, and High, and your possible severities are Information, Warning, and Error. (I actually just had to create a test monitor to get that exactly right, because I have never seen a monitor in real life that uses an "Information" alert).

However, I actually left out one other possible severity for a monitor, and that's MatchMonitorHealth. If you have a monitor that could potentially go to a critical health state, then it's possible it will create a Critical-severity alert, so I had to look for that as well. To find that, I not only have to look into the AlertSettings, but I also have to iterate through the members of the OperationalStateCollection to see if any of them have Error as a possible health state.

Sadly I couldn't whittle this one down to a one-liner, but the only thing that hurts is my pride. Here's how I found monitors with High priority and whose potential health state could cause a Critical-severity alert:

$highmatchmonitors = Get-SCOMMonitor | where { $_.AlertSettings -ne $null -and $_.AlertSettings.AlertPriority -match "High" -and $_.AlertSettings.AlertSeverity -match "MatchMonitorHealth"}
$highcriticalmatchmonitors = @()
foreach ($monitor in $highmatchmonitors) {
     foreach ($operationalState in $monitor.OperationalStateCollection) {
          if ($operationalState.HealthState -match "Error") {
               $highcriticalmatchmonitors += $monitor
               break   # one Error state is enough; don't add the same monitor twice
          }
     }
}
All of this can be tweaked to find whatever severity and priority you're interested in seeing, and once you have these collections, it's simple enough to display them in your PowerShell window or export them to a CSV so you can look at them in Excel or whatever. In my case, I was able to review monitors and rules that might potentially create high-severity tickets and override their alert properties where we didn't feel we needed that kind of incident.
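Here is the whole procedure above (rules by WriteAction configuration, monitors by AlertSettings, and MatchMonitorHealth monitors by their operational states) pulled together into one script that emits a uniform object per hit and exports it to CSV. This is an added example, not code from the original post. It assumes the OperationsManager module is loaded and a management group connection exists; the function names Get-AlertingRule and Get-AlertingMonitor and the output file name are my own, and the call to GetManagementPack() on each rule and monitor is an assumption about the SDK objects the cmdlets return.

```powershell
# Added example, not from the original post. Assumes:
#   Import-Module OperationsManager
#   New-SCOMManagementGroupConnection -ComputerName <management server>
# Get-AlertingRule / Get-AlertingMonitor are names chosen here, not SCOM cmdlets.

# Numeric codes used inside a rule's WriteAction XML configuration.
$RulePriority = @{ Low = 0; Normal = 1; High = 2 }
$RuleSeverity = @{ Information = 0; Warning = 1; Error = 2 }

function Get-AlertingRule {
    param(
        [ValidateSet('Low', 'Normal', 'High')] [string]$Priority = 'High',
        [ValidateSet('Information', 'Warning', 'Error')] [string]$Severity = 'Error'
    )
    # Allow whitespace inside the tags; a literal "<Priority>2</Priority>"
    # string match would miss configuration that has been pretty-printed.
    $priRx = "<Priority>\s*$($RulePriority[$Priority])\s*</Priority>"
    $sevRx = "<Severity>\s*$($RuleSeverity[$Severity])\s*</Severity>"

    foreach ($rule in Get-SCOMRule) {
        # A rule can carry several write actions (alert, event, database),
        # so check each one instead of the flattened collection.
        foreach ($wa in $rule.WriteActionCollection) {
            $cfg = $wa.Configuration
            if ($cfg -match $priRx -and $cfg -match $sevRx) {
                [pscustomobject]@{
                    Kind           = 'Rule'
                    Name           = $rule.Name
                    DisplayName    = $rule.DisplayName
                    ManagementPack = $rule.GetManagementPack().Name   # assumption: SDK method
                    Enabled        = $rule.Enabled
                    Priority       = $Priority
                    Severity       = $Severity
                }
                break   # one matching write action is enough per rule
            }
        }
    }
}

function Get-AlertingMonitor {
    param(
        [ValidateSet('Low', 'Normal', 'High')] [string]$Priority = 'High',
        [ValidateSet('Warning', 'Error')] [string]$Severity = 'Error'
    )
    foreach ($monitor in Get-SCOMMonitor) {
        $as = $monitor.AlertSettings
        if ($null -eq $as) { continue }                      # monitor never alerts
        if ("$($as.AlertPriority)" -ne $Priority) { continue }

        $sev = "$($as.AlertSeverity)"
        $kind = $null
        if ($sev -eq $Severity) {
            $kind = 'Monitor'
        } elseif ($sev -eq 'MatchMonitorHealth') {
            # Severity follows the health state, so a monitor that can reach
            # the Error state can raise an Error (Critical) alert.
            foreach ($state in $monitor.OperationalStateCollection) {
                if ("$($state.HealthState)" -eq $Severity) {
                    $kind = 'Monitor (MatchMonitorHealth)'
                    break
                }
            }
        }
        if ($null -eq $kind) { continue }

        [pscustomobject]@{
            Kind           = $kind
            Name           = $monitor.Name
            DisplayName    = $monitor.DisplayName
            ManagementPack = $monitor.GetManagementPack().Name   # assumption: SDK method
            Enabled        = $monitor.Enabled
            Priority       = $Priority
            Severity       = $Severity
        }
    }
}

# Everything that would create a High priority / Critical severity alert out of the box.
$report = @(Get-AlertingRule -Priority High -Severity Error) +
          @(Get-AlertingMonitor -Priority High -Severity Error)

$report | Sort-Object Kind, ManagementPack, DisplayName |
    Export-Csv -Path .\HighCriticalAlertSources.csv -NoTypeInformation

"Found $($report.Count) rules and monitors to review"
```

The Kind column separates monitors whose severity is fixed at Error from those that only reach it through MatchMonitorHealth, which is useful when deciding whether to override the alert severity or the monitor's health-state mapping. The Enabled column is worth keeping too: a rule or monitor that ships disabled will only become a ticket source after someone enables it.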
