When is an event source not the right source?

Let's face it, if you have been an Operations Manager admin for longer than a few months you have made your fair share of event-related alerting rules. The monotony of creating another batch of said rules started to creep in on me yesterday when something very unusual happened: one of them did not work. I was asked to create a rule to alert on the following event in Event Viewer. The screenshot is from my lab system.


The specifics of this System log event are in the screenshot above. Needless to say, this is an important event to look for. So I am looking at the System log for Event ID 1020 with a source of DHCP-Server. To dispense with the issue post haste, I create the rule in the OpsMgr Authoring tab so that management will be happy the problem is taken care of, and I can go back later and create the rule using the normal authoring tools so I can see a nice rule name and not the ugly GUID name that the console makes.

It seems that this event is created every hour by the DHCP service. I am not sure why every hour, but it is what it is, so I create the rule and continue working on other issues until the hour passes. The event is written, but no alert is generated. How odd; the other three rules I had just made before that one had worked flawlessly, so what's going on? I get a dump of the rules that are running on the DHCP server to make sure the rule made it to the server, and it is there. The next thing I check is that everything in the rule is correct: the Event ID number is 1020, the Source is DHCP-Server. Everything looks good. Perhaps the agent was taking a nap, so I have the agent restarted and the agent cache cleared to make sure that everything is loaded and good to go for the next hour. The next hour, same results. Now it's officially lab time, to see what the hell is going on.

Cutting to the chase: I recreated the rule in the lab and repeated the same steps above until I finally looked at the event more closely. I copied the text of the event from Event Viewer and pasted it into Notepad so I could get a better look at what is truly in the event. Right after I hit paste, I noticed that something looked very different about the source name.

The source DHCP-Server shown in Event Viewer does not equal Microsoft-Windows-DHCP-Server, which is what is actually in the event log details. The rule has to match the name stored in the event, not the friendlier name the viewer displays.
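Before writing an event rule, it is worth checking the provider name the event actually carries rather than trusting the Source column. The following PowerShell is an added example, not code from the original post: it reads the stored provider name from the event XML and shows that a filter written with the displayed name returns nothing while a filter written with the stored name returns the events. The log name, Event ID and the two source names are the ones from this post; the function name and the `$RuleSource` variable are my own.

```powershell
# Added example (not from the original post): find the provider name an event really
# carries so an OpsMgr event rule can be written against it.
function Get-StoredEventSource {
    param(
        [string]$LogName    = 'System',   # values from the post
        [int]   $EventId    = 1020,
        [string]$RuleSource = 'DHCP-Server'   # the source the non-working rule used
    )

    # Pull a few recent events with this ID. -FilterHashtable filters on the stored
    # provider name, which is exactly what the rule has to match.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
                           -MaxEvents 5 -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No events with ID $EventId in the $LogName log yet; wait for the next hourly write."
        return
    }

    foreach ($e in $events) {
        # The XML view holds <Provider Name="..."/>; that attribute is the real source.
        $xml    = [xml]$e.ToXml()
        $stored = $xml.Event.System.Provider.Name

        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            RuleSource     = $RuleSource
            StoredProvider = $stored
            RuleWouldMatch = ($stored -eq $RuleSource)
        }
    }

    # Reproduce the symptom: filtering by the displayed name finds nothing,
    # filtering by the stored name finds the events.
    $byRule   = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId; ProviderName = $RuleSource } `
                             -ErrorAction SilentlyContinue
    $byStored = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId; ProviderName = $events[0].ProviderName } `
                             -ErrorAction SilentlyContinue
    Write-Host ("Matches using '{0}': {1}" -f $RuleSource, @($byRule).Count)
    Write-Host ("Matches using '{0}': {1}" -f $events[0].ProviderName, @($byStored).Count)
}

# Run on the DHCP server (or any box that writes the event).
Get-StoredEventSource -LogName 'System' -EventId 1020 -RuleSource 'DHCP-Server' | Format-Table -AutoSize

# To see every registered provider whose name contains DHCP, which is another quick
# way to spot the Microsoft-Windows- prefix before authoring the rule:
Get-WinEvent -ListProvider '*DHCP*' | Select-Object Name
```

Run it on a machine that writes the event. In the table, `RuleWouldMatch` is false for a rule authored with DHCP-Server and the two match counts show the same filter succeeding only with the stored provider name; that stored value (Microsoft-Windows-DHCP-Server in the post's case) is what goes into the rule's source field.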

I changed the rule to use Microsoft-Windows-DHCP-Server as the source, and the next hour, when the event fired, the alert showed up in the console. The intention of this post is to help save others the same time.