Walkthrough: Creating a Custom Alert

This walkthrough demonstrates how to use XML to create a custom alert that adds alert information to reports and enables users to receive e-mail notifications when the specified event occurs. The custom alert will provide information about a specific event that has occurred, which will enable a system administrator to quickly correct a problem. For this walkthrough, the Windows Firewall will represent the application that will be monitored. This walkthrough illustrates the following tasks:

  • Creating a custom alert using XML.

  • Deploying the custom alert.

Prerequisites

This walkthrough assumes that you have a basic understanding of XML and Event Viewer. For more information about using XML, see “XML Overviews” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=120543). For more information about using Event Viewer, see “Event Viewer” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=120544).

To uniquely identify a custom alert, you must assign a GUID to the alert.

To acquire a GUID

  1. Click Start, click All Programs, and then expand Windows PowerShell 1.0.

  2. Click Windows PowerShell.

  3. In the command-prompt window for Windows PowerShell, type the following command:

    [System.Guid]::NewGuid().ToString()

  4. Record the GUID that is returned. You will need it later in this document.

Note

You do not need to download Windows PowerShell because it is provided with Windows® Small Business Server 2008.

To associate an event with your custom alert, you need to use Event Viewer to obtain information about the event.

To obtain information about an event

  1. Click Start, point to Administrative Tools, and then click Event Viewer.

  2. Locate the event log where the event is recorded. For this example, expand Windows Logs, and then click Security.

    Note

    You must stop the Windows Firewall service to see the event that is used in this example.

  3. In the events pane, select the event that you want to associate with the custom alert. For this example, select the event with an ID of 5025. The event ID will be used later in this document.

  4. Click the Details tab, click Friendly View, and then expand System. Record the information for the Provider Name and Channel, which will be used later in this document.

Creating a Custom Alert

In this section, an .xml file is created that contains the elements and attributes to represent a custom alert. The custom alert will provide event information to the reports and e-mail notifications in the Windows SBS Console.

To define the ID, title, and application source attributes of the custom alert

  1. Open Notepad.

  2. Add the following XML data to the new file to define the ID, name, and application for the custom alert.

    <?xml version="1.0" encoding="utf-8" ?>
    <AlertDefinitions>
      <AlertDefinition ID="38C4B89D-6A30-41EA-8FCC-C485AAD3C01C" 
                       Default="1" 
                       Title="Custom Windows Firewall Add-in" 
                       Source="Windows Firewall Service">
      </AlertDefinition>
    </AlertDefinitions>
    

    The following table lists the attributes that are used with an AlertDefinition Element.

    Attribute    Description

    ID           Defines the GUID that uniquely identifies the custom alert. Use the GUID that you obtained earlier in this document.

    Default      Defines whether the custom alert will be enabled and whether it will be included in the list of alerts that will be restored when Restore Defaults is clicked in the Notifications Settings dialog box.

    Title        Defines the name that will be displayed for the alert in the Windows SBS Console.

    Source       Defines the application that the alert is monitoring. For this example, the Windows Firewall service is used as the application to monitor.

    Note

    You can add multiple AlertDefinition elements to an AlertDefinitions Element to define multiple custom alerts.

To define the event parameters for the custom alert

  1. The Parameters Element is added to the AlertDefinition element to define the event parameters for the custom alert. The parameters are used by the custom alert to obtain the appropriate event from the specified event log. Add the following XML data to the file to specify the event parameters for the custom alert.

    <Parameters>
      <Path>Security</Path>
      <Provider>Microsoft-Windows-Security-Auditing</Provider>
      <SetEventID>5025</SetEventID>
      <ClearEventID>5024</ClearEventID>
    </Parameters>
    

    The following table lists the elements that are used to define the event parameters.

    Element                 Description

    Path Element            Specifies the name of the event log where the event will be recorded. The value that is used for this element is the Channel value that you obtained earlier in this document.

    Provider Element        Specifies the name of the provider that wrote the event to the event log. The value that is used for this element is the Provider Name value that you obtained earlier in this document.

    SetEventID Element      Specifies the ID number of the event that triggers the alert.

    ClearEventID Element    This is an optional element that specifies the ID number of the event that clears the alert. If this element is not defined, the alert will be cleared after 30 minutes. If this element is defined, the alert will not be automatically cleared after the timeout period; it will be cleared only if the specified event occurs. For this example, event ID 5024 is used, which is the event that is logged when the Windows Firewall service is started.

  2. Save the .xml file.

The following example shows the complete XML data that is used in this walkthrough to define a custom alert.

<?xml version="1.0" encoding="utf-8" ?>
<AlertDefinitions>
  <AlertDefinition ID="38C4B89D-6A30-41EA-8FCC-C485AAD3C01C" 
                   Default="1" 
                   Title="Custom Windows Firewall Add-in" 
                   Source="Windows Firewall Service">
    <Parameters>
      <Path>Security</Path>
      <Provider>Microsoft-Windows-Security-Auditing</Provider>
      <SetEventID>5025</SetEventID>
      <ClearEventID>5024</ClearEventID>
    </Parameters>
  </AlertDefinition>
</AlertDefinitions>
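
The following script is an added example and is not part of the original walkthrough. It checks an alert definition file against the attribute and element descriptions above, and then uses wevtutil to confirm that the set and clear events are actually recorded in the specified event log. The file name FirewallAlert.xml and the function names are assumptions, and the check that ClearEventID differs from SetEventID is an added sanity check.

```powershell
# Added example (not from the walkthrough). Written for Windows PowerShell 1.0, so it
# avoids Get-WinEvent and -join. Reading the Security log needs an elevated prompt.
param([string]$File = ".\FirewallAlert.xml")   # hypothetical file name
$SampleGuid = "38C4B89D-6A30-41EA-8FCC-C485AAD3C01C"   # GUID printed in the walkthrough
$GuidRegex  = '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'

function Get-Text($node, $name) {   # trimmed text of a child element, "" if absent
    $n = $node.SelectSingleNode($name)
    if ($null -ne $n) { $n.InnerText.Trim() } else { "" }
}

function Test-EventId($text) {   # event IDs are 16-bit unsigned integers
    $v = 0
    [int]::TryParse($text, [ref]$v) -and $v -ge 0 -and $v -le 65535
}

function Test-AlertDefinition($def) {   # returns a list of problems, empty when clean
    $problems = @()
    $id = $def.GetAttribute("ID")
    if ($id -notmatch $GuidRegex) { $problems += "ID '$id' is not a GUID" }
    if ($id -eq $SampleGuid) { $problems += "ID is the walkthrough's sample GUID; generate your own" }
    foreach ($a in "Default", "Title", "Source") { if (-not $def.GetAttribute($a)) { $problems += "attribute $a is missing or empty" } }
    $p = $def.SelectSingleNode("Parameters")
    if ($null -eq $p) { return $problems + "Parameters element is missing" }
    foreach ($e in "Path", "Provider") { if (-not (Get-Text $p $e)) { $problems += "$e is missing or empty" } }
    $set = Get-Text $p "SetEventID"; $clear = Get-Text $p "ClearEventID"
    if (-not (Test-EventId $set)) { $problems += "SetEventID '$set' is not a valid event ID" }
    if ($clear -and -not (Test-EventId $clear)) { $problems += "ClearEventID '$clear' is not a valid event ID" }
    if ($clear -and $clear -eq $set) { $problems += "ClearEventID equals SetEventID" }
    $problems
}

function Get-AlertEventQuery($p) {   # XPath for the set event and, if defined, the clear event
    $ids = @("EventID=" + (Get-Text $p "SetEventID"))
    $clear = Get-Text $p "ClearEventID"
    if ($clear) { $ids += "EventID=$clear" }
    "*[System[Provider[@Name='" + (Get-Text $p "Provider") + "'] and (" + [string]::Join(" or ", $ids) + ")]]"
}

$doc = [xml](Get-Content $File)
foreach ($def in $doc.SelectNodes("/AlertDefinitions/AlertDefinition")) {
    $problems = @(Test-AlertDefinition $def)
    if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; continue }
    $p = $def.SelectSingleNode("Parameters")
    # List the three newest matching events to confirm the log really records these IDs.
    wevtutil qe (Get-Text $p "Path") "/q:$(Get-AlertEventQuery $p)" /c:3 /rd:true /f:text
}
```

If wevtutil returns no events for a definition that passes the checks, the Path, Provider, or event ID values do not match what Event Viewer shows, and the alert will not trigger.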

Deploying the Custom Alert

In this section, you will place the .xml file that you previously created in the directory where the Windows SBS Console can locate it, and you will verify that the custom alert is functioning correctly.

To deploy the custom alert

  1. Copy the .xml file that was created earlier in this document to the %programfiles%\Windows Small Business Server\Data\Monitoring\ExternalAlerts directory on the computer that is running the Windows SBS 2008 operating system.

  2. Restart the Windows SBS Manager service.

    To restart the Windows SBS Manager service

    1. Click Start, point to Administrative Tools, and then click Services.

    2. Right-click the Windows SBS Manager service, and then click Restart.

  3. To trigger the alert, stop the Windows Firewall service.

    Note

    You might need to wait up to 30 minutes for the alert to be displayed in the Windows SBS Console. The Windows SBS Console polls for new events every 30 minutes.

  4. To view the new alert, click the Network tab, click the Computers tab, click the server, and then click the View computer alerts task.

    You can also see information about alerts by generating a report.

See Also

Concepts

Custom Alert XML Schema Reference