SCOM: AD MP – Journal Wrap error on SYSVOL Rule

We realized in our SCOM 2012 SP1 environment that the rule “Journal Wrap error on SYSVOL” of the Active Directory Management Pack was not detecting correctly.

I have checked the rule A_journal_wrap_error_has_occurred_on_the_Sysvol_5_Rule in the Microsoft.Windows.Server.AD.2008.Monitoring.xml (Version 6.0.8228.0).

It looked ok, the only thing which could be a problem is the Description search. It uses this expression:


<SimpleExpression>
<ValueExpression>
<XPathQuery>Params/Param[1]</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>DOMAIN SYSTEM VOLUME (SYSVOL SHARE)</Value>
</ValueExpression>
</SimpleExpression>

I disabled the rule and created a new one with this Description search:

<RegExExpression>
<ValueExpression>
<XPathQuery Type=”String”>EventDescription</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>DOMAIN SYSTEM VOLUME (SYSVOL SHARE)</Pattern>
</RegExExpression>

Now the event was detected correctly and an alert was created.

So if you recognize the same problem, then I suggest to also create a new custom management pack with this rule and disable the original rule.

You can download my sample MP here.

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: