This is probably the most frequently asked question by new SCOM administrators once I mention that there IS a difference between an alert generated by a monitor and an alert generated by a rule. There are a few different ways to approach this explanation. I have attempted to dive right in with the technical and functional differences per most blog posts, but the reaction to this approach in my experience is a glazed look of frustration. What I have found to work best is to start with basic alert administration and work from there. On that note, let’s get started….
Rule number one…you should never manually close a an alert generated by a monitor! Yes, there are some exceptions like manual reset monitors, but they are increasingly the exception to this rule and in my opinion should be disabled across the board. As a beginner, rule number one is your friend!
High level, if you close an alert that is generated by a monitor, it will never alert again while the object being monitored remains in an unhealthy state. Higher level, you will break the monitor.
So…what’s the big deal?
Let’s use an example where the C: drive on computer1 has generated a critical alert with a MB free value of 700 MB. If I were to right-click the alert and select “close alert”, the alert would indeed close and disappear from the active alerts console view. Awesome. However, when this free space level reaches 400 MB or 200 MB or 20 MB, I will not receive another alert, which in my experience will result in a crashed drive and an unpleasant conversation with upper management explaining why there was no alert. By manually closing the monitor generated alert, the sync between the alert resolution state and the health state was broken, and will not be fixed until the health state of the object being monitored (C: drive) is reset or the issue is resolved.
Lesson: You should never manually close alerts generated by monitors, they resolve themselves automatically when the condition that triggered the alert has been resolved. If the logical disk free space monitor is still showing critical in your active alerts view, it is most likely still an issue.
To make things a bit more interesting and confusing….you absolutely CAN close an alert generated by a rule. For now, it doesn’t matter why, let’s keep it simple. To learn more about the differences between rules and monitors check out Michiel Wouter’s blog post here: http://michielw.blogspot.com/2009/04/scom-monitor-vs-rule.html
How do I know if it’s a rule or a monitor!?
There are several methods to tell whether an alert is generated by a rule or a monitor.
- Right click the alert and in the menu you see 1 of 2 options:
- View or edit the settings of this monitor. This means the alert was generated by a monitor.
- View or edit the settings of this rule. This means the alert as was generated by a rule.
2. While an alert is selected in the active alerts view, you will see 1 of the 2 above options in the “Alert Actions” section of the “Tasks” pane like below:
3. While an alert is selected, in the “Alert Details” pane at the bottom of the “Active Alerts” view will show one of the following:
There are a few other options to work around the age-old monitor vs. rule issue, including the utilization of the “Alerts” dashboard view which includes an “IsMonitor” property field option that exposes monitor generated alerts in SCOM 2012, or automating alert resolution to remove human error altogether which is my choice. I won’t get into those options here, but I will create a follow-up post that walks though some of the better options.
Update: See my post on how to create an Alert dashboard to view whether an alert is generated by a rule or monitor here.