Mechanism That Microsoft Operations Manager 2000 Uses to Evaluate and Process Rules (300116)



The information in this article applies to:

  • Microsoft Operations Manager 2000

This article was previously published under Q300116

SUMMARY

This article describes the mechanism that Microsoft Operations Manager (MOM) uses to evaluate and process rules.

MORE INFORMATION

Rules are deployed by the Consolidator to the agent. The rules are configured as in-memory trees (one for each rule type) that are sorted by provider ID and rule criteria. The trees are organized so that less expensive comparisons (for example, comparing event IDs for equality) happen first, allowing the engine to avoid evaluating expensive comparisons unnecessarily.

The service activates all of its providers, which use various mechanisms to determine when to process new data. The Windows NT Event Log provider, for example, registers an event (a Windows NT notification object) with the Windows NT Event Log service. The event is signaled whenever there are new events in the event log, and the provider submits the events for immediate processing. The notification mechanism occasionally misses an event, so the provider also checks the log periodically for new activity even if it is not signaled to do so.

The service applies the rules to the event by using the in-memory trees. Within the tree for a given rule type, the behavior is as if all rules were applied, even though no event ever triggers more than a small subset of the criteria comparisons. Rules are checked in the following order:
  • Collection Rules

    A Collection Rule identifies an event that has specific criteria and that is to be collected from specific sources. Collection Rules do not generate alerts or provide responses. For more information about Collection Rules, see "Collecting Specific Events" on page 39 of the MOM User Guide.
  • Missing-Event Rules

    A Missing-Event Rule specifies that MOM is to generate an alert or provide a response if a defined event does not occur during a specified time. MOM stores missing-event alerts in the database. For more information about Missing-Event Rules, see "Detecting Missing Events" on page 44 of the MOM User Guide.
  • Consolidation Rules

    A Consolidation Rule specifies that MOM is to consolidate similar events on an agent computer into a single summary event. MOM stores summary events in the database. For more information about Consolidation Rules, see "Consolidating Similar Events" on page 44 of the MOM User Guide.
  • Filtering Rules

    A Filtering Rule specifies that MOM is to ignore certain events, typically events that you do not consider significant. For more information about Filtering Rules, see "Filtering Events" on page 45 of the MOM User Guide.
  • Event Rules

    An Event Rule specifies that MOM is to generate an alert or run a response when a specific event occurs. You can create event rules for events that are not covered by other processing rules. MOM stores the events and alerts in the database. For more information about alerting, see "Generating Alerts" on page 40 of the MOM User Guide.

An Event Consolidation Rule or a Filter Rule can prevent the evaluation of a subsequent rule type.

Depending on the type of rules that the agent detects, the agent determines whether to send the event to the Consolidator, raise an alert, or run a response.
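The following Python sketch is an added illustration, not MOM code. It models the evaluation described above: rules are indexed per rule type by provider and event ID so the cheap comparison runs first, and rule types are checked in the listed order. The rule names, the sample events, the dict-based index, and the choice to treat any Consolidation or Filtering match as stopping later rule types are all assumptions; missing-event timers are not modeled.

```python
from dataclasses import dataclass
from typing import Callable

# Rule types in the order the article lists them.
ORDER = ["collection", "missing_event", "consolidation", "filtering", "event"]
# The article says these types can prevent later types from being evaluated.
# Assumption: modeled here as "any match stops processing".
BLOCKING = {"consolidation", "filtering"}

@dataclass
class Rule:
    name: str
    rule_type: str
    provider: str
    event_id: int                                        # cheap equality criterion
    expensive: Callable[[dict], bool] = lambda ev: True  # costly criterion

def build_index(rules):
    """One lookup table per rule type, keyed by (provider, event ID).
    A dict stands in for the article's sorted in-memory trees."""
    index = {t: {} for t in ORDER}
    for r in rules:
        index[r.rule_type].setdefault((r.provider, r.event_id), []).append(r)
    return index

def evaluate(index, event):
    """Return (names of matching rules, number of expensive checks run)."""
    matched, expensive_calls = [], 0
    key = (event["provider"], event["event_id"])
    for rule_type in ORDER:
        hits = []
        for r in index[rule_type].get(key, []):   # cheap comparison first
            expensive_calls += 1                  # only survivors pay this cost
            if r.expensive(event):
                hits.append(r.name)
        matched += hits
        if hits and rule_type in BLOCKING:
            break                                 # later rule types are skipped
    return matched, expensive_calls

# Constructed sample rules (not taken from any MOM management pack).
RULES = [
    Rule("collect-logon-failure", "collection", "Security", 529),
    Rule("ignore-backup-account", "filtering", "Security", 529,
         lambda ev: "svc_backup" in ev["message"]),
    Rule("alert-logon-failure", "event", "Security", 529),
]
INDEX = build_index(RULES)
```

In this model a matching Filtering Rule keeps the Event Rule for the same event from ever running, so filter criteria are worth reviewing whenever an expected alert does not appear.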

The service raises alerts and runs responses by generating new objects, which are sent through the system separately from the event. Multiple responses can be processed simultaneously.

Alert Processing Rules are applied to the generated alert objects. Responses that are defined in Alert Processing Rules run in response to the actual alert object, not in response to a new response or alert object as is the case for responses that are defined in Event Processing Rules.

Modification Type: Minor
Last Reviewed: 6/13/2005
Keywords: kbenv kbinfo KB300116