If you have an environment containing both Hyper-V 2008 and 2012 servers, and thus have the Hyper-V 2008 Management Packs installed, you’ll find you get some false alerts for your 2012 Hyper-V servers.
The 2008 Hyper-V Management Pack looks for event logs that no longer exist in Hyper-V 2012, so you’ll receive an alert stating that an event log is inaccessible.
Example SCOM Alerts:
Alert description: The Windows Event Log Provider is still unable to open the Microsoft-Windows-Hyper-V-Network-Admin event log on computer ‘hostname’. The Provider has been unable to open the Microsoft-Windows-Hyper-V-Network-Admin event log for 720 seconds.
Alert description: The Windows Event Log Provider is still unable to open the Microsoft-Windows-Hyper-V-Image-Management-Service-Admin event log on computer ‘hostname’. The Provider has been unable to open the Microsoft-Windows-Hyper-V-Image-Management-Service-Admin event log for 6480 seconds.
To resolve this, you need to create an override that excludes your Hyper-V 2012 hosts from these monitors, as follows:
- In the SCOM Management console, navigate to Authoring > Management Pack Objects > Monitors
- Click the Scope button at the top of the console, enter ‘Hyper-V’ > View All Targets > Select All > OK
- In the Look for field enter ‘Connectivity’ > Find
- For both ‘Port Connectivity’ and ‘Port Disconnectivity’ right click the Monitor > Overrides > Disable the monitor > For a specific object of class
- You should see your Agent managed Hyper-V hosts, tick the 2012 Hyper-V Hosts > OK
- Back in the Look for field, enter ‘mounted drive’ > Find
- Find the ‘Mounted Drive Read-Only’ monitor > Right click > Overrides > Disable the monitor > For a specific object of class
- Select your 2012 Hyper-V hosts > OK
I found the alerts didn’t recover automatically after adding the overrides and had to manually mark them as resolved/closed.
James
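The same overrides and the manual alert clean-up can be scripted with the OperationsManager PowerShell module. This is an added example, not part of the original post. The host names, the unsealed override management pack name and the `*Hyper-V*` display-name filter are assumptions to replace with your own values. The overrides are limited to the listed 2012 hosts, so the 2008 hosts stay monitored.

```powershell
# Run in the Operations Manager Shell on a management server.
Import-Module OperationsManager

# Assumed values (placeholders, not from the original post).
$hosts2012  = @('hv2012-01.contoso.local', 'hv2012-02.contoso.local')
$overrideMp = Get-SCOMManagementPack -DisplayName 'Hyper-V 2012 Overrides'
if (-not $overrideMp -or $overrideMp.Sealed) {
    throw 'Create an unsealed management pack to hold the overrides first.'
}

# Monitor display names as given in the steps above.
$monitorNames = 'Port Connectivity', 'Port Disconnectivity', 'Mounted Drive Read-Only'

# Assumption: the sealed Hyper-V 2008 packs have "Hyper-V" in their display name.
$hyperVMps = Get-SCOMManagementPack |
    Where-Object { $_.Sealed -and $_.DisplayName -like '*Hyper-V*' }
$monitors = Get-SCOMMonitor -ManagementPack $hyperVMps |
    Where-Object { $_.DisplayName -in $monitorNames }

foreach ($monitor in $monitors) {
    # An instance override must point at objects of the monitor's target class.
    $class     = Get-SCOMClass -Id $monitor.Target.Id
    $instances = Get-SCOMClassInstance -Class $class |
        Where-Object { $_.Path -in $hosts2012 -or $_.DisplayName -in $hosts2012 }

    if ($instances) {
        # Equivalent of "Disable the monitor > For a specific object of class".
        Disable-SCOMMonitor -Instance $instances -ManagementPack $overrideMp -Monitor $monitor
        Write-Output ("Disabled '{0}' on {1} object(s)" -f $monitor.DisplayName, @($instances).Count)
    }
    else {
        Write-Warning ("No 2012 host objects found for '{0}'" -f $monitor.DisplayName)
    }
}

# Close the stale "unable to open ... event log" alerts that are still open
# (resolution state 0 = New) on the 2012 hosts only.
Get-SCOMAlert -ResolutionState 0 |
    Where-Object {
        $_.PrincipalName -in $hosts2012 -and
        $_.Description -like '*unable to open the Microsoft-Windows-Hyper-V-*'
    } |
    Resolve-SCOMAlert -Comment 'Hyper-V 2008 MP monitors disabled for 2012 hosts'
```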