Home
  •  

Workflow Runtime: Failed to run a WMI query for WMI events

Microsoft.SystemCenter.WmiEventModule.FailedExecution.Alert (Rule)

This rule generates alerts when the WMI Event module experiences a runtime failure.

Knowledge Base article:

Summary

Operations Manager failed to run a WMI query or script related to WMI events.

Causes

The possible causes for this are:

Operations Manager failed to connect to the computer or namespace. This could be due to permissions issues or that an invalid WMI namespace is used.

Operations Manager failed to run the WMI query. This could be due to permissions or an invalid WMI query.

If the WMI failure is occurring on a computer running Windows Server 2008, it may be due to a known issue with WMI described in Knowledge Base article 958807(http://go.microsoft.com/fwlink/?LinkID=133791).

Resolutions

More details of what caused this issue can be found by examining the associated alert context.

The alert context will detail whether this was a connection, permission or query issue.

If it is a connections issue, ensure that DCOM is enabled

If it’s a permissions issue, ensure that the Operations Manager RunAs account has the appropriate permissions to access WMI.

If it’s a query issue, examine the rule or monitor that contains the WMI script and take appropriate action by modifying it.

You should also review the details provided in Knowledge Base article 958807 (http://go.microsoft.com/fwlink/?LinkID=133791). If the update is applicable, apply it to this computer.

The following link will display all events indicating a possible problem with the WMI Event component:

View WMI Provider Events

External

For more information on troubleshooting WMI problems, go to http://go.microsoft.com/fwlink/?LinkId=158224.

You can also download the WMI Diagnosis Utility at http://go.microsoft.com/fwlink/?LinkId=158226. The WMI Diagnosis Utility is a VBScript script designed to help you troubleshoot the current state of the WMI service on a computer.

Element properties:

TargetMicrosoft.SystemCenter.HealthService
CategoryAlert
EnabledTrue
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
RemotableTrue
Alert Message
Operations Manager failed to run a WMI query for WMI events
{0}
Event LogOperations Manager

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
Consolidator ConditionDetection Microsoft.SystemCenter.Overridable.ConsolidatorCondition Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.SystemCenter.WmiEventModule.FailedExecution.Alert" Enabled="true" Target="SCLibrary!Microsoft.SystemCenter.HealthService" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>Alert</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Operations Manager</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">Health Service Modules</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">Params/Param[1]</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">$Target/ManagementGroup/Name$</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <Or>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value Type="UnsignedInteger">10353</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value Type="UnsignedInteger">10357</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value Type="UnsignedInteger">10359</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value Type="UnsignedInteger">10361</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value Type="UnsignedInteger">10363</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

            </Or>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <ConditionDetection ID="Consolidator" TypeID="Microsoft.SystemCenter.Overridable.ConsolidatorCondition">

    <ConsolidationProperties>

      <PropertyXPathQuery>Params/Param[1]</PropertyXPathQuery>

      <PropertyXPathQuery>Params/Param[2]</PropertyXPathQuery>

      <PropertyXPathQuery>EventDisplayNumber</PropertyXPathQuery>

    </ConsolidationProperties>

    <IntervalSeconds>3600</IntervalSeconds>

    <Count>3</Count>

  </ConditionDetection>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>1</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.SystemCenter.WmiEventModule.FailedExecution.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/Context/DataItem/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$EventData/Data[2]$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>