
manageability-toolkits's Introduction

Alert ToolKit

  1. Overview
  2. Prerequisites
  3. Deployment Steps
  4. Script Help
  5. Alert Components
  6. Alert Configuration File
  7. References

Overview

The Alert Toolkit automates the deployment of an example set of log alerts to Azure Monitor Log Analytics. The toolkit consists of a configuration file containing log alert definitions and a script that deploys the alerts.

NOTE! The Alert Toolkit now uses the new scheduledQueryRules API. If you need a copy of the toolkit that works with the old API please use the release linked below. If your workspace is using the new API you can use the latest code from the master branch. Any workspaces created before June 1st 2019 will be using the old API unless you migrated to the new API. For more information on the difference between the two APIs, please refer here.

Alert Toolkit for Legacy Log Alerts API https://github.com/microsoft/manageability-toolkits/releases/tag/v1.0

Prerequisites

Deployment Steps

  1. Download the Alert Toolkit contents to your local system
  2. Navigate to the script directory
  3. Run the PowerShell script, New-CoreAlerts.ps1, with desired parameters. Minimum suggested parameters shown in the example below.
# Run Alert Toolkit with email specified.
.\New-CoreAlerts.ps1 `
-SubscriptionID "<subscriptionId>" `
-WorkspaceName "<Log Analytics Workspace Name>" `
-ResourceGroup "<Log Analytics Workspace resource group name>" `
-Location '<Location of workspace and resource group>' `
-AlertEmailAddress "<email address>"

  4. Alternatively, you can run the script with no parameters and you will be prompted for the required parameters.

# Run Alert Toolkit with no parameters
.\New-CoreAlerts.ps1


  5. The toolkit can also use an existing action group.
# Run Alert Toolkit with an existing action group specified.
.\New-CoreAlerts.ps1 `
-SubscriptionID "<subscriptionId>" `
-WorkspaceName "<Log Analytics Workspace Name>" `
-ResourceGroup "<Log Analytics Workspace resource group name>" `
-Location '<Location of workspace and resource group>' `
-ExistingActionGroupName '<Name of existing action group>'
  6. Lastly, the toolkit can also be used to deploy the alerts based on the alert types specified in the configuration file.
# Run Alert Toolkit with specific alert types specified.
.\New-CoreAlerts.ps1 `
-SubscriptionID "<subscriptionId>" `
-WorkspaceName "<Log Analytics Workspace Name>" `
-ResourceGroup "<Log Analytics Workspace resource group name>" `
-Location '<Location of workspace and resource group>' `
-AlertTypes '<Required Alert Types like SQL,HP>'

  7. Once the script completes you will see the alerts in the Azure Portal -> Log Analytics -> Alerts

Script Help

The New-CoreAlerts script supports PowerShell's Get-Help command. To get the most up-to-date information please run the following from within the script directory.

PS C:\Demo> Get-Help .\New-CoreAlerts.ps1 -Full

At the time of this writing:
	.SYNOPSIS
		The Alert Toolkit automates the deployment of an example set of log alerts to Azure Monitor Log Analytics.
	.DESCRIPTION
		The Alert Toolkit automates the deployment of an example set of log alerts to Azure Monitor Log Analytics.
		The toolkit consists of configuration file containing log alert definitions and a script that deploys the alerts.
	.Parameter SubscriptionID
		Specifies the Azure Subscription ID for the workspace where the alerts will be created.
	.Parameter WorkspaceName
		Specifies the name for the log analytics workspace where the alerts will be created.
	.Parameter ResourceGroup
		Specifies the resource group of the workspace where the alerts will be created.
	.Parameter Location
		Specifies the location of the workspace where the alerts will be created.
	.Parameter NewActionGroupName
		Specifies the name of the action group to be added to all alerts created by this toolkit. Default is '<workspacename>-email-ag1', where workspacename is the name of the workspace.
	.Parameter ActionGroupShortName
		Specifies the short name (12 char max, no spaces) of the action group to be added to all alerts created by this toolkit. Default is 'CoreAlert'.
	.Parameter AlertEmailAddress
		Specifies the email address that will be configured for the action group to be added to all alerts created by this toolkit.
	.Parameter ExistingActionGroupName
		Specifies the name of an existing action group to be added to all alerts created by this toolkit.
	.Parameter AlertTypes
		Specifies the type(s) of alerts to be deployed.
	.Parameter ConfigPath
		Specifies the path to the JSON file containing the alert configurations. Default is '.\DefaultAlertConfig.json'.
	.EXAMPLE 
	   .\New-CoreAlerts.ps1 -SubscriptionId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -WorkspaceName 'alertsWorkspace' -ResourceGroup 'alertsRG' -Location 'East US'
	   
	   This command will run the Alert Toolkit script with the provided parameters.
	   
	.EXAMPLE
	   .\New-CoreAlerts.ps1
	   
	   This command will run the Alert Toolkit script and prompt the user for required parameters.
	   
	.EXAMPLE 
	   .\New-CoreAlerts.ps1 -SubscriptionId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -ExistingActionGroupName 'useractiongroupname' -WorkspaceName 'alertsWorkspace' -ResourceGroup 'alertsRG' -Location 'East US' 
	   
	   This command will run the Alert Toolkit script with the provided parameters, adding the existing action group named 'useractiongroupname' to all alerts created by the toolkit.
	   
	.EXAMPLE
		.\New-CoreAlerts.ps1 -SubscriptionId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -WorkspaceName 'alertsWorkspace' -ResourceGroup 'alertsRG' -Location 'East US' -AlertTypes "Core,SQL"

		This command will run the Alert Toolkit script with the provided parameters, deploying only alerts that are tagged with 'Core' or 'SQL'
		
	.LINK
	https://github.com/Microsoft/manageability-toolkits
	
	
	.Notes
		NAME:     New-CoreAlerts
		AUTHOR(s): Arun Kumar Rajendra <[email protected]>, Matt Carlson <[email protected]>
		LASTEDIT: 02/04/2019
		KEYWORDS: OMS, Log Analytics, Alerts, Core Alerts

Alert Components

The toolkit automates the creation of alerts by creating several different resources and associating them to one another.

Action Group: The action group contains any number of actions that should happen once the alert fires. This could include sending an email or calling a webhook. The Alert Toolkit currently supports just a single email unless an existing action group is provided.

Saved Search: The saved search is where the alert query is defined. When the query returns results over a given time period, the alert is fired.

Schedule: A saved search can have one or more schedules. The schedule defines how often the search is run and the time interval over which the criteria is identified.

Alert Action: Finally, the toolkit creates an alert action. This is associated with the Saved Search, Schedule and Action Group to create the final alert.

More information on how to configure alerts using the REST API can be found here: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-api-alerts

Alert Configuration File

The alert configuration file, DefaultAlertConfig.json, contains the alert definitions for Alerts included in the Alert Toolkit. Alerts can be added or removed from the configuration file before running the script.

Creating a custom alert

A custom alert can be added to the toolkit by modifying the configuration file before running the deployment script. Existing alerts can be used as an example, but the alert should have the following elements. More detailed information about what is required by the Log Analytics REST API can be found here.

AlertName - Name of the alert. To be displayed in script output.

AlertGuid - Unique GUID for the alert in your subscription. See Creating a new GUID below.

SavedSearch - The SavedSearch element contains the JSON payload required to create saved search. This is the basis of a log analytics alert. This includes such information as the category and display name, but most importantly the query that will be used to define the criteria for an Alert.

  • Category - The category for the saved search. This can be used to group alerts together or filter them in the Azure Portal.
  • DisplayName - The display name for the saved search.
  • Query - The Log Analytics query for the saved search. This must be properly escaped JSON for special characters like quotes. See Converting KQL to JSON below.
  • Version - The API version being used. Currently, this should always be set to 1.

Schedule - This section contains the Json payload required to create the alert schedule.

  • Interval - How often the search is run. Measured in minutes.
  • QueryTimeSpan - The time interval over which the criteria is evaluated. Must be equal to or greater than Interval. Measured in minutes.
  • Active - Must be set to true.

AlertDefinition - This section contains the configuration for the alert itself.

  • Name - The name displayed for the alert.
  • Description - A description of the alert.
  • Version - The API version being used. Currently, this should always be set to 1.
  • Severity - Log Analytics allows you to classify your alerts into categories, to allow easier management and triage. The defined alert severities are: informational, warning, and critical.
  • Type - This should be set to Alert.
  • Threshold - Criteria for when the action is run.
    • Operator - Operator for the threshold comparison: gt = Greater Than, lt = Less Than.
    • Value - Value for the threshold.
  • AzNsNotification - This section contains the configuration for what action is taken when the alert fires.
    • GroupIds - Should be set to /subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup
    • CustomEmailSubject - The custom email subject text if the default email notification is used.

Example:

{
      "AlertName": "NTFS - File System Corrupt",
      "AlertGuid": "bb8527b1-6152-4d28-be04-c3d81cf98407",
      "Tags": [
        "Core"
      ],
      "SavedSearch": {
        "Category": "Core",
        "DisplayName": "Alert - NTFS - File System Corrupt",
        "Query": "Event | where EventLog == \"System\" and Source == \"DISK\" or Source == \"Ntfs\" and EventID == 55 | project Computer, TimeGenerated, AlertType_s = \"NTFS - File System Corrupt\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = Computer, AlertTitle_s = strcat(Computer, \": NTFS - File System Corrupt\"), AlertDetails_s = strcat(\"Event Description:\\r\\n\", RenderedDescription)",
        "Version": "1"
      },
      "Schedule": {
        "Interval": 30,
        "QueryTimeSpan": 30,
        "Active": "true"
      },
      "AlertDefinition": {
        "Name": "NTFS - File System Corrupt",
        "Description": "Core monitoring alert for monitoring disk",
        "Version": "1",
        "Severity": "critical",
        "Type": "Alert",
        "Threshold": {
          "Operator": "gt",
          "Value": 0
        },
        "AzNsNotification": {
          "GroupIds": [
            "/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
          ],
          "CustomEmailSubject": "Alert - NTFS - File System Corrupt"
        }
      }
    }
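
The element rules listed above can be checked before the deployment script is run. The following is an added example, not part of the toolkit: the function name Test-AlertConfig, the sample alerts and their GUIDs are hypothetical and constructed for illustration, and the alerts are assumed to sit in a top-level Alerts array.

```powershell
# Added example, not toolkit code. Test-AlertConfig and the sample data are hypothetical.
function Test-AlertConfig {
    [CmdletBinding()]
    param(
        # Raw JSON text of a configuration file laid out like DefaultAlertConfig.json
        [Parameter(Mandatory)]
        [string]$Json
    )

    $config    = $Json | ConvertFrom-Json   # throws if the JSON itself is malformed
    $seenGuids = @{}

    foreach ($alert in $config.Alerts) {
        $problems = @()

        # AlertGuid: must parse as a GUID and be unique within the file
        $guid = [guid]::Empty
        if (-not [guid]::TryParse([string]$alert.AlertGuid, [ref]$guid)) {
            $problems += "AlertGuid '$($alert.AlertGuid)' is not a GUID"
        }
        else {
            $key = $guid.ToString()
            if ($seenGuids.ContainsKey($key)) {
                $problems += "AlertGuid is already used by '$($seenGuids[$key])'"
            }
            else {
                $seenGuids[$key] = $alert.AlertName
            }
        }

        # SavedSearch: the query is the basis of the alert
        if ([string]::IsNullOrWhiteSpace($alert.SavedSearch.Query)) {
            $problems += 'SavedSearch.Query is empty'
        }
        if ("$($alert.SavedSearch.Version)" -ne '1') {
            $problems += 'SavedSearch.Version should be 1'
        }

        # Schedule: QueryTimeSpan must be equal to or greater than Interval (minutes)
        $interval = $alert.Schedule.Interval
        $span     = $alert.Schedule.QueryTimeSpan
        if ($null -eq $interval -or $null -eq $span -or
            $null -eq ($interval -as [int]) -or $null -eq ($span -as [int])) {
            $problems += 'Schedule.Interval and Schedule.QueryTimeSpan must be numbers'
        }
        elseif ([int]$span -lt [int]$interval) {
            $problems += "QueryTimeSpan ($span) is less than Interval ($interval)"
        }
        if ("$($alert.Schedule.Active)" -ne 'true') {
            $problems += 'Schedule.Active must be true'
        }

        # AlertDefinition: fixed values and the documented enumerations
        $def = $alert.AlertDefinition
        if ("$($def.Version)" -ne '1') { $problems += 'AlertDefinition.Version should be 1' }
        if ($def.Type -ne 'Alert')     { $problems += 'AlertDefinition.Type should be Alert' }
        if ($def.Severity -notin 'informational', 'warning', 'critical') {
            $problems += "Severity '$($def.Severity)' is not informational, warning or critical"
        }
        if ($def.Threshold.Operator -notin 'gt', 'lt') {
            $problems += "Threshold.Operator '$($def.Threshold.Operator)' is not gt or lt"
        }

        foreach ($p in $problems) {
            [pscustomobject]@{ AlertName = $alert.AlertName; Problem = $p }
        }
    }
}

# Constructed sample: the second alert reuses the first GUID and breaks three other rules.
$sample = @'
{
  "Alerts": [
    {
      "AlertName": "Sample - valid",
      "AlertGuid": "11111111-1111-1111-1111-111111111111",
      "SavedSearch": { "Category": "Core", "DisplayName": "Alert - Sample", "Query": "Event | where EventID == 55", "Version": "1" },
      "Schedule": { "Interval": 30, "QueryTimeSpan": 30, "Active": "true" },
      "AlertDefinition": { "Name": "Sample", "Description": "Constructed", "Version": "1", "Severity": "critical", "Type": "Alert", "Threshold": { "Operator": "gt", "Value": 0 } }
    },
    {
      "AlertName": "Sample - broken",
      "AlertGuid": "11111111-1111-1111-1111-111111111111",
      "SavedSearch": { "Category": "Core", "DisplayName": "Alert - Broken", "Query": "Event | where EventID == 6008", "Version": "1" },
      "Schedule": { "Interval": 30, "QueryTimeSpan": 15, "Active": "true" },
      "AlertDefinition": { "Name": "Broken", "Description": "Constructed", "Version": "1", "Severity": "high", "Type": "Alert", "Threshold": { "Operator": "ge", "Value": 0 } }
    }
  ]
}
'@

Test-AlertConfig -Json $sample | Format-Table -AutoSize -Wrap
```

To check a real file, pass its contents instead of the sample: Test-AlertConfig -Json (Get-Content .\DefaultAlertConfig.json -Raw).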

Creating a new GUID

Run the following in a PowerShell console to generate a new GUID.

New-Guid


Converting KQL to JSON

To convert an existing Log Analytics query to JSON you can use the following method in PowerShell.

$kql = '[insert KQL query text here, new lines and all]'
($kql.Replace("`r","").Replace("`n","")) | ConvertTo-Json

Here’s an example with the NTFS Alert from the toolkit:

KQL:

Event
| where EventLog == "System" and Source == "DISK" or Source == "Ntfs" and EventID == 55
| project Computer, TimeGenerated, AlertType_s = "NTFS - File System Corrupt", Severity = 4, SeverityName_s = "WARNING", AffectedCI_s = Computer, AlertTitle_s = strcat(Computer, ": NTFS - File System Corrupt"), AlertDetails_s = strcat("Event Description:\r\n", RenderedDescription)

Output:

PS C:\> $kql = 'Event
>> | where EventLog == "System" and Source == "DISK" or Source == "Ntfs" and EventID == 55
>> | project Computer, TimeGenerated, AlertType_s = "NTFS - File System Corrupt", Severity = 4, SeverityName_s = "WARNING", AffectedCI_s = Computer, AlertTitle_s = strcat(Computer, ": NTFS - File System Corrupt"), AlertDetails_s = strcat("Event Description:\r\n", RenderedDescription)'

PS C:\> ($kql.Replace("`r","").Replace("`n","")) | ConvertTo-Json
"Event| where EventLog == \"System\" and Source == \"DISK\" or Source == \"Ntfs\" and EventID == 55| project Computer, TimeGenerated, AlertType_s = \"NTFS - File System Corrupt\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = Computer, AlertTitle_s = strcat(Computer, \": NTFS - File System Corrupt\"), AlertDetails_s = strcat(\"Event Description:\\r\\n\", RenderedDescription)"


The downside to this approach is that ConvertTo-Json replaces special characters like ‘>’ with their Unicode representation like ‘\u003e’. The good news is that ConvertFrom-Json, which the script uses, will convert it back. Alternatively, you can replace it yourself as long as it’s not a character that needs to be escaped. We’ve done this with some of the alerts in the default toolkit because it looks cleaner. It’s not strictly necessary though.
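
The conversion above, with the Unicode clean-up verified by a round trip through ConvertFrom-Json, as an added example that is not part of the toolkit. The function name ConvertTo-AlertQueryJson and the sample query are hypothetical; unlike the one-liner above it joins lines with a space and refuses queries containing // comments, because a KQL comment runs to the end of its line and would swallow the rest of a flattened query.

```powershell
# Added example, not toolkit code. ConvertTo-AlertQueryJson is a hypothetical helper.
function ConvertTo-AlertQueryJson {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Kql
    )

    # Split on CRLF or LF, trim each line and drop blank ones.
    $lines = $Kql -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # Look for // outside quoted literals. Blanking the literals first is an
    # approximation of KQL string syntax; a false positive only causes a refusal.
    foreach ($line in $lines) {
        $code = $line -replace '"(\\.|[^"\\])*"', '""' -replace "'(\\.|[^'\\])*'", "''"
        if ($code -match '//') {
            throw "Line contains a // comment; remove it before flattening: $line"
        }
    }

    # Join with a space so tokens split across lines cannot fuse together.
    $flat = $lines -join ' '
    $json = $flat | ConvertTo-Json

    # Windows PowerShell escapes these characters as \uXXXX; put them back for readability.
    $readable = $json
    $pairs = @{ '\\u003e' = '>'; '\\u003c' = '<'; '\\u0026' = '&'; '\\u0027' = "'" }
    foreach ($pair in $pairs.GetEnumerator()) {
        $readable = $readable -replace $pair.Key, $pair.Value
    }

    # Only return the cleaned-up form if it still decodes to exactly the same query.
    try   { $roundTrip = $readable | ConvertFrom-Json -ErrorAction Stop }
    catch { $roundTrip = $null }

    if ($roundTrip -cne $flat) {
        Write-Warning 'Clean-up changed the query; returning the ConvertTo-Json output unchanged.'
        return $json
    }
    return $readable
}

# Constructed sample query containing a character that ConvertTo-Json may escape.
$sample = @'
Perf
| where CounterName == "% Processor Time"
| where CounterValue > 85
'@

ConvertTo-AlertQueryJson -Kql $sample
```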

References

Create and manage alert rules in Log Analytics with REST API https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-api-alerts

Contributing

Contribution guidelines for this project


manageability-toolkits's Issues

(400) Bad Request

Hello Guys,

We are from SWO cloud support, and one of our customers is trying to use this code to generate the alerts; however, they are getting "The remote server returned an error: (400) Bad Request" when creating alert 1 of 38, 'High CPU Usage'. Can you please check and let me know if there is any issue here?

Issue while adding new alert

Hi There,

I have added an update management alert in the DefaultAlertConfig file. But when I am trying to execute this script for alert creation, I am getting the below error.

Note: - I have checked the JSON format and it is valid.

Please find the below JSON "DefaultAlertConfig" file for further clarification.

{ 
"ConfigFileVersion":"1.3",
"ApiVersion":"2015-03-20",
"Alerts":[ 
{ 
"AlertName":"High CPU Usage",
"AlertGuid":"8a9b0a3b-5f17-4a55-8132-0fe6dcbf968f",
"Tags":[ 
"Core"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - High CPU Usage",
"Query":"let _maxValue = 85; let _timeWindow = 4h; let _AvgCpu = Perf | where TimeGenerated >= ago(_timeWindow) | where CounterName == \"% Processor Time\" and InstanceName =~ \"_Total\" | summarize mtgPerf=max(TimeGenerated), CounterValue=round(avg(CounterValue)), SampleCount=count(CounterValue) by Computer, InstanceName, CounterName, ObjectName; _AvgCpu | where CounterValue > _maxValue | project Computer , ObjectName , CounterName , InstanceName , TimeGenerated=mtgPerf , CounterValue , AlertType_s = \"Sustained High CPU Utilization\" , Severity = 4 , SeverityName_s = \"WARNING\" , AffectedCI_s = strcat(Computer, \"/CPUPercent/\", InstanceName) , AlertTitle_s = strcat(Computer, \": Sustained High CPU Utilization\") , AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nAverage CPU Utilization: \", CounterValue, \"%\\r\\nSample Period: Last \", _timeWindow, \"\\r\\nSample Count: \", SampleCount, \"\\r\\nAlert Threshold: > \", _maxValue, \"%\")",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":240,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"High CPU Usage",
"Description":"Triggers an alert for a high CPU usage condition",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - High CPU Usage"
}
}
},
{ 
"AlertName":"Update Missing On Server",
"AlertGuid":"7a8b0a4b-7f17-4a55-8123-0fe4dcbf354f",
"Tags":[ 
"Core"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - Update Missing on Server",
"Query":"Update | where UpdateState =~ \"Needed\" and iff(isnotnull(toint(Optional)), Optional == false, Optional == \"false\") == true and Classification == \"Critical Updates\" and iff(isnotnull(toint(Approved)), Approved != false, Approved != \"false\") == true | summarize AggregatedValue = count() by Computer",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"Critical Update Missing on Server",
"Description":"Triggers an alert when a critical or needed update missing on server",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - Update Missing on Server"
}
}
},
{ 
"AlertName":"Low Disk Space Windows - Critical",
"AlertGuid":"844d2068-65ea-45d0-98d0-44e34a0548c6",
"Tags":[ 
"Core"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - Low Disk Space Windows",
"Query":"let _minValue = 10; Perf | where TimeGenerated >= ago(1h) | where CounterValue <= _minValue | where CounterName == \"% Free Space\" and InstanceName in (\"C:\", \"E:\", \"F:\", \"G:\") | summarize mtgPerf=max(TimeGenerated), CounterValue=max(CounterValue) by Computer, InstanceName, CounterName, ObjectName, DriveLetter=replace(@\"(\\w).\",@\"\\1\", InstanceName) | join kind=inner ( Heartbeat | where OSType == \"Windows\" | summarize max(TimeGenerated) by Computer ) on Computer | project Computer , ObjectName , CounterName , InstanceName , TimeGenerated=mtgPerf , round(CounterValue) , DriveLetter , AlertType_s = \"Windows Low Disk Space\" , Severity = 3 , SeverityName_s = \"WARNING\" , AffectedCI_s = strcat(Computer, \"/\", DriveLetter) , AlertTitle_s = strcat(Computer, \": Low Disk Space on Drive \", DriveLetter) , AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nDrive Letter: \", DriveLetter, \"\\r\\nPercent Free Space: \", round(CounterValue), \"%\\r\\nAlert Threshold: <= \", _minValue, \"%\")",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":35,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"Low Disk Space Windows",
"Description":"Triggers an alert for a low disk space condition",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - Low Disk Space Windows"
}
}
},
{ 
"AlertName":"Low Memory",
"AlertGuid":"1fcf8156-fcca-45d2-be45-aca07b90aee8",
"Tags":[ 
"Core"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - Low Memory",
"Query":"let _minAvailableMB = 1024;\nlet _sampleInterval = 4h;\nlet _linuxMem = Perf\n| where TimeGenerated >= ago(_sampleInterval)\n| where CounterName == \"Available MBytes Memory\"\n| summarize mtgPerf=max(TimeGenerated), CounterValue=avg(CounterValue), SampleCount=count(CounterValue) by Computer\n| join kind=inner\n(\n Heartbeat\n | where OSType == \"Linux\"\n | summarize max(TimeGenerated) by Computer\n)\non Computer\n| project Computer, mtgPerf, AvailableMBytes=round(CounterValue), SampleCount;\nlet _windowsMem = Perf\n| where TimeGenerated >= ago(_sampleInterval)\n| where CounterName == \"Available MBytes\"\n//and ObjectName == \"Logical Disk\"\n\n//and InstanceName matches regex \"/.*\"\n| summarize mtgPerf=max(TimeGenerated), CounterValue=avg(CounterValue), SampleCount=count(CounterValue) by Computer\n| join kind=inner\n(\n Heartbeat\n | where OSType == \"Windows\"\n | summarize max(TimeGenerated) by Computer\n)\non Computer\n| project Computer, mtgPerf, AvailableMBytes=round(CounterValue), SampleCount;\n_linuxMem\n| union _windowsMem\n| where AvailableMBytes < _minAvailableMB\n| project Computer , TimeGenerated=mtgPerf , CounterValue=AvailableMBytes , AlertType_s = \"Low Available Memory\" , Severity = 4 , SeverityName_s = \"WARNING\" , AffectedCI_s = strcat(Computer, \"/FreeMemoryMB/\") , AlertTitle_s = strcat(Computer, \": Low Available Memory\") , AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nAverage Free Memory: \", AvailableMBytes, \" MB\\r\\nSample Period: Last \", _sampleInterval, \"\\r\\nSample Count: \", SampleCount, \"\\r\\nAlert Threshold: < \", _minAvailableMB, \" MB\")",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":240,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"Low Memory",
"Description":"Triggers an alert for a low memory condition",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - Low Memory"
}
}
},
{ 
"AlertName":"NTFS - File System Corrupt",
"AlertGuid":"bb8527b1-6152-4d28-be04-c3d81cf98407",
"Tags":[ 
"Core"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - NTFS - File System Corrupt",
"Query":"Event | where EventLog == \"System\" and Source == \"DISK\" or Source == \"Ntfs\" and EventID == 55 | project Computer, TimeGenerated, AlertType_s = \"NTFS - File System Corrupt\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = Computer, AlertTitle_s = strcat(Computer, \": NTFS - File System Corrupt\"), AlertDetails_s = strcat(\"Event Description:\\r\\n\", RenderedDescription)",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"NTFS - File System Corrupt",
"Description":"Core monitoring alert for monitoring disk",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - NTFS - File System Corrupt"
}
}
},
{ 
"AlertName":"Unexpected shutdown",
"AlertGuid":"39128bb3-9a64-4d81-bc36-58be5e101514",
"Tags":[ 
"Core"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - Unexpected shutdown",
"Query":"Event | where EventLog == \"System\" and EventID == 6008 | project Computer, TimeGenerated, AlertType_s = \"Unexpected shutdown\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer), AlertTitle_s = strcat(Computer, \": Unexpected Shutdown\"), AlertDetails_s = strcat(\"Multiple shutdowns detected in the past 24 hours\\r\\nEventID: 6008\\r\\nEvent Description: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{ 
"Interval":1440,
"QueryTimeSpan":1440,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"Unexpected shutdown",
"Version":"1",
"Description":"Unexpected shutdown monitoring from core monitoring",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":1
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - Unexpected shutdown"
}
}
},
{ 
"AlertName":"HP Windows (SNMP) Power sub system degraded or failed",
"AlertGuid":"c40aab23-0622-4648-9a67-6118858bdbd5",
"Tags":[ 
"Physical,HP"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Power sub system degraded or failed",
"Query":"Event | where EventLog == \"System\" | where EventID == 1103 or EventID == 1128 or EventID == 1126 or EventID == 1124 or EventID == 1125 or EventID == 1184 | where RenderedDescription contains \"System Information Agent: Health\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Power sub system degraded or failed\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Power sub system degraded or failed with Event ID \", EventID), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"HP Windows (SNMP) Power sub system degraded or failed",
"Description":"Power sub system degraded or failed. The fault tolerant power supply has degraded, failed or lost redundancy.",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Power sub system degraded or failed"
}
}
},
{ 
"AlertName":"HP Windows (SNMP) Fan degraded",
"AlertGuid":"804809b2-8cac-4d72-b186-ecd40f59ed95",
"Tags":[ 
"Physical,HP"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Fan degraded",
"Query":"Event | where EventLog == \"System\" | where Source == \"Server Agents\" | where EventID == 1131 or EventID == 1129 or EventID == 1086 | where RenderedDescription contains \"CPQHLTH.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Fan degraded\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Fan degraded with Event ID \", EventID), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"HP Windows (SNMP) Fan degraded",
"Description":"Fan degraded. A fault tolerant fan or system fan has been degraded.",
"Version":"1",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Fan degraded"
}
}
},
{ 
"AlertName":"HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded",
"AlertGuid":"73032be3-1f4e-44a4-88be-ca25b797b1bc",
"Tags":[ 
"Physical,HP"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded",
"Query":"Event | where EventID == 1150 or EventID == 1151 | where RenderedDescription contains \"CPQRACK.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded with Event ID\", EventID), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded",
"Version":"1",
"Description":"Rack fans have failed.",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded"
}
}
},
{ 
"AlertName":"HP Windows (SNMP) Drive Array Physical Drive degraded",
"AlertGuid":"eca68326-ebc4-490d-b33b-071af8380e81",
"Tags":[ 
"Physical,HP"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Drive Array Physical Drive degraded",
"Query":"Event | where EventID == 1202 or EventID == 1203 or EventID == 1216 | where RenderedDescription contains \"CPQIDA.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Drive Array Physical Drive degraded\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Drive Array Physical Drive degraded with Event ID \", EventID), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"HP Windows (SNMP) Drive Array Physical Drive degraded",
"Version":"1",
"Description":"The drive array physical drive has degraded.",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Drive Array Physical Drive degraded"
}
}
},
{ 
"AlertName":"HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild",
"AlertGuid":"372ffd1b-2a78-4ef4-b801-2c902bc8d3c1",
"Tags":[ 
"Physical,HP"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild",
"Query":"Event | where EventLog == \"System\" | where EventID == 1200 | where Source == \"Storage Agents\" | where RenderedDescription contains \"new status of 6\" and RenderedDescription contains \"CPQIDA.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID, \"/readyForRebuild\"), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild\"), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild",
"Version":"1",
"Description":"The drive array logical drive status has changed to 'readyForRebuild'",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert- HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild"
}
}
},
{ 
"AlertName":"HP Windows (SNMP) Drive Array Logical Drive Status is failed",
"AlertGuid":"749aee97-1666-4635-8f88-38afd598e9b5",
"Tags":[ 
"Physical,HP"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Drive Array Logical Drive Status is failed",
"Query":"Event | where EventLog == \"System\" | where EventID == 1200 | where Source == \"Storage Agents\" | where RenderedDescription contains \"new status of 3\" and RenderedDescription contains \"CPQIDA.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Drive Array Logical Drive Status is failed\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID, \"/failed\"), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Drive Array Logical Drive Status is failed\"), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"HP Windows (SNMP) Drive Array Logical Drive Status is failed",
"Version":"1",
"Description":"The drive array logical drive status has changed to 'failed'",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":0
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Drive Array Logical Drive Status is failed"
}
}
},
{ 
"AlertName":"HP Windows (SNMP) Memory degraded",
"AlertGuid":"c1446d74-f632-49eb-b426-0e536386cfc6",
"Tags":[ 
"Physical,HP"
],
"SavedSearch":{ 
"Category":"Core",
"DisplayName":"Alert - HP Windows (SNMP) Memory degraded",
"Query":"Event | where EventLog == \"System\" | where Source == \"Server Agents\" | where EventID == 1025 or EventID == 1026 or EventID == 1027 or EventID == 1028 or EventID == 1031 or EventID == 1071 or EventID == 1035 or EventID == 1039 | where RenderedDescription contains \"CPQHLTH.MIB\" | project Computer, TimeGenerated, AlertType_s = \"HP Windows (SNMP) Memory degraded\", Severity = 4, SeverityName_s = \"WARNING\", AffectedCI_s = strcat(Computer, \"/EventId-\", EventID), AlertTitle_s = strcat(Computer, \": HP Windows (SNMP) Memory degraded with Event ID \", EventID), AlertDetails_s = strcat(\"Computer: \", Computer, \"\\r\\nEvent ID: \", EventID, \"\\r\\nRenderedDescription: \", RenderedDescription)",
"Version":"1"
},
"Schedule":{ 
"Interval":30,
"QueryTimeSpan":30,
"Active":"true"
},
"AlertDefinition":{ 
"Name":"HP Windows (SNMP) Memory degraded",
"Version":"1",
"Description":"Memory degraded. Advanced Memory Protection has detected a memory fault.",
"Severity":"critical",
"Type":"Alert",
"Threshold":{ 
"Operator":"gt",
"Value":1
},
"AzNsNotification":{ 
"GroupIds":[ 
"/subscriptions/subscrname/resourcegroups/resourcegrp/providers/microsoft.insights/actiongroups/samplecoreactiongroup"
],
"CustomEmailSubject":"Alert - HP Windows (SNMP) Memory degraded"
}
}
}
],
"Events":[ 
{ 
"EventLogName":"Application",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-ClusterAwareUpdating/Admin",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-Desired State Configuration/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-FailoverClustering-CsvFs/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-FailoverClustering/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-GroupPolicy/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-Hyper-V-Config/Admin",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-Hyper-V-High-Availability/Admin",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-Hyper-V-Integration/Admin",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-Hyper-V-Shared-VHDX/Operational",
"Error":true,
"Warning":true,
"Information":false
},
{ 
"EventLogName":"Microsoft-Windows-Hyper-V-SynthNic/Admin",
"Error":true,
"Warning":true,
"Information":false
},
{ 
"EventLogName":"Microsoft-Windows-Hyper-V-VMMS/Admin",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-Hyper-V-VMMS/Networking",
"Error":true,
"Warning":true,
"Information":false
},
{ 
"EventLogName":"Microsoft-Windows-Hyper-V-VMMS/Storage",
"Error":true,
"Warning":true,
"Information":false
},
{ 
"EventLogName":"Microsoft-Windows-Hyper-V-Worker-Admin",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-NetworkProfile/Operationa",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-SMBServer/Operational",
"Error":true,
"Warning":true,
"Information":false
},
{ 
"EventLogName":"Microsoft-Windows-TaskScheduler/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Microsoft-Windows-VHDMP/Operational",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"MSNIPAK",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Operations Manager",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"Setup",
"Error":true,
"Warning":true,
"Information":true
},
{ 
"EventLogName":"System",
"Error":true,
"Warning":true,
"Information":true
}
],
"PerformanceCounters":[ 
{ 
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Read Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Read Latency",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Reads/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Write Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Write Latency",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Cluster CSV File System",
"CounterName":"IO Writes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Hyper-V Dynamic Memory VM",
"CounterName":"Guest Visible Physical Memory",
"InstanceName":"*",
"intervalSeconds":1800
},
{ 
"ObjectName":"Hyper-V Dynamic Memory VM",
"CounterName":"Physical Memory",
"InstanceName":"*",
"intervalSeconds":1800
},
{ 
"ObjectName":"Hyper-V Hypervisor Logical Processor",
"CounterName":"% Total Run Time",
"InstanceName":"*",
"intervalSeconds":60
},
{ 
"ObjectName":"Hyper-V Hypervisor Virtual Processor",
"CounterName":"% Total Run Time",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Hyper-V Virtual Storage Device",
"CounterName":"Read Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Hyper-V Virtual Storage Device",
"CounterName":"Read Operations/Sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Hyper-V Virtual Storage Device",
"CounterName":"Write Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Hyper-V Virtual Storage Device",
"CounterName":"Write Operations/Sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"% Free Space",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Avg. Disk sec/Read",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Avg. Disk sec/Transfer",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Avg. Disk sec/Write",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Current Disk Queue Length",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Disk Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Disk Read Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Disk Reads/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Disk Transfers/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Disk Write Bytes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Disk Writes/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"LogicalDisk",
"CounterName":"Free Megabytes",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Memory",
"CounterName":"% Committed Bytes In Use",
"InstanceName":"*",
"intervalSeconds":1800
},
{ 
"ObjectName":"Memory",
"CounterName":"Available MBytes",
"InstanceName":"*",
"intervalSeconds":1800
},
{ 
"ObjectName":"Memory",
"CounterName":"Commit Limit",
"InstanceName":"*",
"intervalSeconds":1800
},
{ 
"ObjectName":"Memory",
"CounterName":"Committed Bytes",
"InstanceName":"*",
"intervalSeconds":1800
},
{ 
"ObjectName":"Network Adapter",
"CounterName":"Bytes Received/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Network Adapter",
"CounterName":"Bytes Sent/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Network Interface",
"CounterName":"Bytes Total/sec",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"NUMA Node Memory",
"CounterName":"Available MBytes",
"InstanceName":"_Total",
"intervalSeconds":1800
},
{ 
"ObjectName":"NUMA Node Memory",
"CounterName":"Total MBytes",
"InstanceName":"_Total",
"intervalSeconds":1800
},
{ 
"ObjectName":"Processor",
"CounterName":"% Processor Time",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"Processor",
"CounterName":"% Processor Time",
"InstanceName":"_Total",
"intervalSeconds":60
},
{ 
"ObjectName":"System",
"CounterName":"Processor Queue Length",
"InstanceName":"*",
"intervalSeconds":300
},
{ 
"ObjectName":"TCPv4",
"CounterName":"Connections Established",
"InstanceName":"*",
"intervalSeconds":300
}
]
}

The error which I am getting is as follows:

PS C:\Work\ARM Temp\manageability-toolkits-master\Alert Toolkit\Test> .\New-CoreAlerts.ps1 -SubscriptionId 'XXXX20b3-e3cb-XXXXX-8f46-XXXXXXXX' -NewActionGroupName 'testautomateXXX' -WorkspaceName 'testautomationXXX' -ResourceGroup 'testautomation' -Location 'Canada Central' -ActionGroupShortName 'test' -AlertEmailAddress '[email protected]'

Verifying parameters...
Creating action group...
Action group with name, 'testautomatealertXXX' created successfully
Configuring event log collections...
Configuring performance counter collections...
Beginning creation of 13 alerts...
-Creating alert 1 of 13: 'High CPU Usage'
-Creating alert 2 of 13: 'Update Missing On Server'
Invoke-RestMethod : {"error":{"code":"BadRequest","message":"Please validate the JSON payload."}}
At C:\Work\ARM Temp\manageability-toolkits-master\Alert Toolkit\Test\New-CoreAlerts.ps1:320 char:2
+ Invoke-RestMethod -Uri $uri -Headers $header -Method Put -Body $a ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
-Creating alert 3 of 13: 'Low Disk Space Windows - Critical'
-Creating alert 4 of 13: 'Low Memory'
-Creating alert 5 of 13: 'NTFS - File System Corrupt'
-Creating alert 6 of 13: 'Unexpected shutdown'
-Creating alert 7 of 13: 'HP Windows (SNMP) Power sub system degraded or failed'
-Creating alert 8 of 13: 'HP Windows (SNMP) Fan degraded'
-Creating alert 9 of 13: 'HP Windows (SNMP) Rack Enclosure Fan Failed or Degraded'
-Creating alert 10 of 13: 'HP Windows (SNMP) Drive Array Physical Drive degraded'
-Creating alert 11 of 13: 'HP Windows (SNMP) Drive Array Logical Drive Status is readyForRebuild'
-Creating alert 12 of 13: 'HP Windows (SNMP) Drive Array Logical Drive Status is failed'
-Creating alert 13 of 13: 'HP Windows (SNMP) Memory degraded'
Alert creation complete...
Script exiting...

PS C:\Work\ARM Temp\manageability-toolkits-master\Alert Toolkit\Test> test-connection

Getting errors when I run PS script .\New-CoreAlerts.ps1

Hi,

I followed your steps until the part where I have to run the PS script.

.\New-CoreAlerts.ps1

But I am getting these errors:

At C:\Users......r\New-CoreAlerts.ps1:148 char:19
+           Sign&nbsp;up
+               ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
At C:......\New-CoreAlerts.ps1:175 char:190
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
At C:\Users.....\New-CoreAlerts.ps1:190 char:255

The errors seem to be related to symbols like "&" and "<" not being allowed. Do you know how I can have this fixed?

Alert creation stops after 27th

Hi There,

I am trying to create the alerts using the same; however, alert creation always stops after the 27th.

Please find the below error and details,

`PS C:\Gourav\Git\Alert_OMS_2\manageability-toolkits\Alert Toolkit> .\New-CoreAlerts.ps1
cmdlet New-CoreAlerts.ps1 at command pipeline position 1
Supply values for the following parameters:
SubscriptionId: 8c328a86-XXXX-XXX-XXX-bXXXXXXX
WorkspaceName: omsrg03
ResourceGroup: omsrg03
Location: 'Canada Central'

Logging into Azure and selecting subscription...
Existing Az session detected. Skipping login prompt.
Verifying parameters...

Enter the email address to be subscribed for alerts: [email protected]
Creating action group...
Action group with name, 'omsrg03-email-ag1' created successfully
Configuring event log collections...
Configuring performance counter collections...
Alerts where selected with the tags All ...
Beginning creation of 38 alerts...
-Creating alert 1 of 38: 'High CPU Usage'
-Creating alert 2 of 38: 'Low Disk Space Windows - Critical'
-Creating alert 3 of 38: 'Low Memory'
-Creating alert 4 of 38: 'NTFS - File System Corrupt'
-Creating alert 5 of 38: 'Unexpected shutdown'
-Creating alert 6 of 38: 'SQL - Cannot recover the master database'
-Creating alert 7 of 38: 'SQL - Could not find filegroup in sys.filegroups'
-Creating alert 8 of 38: 'SQL - Could not mark database as suspect'
-Creating alert 9 of 38: 'SQL - Could not recover database because of unresolved transaction outcomes'
-Creating alert 10 of 38: 'SQL - Database cannot be opened due to inaccessible files or insufficient memory or disk space'
-Creating alert 11 of 38: 'SQL - Failed to allocate memory for common language runtime (CLR) functionality'
-Creating alert 12 of 38: 'SQL - An error occurred during database recovery'
-Creating alert 13 of 38: 'SQL - The maximum number of user connections has already been reached'
-Creating alert 14 of 38: 'SQL - The server is too busy to perform the backup or restore operation'
-Creating alert 15 of 38: 'SQL - Could not do cleanup for the killed process'
-Creating alert 16 of 38: 'SQL - Could not find FOREIGN KEY constraints for table, although the table is flagged as having them'
-Creating alert 17 of 38: 'SQL - Could not write a CHECKPOINT record in database because the log is out of space'
-Creating alert 18 of 38: 'SQL - Database capacity threshold exceeded'
-Creating alert 19 of 38: 'SQL - Enlist of MSDTC transaction failed'
-Creating alert 20 of 38: 'SQL - Log Capacity threshold exceeded'
-Creating alert 21 of 38: 'SQL - Microsoft SQLServer 2014 Monitoring Event 17063 DatabaseConsistencyErrors'
-Creating alert 22 of 38: 'SQL - Microsoft SQLServer 2014 Monitoring Event 17063 SQLOpsJobExecutionfailures'
-Creating alert 23 of 38: 'SQL - Microsoft SQLServer 2014 Monitoring Override Custom Error 60200'
-Creating alert 24 of 38: 'SQL - Microsoft SQLServer 2014 Monitoring Override Event14151 ExpiredSubscription'
-Creating alert 25 of 38: 'SQL - SQLServerAgent could not be started'
-Creating alert 26 of 38: 'SQL - The log for database is not available'
-Creating alert 27 of 38: 'SQL - Transactional replication latency threshold exceeded'
C:\Gourav\Git\Alert_OMS_2\manageability-toolkits\Alert Toolkit\New-CoreAlerts.ps1 : Failed to create alert rule with exception:
Exception type: Exception, Message: System.Exception: Error occurred while creating Log Alert rule ---> System.AggregateException:
One or more errors occurred. ---> Microsoft.Azure.Management.Monitor.Models.ErrorResponseException: Operation returned an invalid
status code 'BadRequest'
at Microsoft.Azure.Management.Monitor.ScheduledQueryRulesOperations.d__5.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.Azure.Commands.Insights.ScheduledQueryRules.NewScheduledQueryRuleCommand.ProcessRecordInternal()
--- End of inner exception stack trace ---
at Microsoft.Azure.Commands.Insights.ScheduledQueryRules.NewScheduledQueryRuleCommand.ProcessRecordInternal()
at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet(), Code: Null, Status code:Null, Reason phrase: Null
At line:1 char:1
+ .\New-CoreAlerts.ps1
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-CoreAlerts.ps1`
    
