So, one of the most basic things one might want to do with SCOM when monitoring UNIX/Linux systems would be to observe the syslog for certain kinds of entries, alerting administrators through rules and notifications when they occur. Doing this is easy enough with SCOM 2012 and the Management Pack for UNIX and Linux Operating Systems.
But, what if you want to do something a little more complex? What if you need to, for example, send alerts regarding all instances of log entries save for those which contain certain expressions? Perhaps you want to be alerted any time anyone logs into a machine, but you don’t want to know if the login comes from a particular IP address. In order to do that, you need to makes use of the System.ExpressionFilter class.
Here are some examples of persons implementing the class in their Management Pack XML files to allow matches to rules through only on the condition that some additional criteria (such as not containing a particular set of error codes) are met.
It took a while to figure that out, since the implementation of the System.ExpressionFilter class through the ConditionDetection XML stanza is not something accomplishable through the GUI.
SCOM 2012 is…not as intuitive as one would hope it to be. I haven’t really given it enough study time, and I hate to ignorantly remark about software’s “unintuitive” nature, but that’s where I am with my relationship to SCOM 2012 at the moment.