Creating an event rule

How you can create an event rule.

About this task

The purpose of the following scenario is to show how to create a new event rule in the context of an example.

The scope of the following draft event rule is to monitor log files named "messages.log*" for error messages written to the log containing the text "ERROR: Authentication did not succeed for user ID dwcadmin. An invalid user ID or password was specified", every 60 seconds on a workstation named "MDM_production". When an event that corresponds to this rule occurs, a new incident is automatically opened in Service Now containing a description of the error.


  1. Create a new event rule and define general information about it:
    1. Go to Create Event Rules section and choose an engine.
    2. In the Explore area, select Create new +.
    3. In General Info, in Name type: SERVICENOW
    4. In General Info, set Save as draft: on
  2. Define the event to be triggered:
    1. Select Add events
    2. Select the Log message written event from the File Monitor category
    3. In Event name type: logMessWritEvt1
    4. In File name type: matches C:\Users\DWC\stdlist\appserver\dwcServer\logs\messages.log*
    5. In Match expression type: matches ERROR: Authentication did not succeed for user ID dwcadmin. An invalid user ID or password was specified
    6. In Sample interval: equal to 60
    7. In Workstation: matches MDM_production
  3. Define the action to be performed when the defined event occurs:
    1. Select Add actions
    2. Select the Open Incident action from the ServiceNow category
    3. In Short Description type: In the %{logMessWritEvt1.FileName} file, the following error has been found: %{logMessWritEvt1.MatchExpression}
    4. Set Priority: 3
    5. In Description type: At %{logMessWritEvt1.TimeStamp} on the %{logMessWritEvt1.Hostname} workstation, the following error %{logMessWritEvt1.MatchExpression} has been found in the %{logMessWritEvt1.FileName} file
    6. Type the ServiceNow URL:
    7. Enter the ServiceNow User: TWS_user
    8. In Assignment Group: L3_Busines_Unit_Team
  4. Select the event rule and click Save.


You have now created a draft event rule that monitors the log file, and when a new error string is added, an event is triggered and an action automatically opens an incident in Service Now. The ticket contains the error message, the name of the log file in which the error is written, and the name of the workstation on which the log file is located. Furthermore, the ticket is assigned to the specified user of the specified group.

What to do next

To activate the rule, you need to deploy it in the scheduling environment by switching the draft toggle off, and save again.

Go to Manage Event Rule to verify that the event rule is active.