So we have SCOM scours through our Domain Controllers in event logs in Agentless mode to look for security event IDs such as account lockout, deletion, creation, etc. Recently, we ran into an issue where SCOM was throwing caution alerts in the monitor view of SCOM with the following description:

Parameter replacement during creation of the alert failed.

Alert: 73A482E1-631D-C63A-1D17-D563646BBD9B

Workflow: MomUIGeneratedRule800972be4c264006b51ebab11dface54

Instance: domaincontroller.domain.com

Instance ID: {7A857146-7E01-F125-C938-21D9B1F75114}

Management Group: MGMTGroup1

Failing replacement: $Data/Params/Param[8]$

After some poking around I decided that the only thing worth looking at is the Alert ID and the Workflow ID. After a googling for a bit I found this command:

Get-Rule -Criteria

The command is a powershell command and must be run in the SCOM Command shell. So I launched command shell and ran the following:

Open MOM command shell
Get-Rule -Criteria "Name like 'MomUIGeneratedRule800972be4c264006b51ebab11dface54'"

After running the command I got the following output:


ManagementGroup        : MGMGroup1
ManagementGroupId     : 67724fad-b5c1-688c-4a47-bca4cea00dbc
HasNonCategoryOverride : False
Enabled                : false
Target                 : ManagementPackElementUniqueIdentifier=eb0749d9-2030-3ab3
                         -1219-971f775f86df
ConfirmDelivery        : True
Remotable              : True
Priority               : Normal
DiscardLevel           : 100
Category               : Custom
ConditionDetection     :
DataSourceCollection   : {DS}
WriteActionCollection  : {Alert}
XmlTag                 : Rule
Name                   : MomUIGeneratedRule800972be4c264006b51ebab11dface54
Id                     : b23a9e99-5722-a6b9-fb8d-976048e06e9f
DisplayName            :  Windows is starting up W2K8
Description            :
LanguageCode           : ENU
Comment                :
Status                 : Unchanged
LastModified           : 11/20/2008 7:48:27 PM
TimeAdded              : 9/4/2008 5:17:45 PM


Baed on the Display Name field of the output I know this is a rule I previously created based on the eventlog for Windows 2008 that tells me when the DC is booting up and send an alerts via email. I then looked at the last line of the caution and found:
Failing replacement: $Data/Params/Param[8]$

This is because I had set the alert rule as follow:
$Data/Params/Param[1]$

   $Data/Params/Param[2]$

   $Data/Params/Param[3]$

   $Data/Params/Param[4]$

   $Data/Params/Param[5]$

   $Data/Params/Param[6]$

   $Data/Params/Param[7]$

   $Data/Params/Param[8]$

Where Param[8]$ is not a valid object. I removed the parameter and the issue is resolved