Hello Folks,
I'm getting the alert "Operations Manager Failed to Access the Windows Event Log" frequently. However, the Event Source which is referred to as Unable is actually not present in the event log. Could you please help?
Regards
SK
Hi @SaiKumarM-5560,
If SCOM is unable to access the event log because the event log/source doesn't exist, then it's a valid alert.
Can you please post the full alert description?
Does this happen on one or many servers?
(If the reply was helpful please don't forget to upvote or accept as answer, thank you)
Best regards,
Leon
It's on multiple servers. Here is the full alert. If there is no such event source, how would SCOM monitor it? That's my concern.
The Windows Event Log Provider is still unable to open the OSIsoft-Search/Admin event log on computer
The Provider has been unable to open the OSIsoft-Search/Admin event log for 720 seconds.
Most recent error details: The specified channel could not be found. Check channel configuration.
But does the event log in question (OSIsoft-Search/Admin) exist on the affected servers? The event log sounds like it belongs to a custom/third-party application, so you probably have custom rules monitoring this event log. Can you verify this?
Yes, the event log is from a third-party application. But the monitor is from the System Center Core Monitoring, which is looking for event IDs 26002, 26004, 25002, 25004 in the unhealthy expression.
Looks like someone created an event rule or monitor on a custom event log and targeted it at Windows Computers, so it runs everywhere even though that custom event log only exists on specific servers.
So now you need to find that monitor or rule, and then you have two options:
- Easy but not optimum: configure the monitor/rule as "disabled" by default, create a group of servers running the "custom app" where the event log exists, and override the monitor/rule to enable it only for that group
- Best option: create a class and an associated discovery for that "custom app" and then target the monitor/rule at that class instead of "Windows Computer"
As mentioned in my above comments, monitor is not third party and is from System Center Core Monitoring. Monitor Target is health service. Monitor Name is "Failed Accessing Windows Event Log" and alert name is "Operations Manager Failed to Access the Windows Event Log".
I know, but my answer is still valid.
Some rule or monitor tries to access an event log that doesn't exist > the agent can't open that event log and generates a generic error > that generic error is picked up by a generic SCOM rule to let you know there is some kind of issue.
But the rule or monitor that tries to access the event log is obviously a custom one, given the name of that event log.
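An added example, not part of the original thread or any poster's code: one way to find the rule or monitor that reads the missing channel and to list which servers actually have it, as input for the group or class described above. It assumes the OperationsManager PowerShell module on a management server; the `$Servers` names are hypothetical placeholders.

```powershell
# Added example; run from the Operations Manager Shell on a management server.
Import-Module OperationsManager

$LogName = 'OSIsoft-Search/Admin'            # channel named in the alert text
$Pattern = [regex]::Escape($LogName)

# 1. Rules whose data source configuration references the channel.
$rules = Get-SCOMRule | Where-Object {
    ($_.DataSourceCollection | ForEach-Object { $_.Configuration }) -match $Pattern
}

# 2. Unit monitors whose configuration references the channel.
$monitors = Get-SCOMMonitor | Where-Object { $_.Configuration -match $Pattern }

# Show each workflow with its target class and owning management pack.
# A target such as Microsoft.Windows.Computer means it runs on every agent.
@($rules) + @($monitors) |
    Select-Object DisplayName, Name, Enabled,
        @{ n = 'Target';         e = { (Get-SCOMClass -Id $_.Target.Id).Name } },
        @{ n = 'ManagementPack'; e = { $_.GetManagementPack().Name } } |
    Format-Table -AutoSize

# 3. Which servers actually have the channel? ($Servers is a hypothetical list.)
$Servers = 'SERVER01', 'SERVER02'
foreach ($s in $Servers) {
    $log = Get-WinEvent -ListLog $LogName -ComputerName $s -ErrorAction SilentlyContinue
    [pscustomobject]@{ Server = $s; ChannelPresent = [bool]$log }
}
```

Servers reporting `ChannelPresent = True` are the candidates for the override group or the discovered class; everywhere else the workflow has nothing to open.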