question

ChuaLiangWei-4173 asked ·

Windows 2003 agent - SCOM 2012R2 - Failed to access Event Log (Warning Message)

How can we fix this issue? The agent is configured using Local System. We tried to flush the agent, but it did not recalculate.

The log path does not exist.


The Windows Event Log Provider was unable to open the Microsoft-Windows-TaskScheduler/Operational event log on computer '<hostname>' for reading. The provider will retry opening the log every 30 seconds. Most recent error details: The system cannot find the file specified. One or more workflows were affected by this.

msc-operations-manager-general

CyrilAzoulay answered ·

From the name of the workflow, it looks like it was created directly in the SCOM console by someone from your company.
You can run the following command to find its display name and which management pack it's stored in:

 Get-SCOMRule -Name MomUIGeneratedRuleafc86050fc76455eab425ce588c73c7e


Thanks a lot, we managed to trace the rule name.

CyrilAzoulay answered ·

That event shows up because you have a management pack that tries to access the Microsoft-Windows-TaskScheduler/Operational event log, and that event log doesn't exist in Windows 2003.
So you need to find what rules/monitors are trying to access the event log (should be written somewhere in the error events) and disable them for the Windows 2003 servers.

ChuaLiangWei-4173 answered ·

Should the Microsoft-Windows-TaskScheduler/Operational event log exist by default?


Only starting with Windows 2008 and the "new" event log format, not in Windows 2003.

ChuaLiangWei-4173 answered ·

It seems unwise to disable the monitoring, as it is part of the core monitoring MP, or we can't disable it for a specific log path either. Can't we remove the monitoring by flushing/deleting the "health service state" folder on the Windows 2003 servers?

Can we only recreate the path manually on the Windows 2003 servers to get rid of the warning message?

CyrilAzoulay answered ·

As far as I know, the only "public" MPs that are trying to access that event log are Raphael Burri's "Scheduled Tasks" MP ( https://rburri.wordpress.com/2014/08/12/scheduled-task-and-ps-scheduled-job-management-pack-1-2-0-500/ ) and Nathan Gau's "Security" MP ( https://nathangau.wordpress.com/2019/05/10/security-monitoring-1-6-management-pack-is-up/ ).
These MPs are not a "core monitoring MP", and they have not been authored with Windows 2003 in mind, since it has been unsupported for a while now.

However, the alert you are seeing does indeed come from a core MP: this single generic rule allows SCOM to alert you if any other rule or monitor from any MP tries to access an event log that is not available.

So what you need to do is override (disable), for the Windows Server 2003 group, whatever discovery/rule/monitor from these MPs is trying to read the Microsoft-Windows-TaskScheduler/Operational event log, not the rule which triggers the alert. After that, you won't see the alert showing up anymore.

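The two steps from the answers above (look up the rule by its workflow name, then disable it for the Windows Server 2003 group rather than touching the generic alerting rule), as an added PowerShell example that is not part of the original thread. The group display name and the overrides management pack name are placeholders to replace with your own.

```powershell
# Added example, not from the thread. Run where the OperationsManager module is installed.
Import-Module OperationsManager

# Workflow name taken from the alert text quoted on this page.
$workflowName = 'MomUIGeneratedRuleafc86050fc76455eab425ce588c73c7e'

# Placeholders (assumptions): replace with your own group and overrides MP.
$groupDisplayName = 'Windows Server 2003 Computers'
$overridesMpName  = 'Example.Windows2003.Overrides'

$rule = Get-SCOMRule -Name $workflowName
if (-not $rule) { throw "Rule '$workflowName' was not found in this management group." }

# Step 1: show the display name and the management pack that stores the rule.
$sourceMp = $rule.GetManagementPack()
[pscustomobject]@{
    Name           = $rule.Name
    DisplayName    = $rule.DisplayName
    ManagementPack = $sourceMp.Name
    Sealed         = $sourceMp.Sealed
    Enabled        = $rule.Enabled
} | Format-List

# A console-created rule normally lives in an unsealed MP. Unsealed MPs cannot be
# referenced from another MP, so its override has to be saved in that same MP.
# For a rule from a sealed MP, use a dedicated unsealed overrides MP instead.
if ($sourceMp.Sealed) {
    $targetMp = Get-SCOMManagementPack -Name $overridesMpName
    if (-not $targetMp) { throw "Overrides MP '$overridesMpName' was not found." }
    if ($targetMp.Sealed) { throw "Overrides MP '$overridesMpName' is sealed." }
} else {
    $targetMp = $sourceMp
}

$group = Get-SCOMGroup -DisplayName $groupDisplayName
if (-not $group) { throw "Group '$groupDisplayName' was not found." }

# Step 2: disable the rule for the group only. -WhatIf previews the change;
# remove it to write the override.
Disable-SCOMRule -Rule $rule -Group $group -ManagementPack $targetMp -Enforce -WhatIf
```

Scoping the override to the group keeps the rule running on newer servers where the log exists, and leaves the core "failed to access event log" alert active for any other workflow.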

ChuaLiangWei-4173 answered ·

Based on the detailed error message, is it possible to verify which MP the error comes from?

The Windows Event Log Provider was unable to open the Microsoft-Windows-TaskScheduler/Operational event log on computer '<hostname>' for reading. The provider will retry opening the log every 30 seconds. Most recent error details: The system cannot find the file specified. One or more workflows were affected by this. Workflow name: MomUIGeneratedRuleafc86050fc76455eab425ce588c73c7e Instance name: <hostname> Instance ID: {A13CAC3C-A6EC-3BF5-CA2B-5AB24F8799B0} Management group: <management group>

The Windows Event Log Provider is still unable to open the Microsoft-Windows-TaskScheduler/Operational event log on computer '<hostname>'. The Provider has been unable to open the Microsoft-Windows-TaskScheduler/Operational event log for 720 seconds. Most recent error details: Access is denied. One or more workflows were affected by this. Workflow name: MomUIGeneratedRuleafc86050fc76455eab425ce588c73c7e Instance name: <hostname> Instance ID: {25B4AC38-00F1-6B4D-BDF0-0A08E167A048} Management group: <management group>
