Ruling out SCOM as the cause of SCHANNEL events


Ruling out SCOM notifications as the cause of SCHANNEL events



Still getting SCHANNEL error events and want to rule out SCOM

Management pack SQL events

SCHANNEL ciphers debugged


What command channels are set up for notifications?



Validate Subscriptions aren't the cause for email/text

Exchange 2013 and above typically use S/MIME to digitally sign/encrypt messages


Email communication can cause System 36871 events

Do the events correlate with emailed alerts?
Tracing Notifications


SCOM ETL traces

Run traces on suspect MS

2012R2 MS (adjust the drive letter to match the drive where SCOM is installed)
cd "D:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\Tools"
2012R2 GW (adjust the drive letter to match the drive where SCOM is installed)
cd "C:\Program Files\System Center Operations Manager\Gateway\Tools"
2016 MS
cd 'C:\Program Files\Microsoft System Center 2016\Operations Manager\Server\Tools\'

# Stop Tracing
# Clean up old files
remove-item C:\windows\Logs\OpsMgrTrace\*

# Start Traces

# The .\ prefix is required when running from a PowerShell prompt in the Tools folder
.\StartTracing.cmd VER

.\TraceLogSM.exe -stop TracingGuidsNative

.\TraceLogSM.exe -stop TracingGuidsUI

# Wait until the notification fires, then check whether SCHANNEL event ID 36871 is logged

# Stop and format the trace

# Review txt files from C:\windows\Logs\OpsMgrTrace
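
One way to answer "Do the events correlate with emailed alerts?" and to check for 36871 after a notification fires, as an added example that is not part of the original post. The function names, the 30-second window and the sample timestamps are assumptions made for illustration; the notification send times would come from the received emails or texts.

```powershell
# Added example: function names and the 30-second window are assumptions.
function Get-Schannel36871 {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    # Schannel writes 36871 to the System log; "no events found" is not treated as an error.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Schannel'; Id = 36871; StartTime = $Since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Find-SchannelCorrelation {
    param(
        [Parameter(Mandatory)] [datetime[]] $NotificationTimes,
        [object[]] $Events = @(),          # objects with a TimeCreated property
        [int] $WindowSeconds = 30
    )
    foreach ($sent in $NotificationTimes) {
        # Events logged within +/- WindowSeconds of the notification send time
        $near = @($Events | Where-Object {
            $_ -and [math]::Abs(($_.TimeCreated - $sent).TotalSeconds) -le $WindowSeconds
        })
        [pscustomobject]@{
            NotificationSent = $sent
            EventsInWindow   = $near.Count
            EventTimes       = ($near | ForEach-Object { $_.TimeCreated.ToString('HH:mm:ss') }) -join ', '
        }
    }
}

function Get-UnmatchedSchannelEvent {
    param([datetime[]] $NotificationTimes, [object[]] $Events = @(), [int] $WindowSeconds = 30)
    # Events with no notification nearby point at a cause other than SCOM notifications.
    $Events | Where-Object {
        $e = $_
        $e -and -not ($NotificationTimes | Where-Object {
            [math]::Abs(($e.TimeCreated - $_).TotalSeconds) -le $WindowSeconds })
    }
}

# Constructed sample data (not real log output)
$sampleEvents = '2024-01-15T10:00:04', '2024-01-15T10:15:02', '2024-01-15T11:40:00' |
    ForEach-Object { [pscustomobject]@{ TimeCreated = [datetime]$_; Id = 36871 } }
$sampleSent = [datetime[]]('2024-01-15T10:00:00', '2024-01-15T10:15:00', '2024-01-15T10:30:00')

Find-SchannelCorrelation -NotificationTimes $sampleSent -Events $sampleEvents | Format-Table -AutoSize
Get-UnmatchedSchannelEvent -NotificationTimes $sampleSent -Events $sampleEvents | Format-Table -AutoSize

# Against the live log on the suspect MS:
# Find-SchannelCorrelation -NotificationTimes $sentTimes -Events @(Get-Schannel36871)
```

Notifications that consistently show events in the window implicate the notification channel; events left unmatched need a different explanation.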