ReSearch This KB – Operations Manager Failed to Access the Windows Event Log

Alert: Operations Manager Failed to Access the Windows Event Log

Management Pack Name:  System Center Core Monitoring

Management Pack Version: 7.0.9538.0

Rule or Monitor: Monitor

Rule or Monitor Name: Failed Accessing Windows Event Log

Rule or Monitor Notes: This monitor alerts when a rule or monitor attempts to read from an event log which does not exist on a system.

Issue: These issues occur most often when a rule or monitor is not targeted correctly. In this case, there was a targeting issue where Hyper-V 2012 systems were getting rules designed for Hyper-V 2008. The details on the alert included the following text.

The Windows Event Log Provider is still unable to open the Microsoft-Windows-Hyper-V-Network-Admin event log on computer ‘xyz’.
The Provider has been unable to open the Microsoft-Windows-Hyper-V-Network-Admin event log for 720 seconds.

Kevin summarized the situation well as “The end result is that you will constantly have your Hyper-V 2012 agents showing up with a warning state in the SCOM console.”

Resolution: Kevin Greene blogged on this issue at: http://kevingreeneitblog.blogspot.com/2013/02/scom-opsmgr-hyper-v-2008-mp-issue.html which we took under advisement. We created a group with each of the 2012 servers that were having the issue, and then we disabled each of the monitors which were causing the problem in our environment. We searched the XML for each of the management packs on the management server and found the following references to this event log:

The following monitors use this event log:

Microsoft.Windows.HyperV.2008.VirtualNetwork.PortConnectionMonitor

Microsoft.Windows.HyperV.2008.VirtualNetwork.PortDisconnectionMonitor

Microsoft.Windows.HyperV.2008.VirtualNetworkAdapter.InvalidDynamicAddressMonitor

Microsoft.Windows.HyperV.2008.VirtualNetworkAdapter.InvalidStaticAddressMonitor

Microsoft.Windows.HyperV.2008.VirtualNetworkAdapter.MacAddressAvailabilityMonitor

These are all part of the Microsoft.Windows.HyperV.2008.Monitoring management pack.
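The XML search described above can be scripted. This is an added example, not code from the original post or from Kevin's blog: `Find-EventLogReference` is a hypothetical helper name, the sample XML and its IDs are constructed, and it assumes PowerShell 3.0 or later and management packs already exported to a folder.

```powershell
# Added example (not from the original post). Find-EventLogReference is a hypothetical helper.
# Real use: export the packs first, for example
#   Get-SCOMManagementPack | Export-SCOMManagementPack -Path C:\Temp\MPExport
function Find-EventLogReference {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,     # folder holding exported MP XML files
        [Parameter(Mandatory=$true)] [string] $LogName   # event log name to search for
    )
    foreach ($file in Get-ChildItem -Path $Path -Filter *.xml) {
        $mp = New-Object System.Xml.XmlDocument
        $mp.Load($file.FullName)
        # local-name() keeps the query working whether or not a default namespace is declared
        $nodes = $mp.SelectNodes("//*[local-name()='UnitMonitor' or local-name()='Rule']")
        foreach ($node in $nodes) {
            # InnerText is the concatenated text of the workflow's configuration elements
            if ($node.InnerText.IndexOf($LogName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    ManagementPack = $file.BaseName
                    Type           = $node.LocalName
                    Id             = $node.GetAttribute('ID')
                    Target         = $node.GetAttribute('Target')
                }
            }
        }
    }
}

# Constructed sample standing in for one exported management pack (IDs are made up).
$dir = Join-Path ([IO.Path]::GetTempPath()) 'mp-export-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<ManagementPack>
  <Monitoring>
    <Monitors>
      <UnitMonitor ID="Sample.PortConnectionMonitor" Target="Sample.VirtualNetwork">
        <Configuration><LogName>Microsoft-Windows-Hyper-V-Network-Admin</LogName></Configuration>
      </UnitMonitor>
      <UnitMonitor ID="Sample.OtherMonitor" Target="Sample.VirtualNetwork">
        <Configuration><LogName>System</LogName></Configuration>
      </UnitMonitor>
    </Monitors>
  </Monitoring>
</ManagementPack>
'@ | Set-Content -Path (Join-Path $dir 'Sample.Monitoring.xml')

Find-EventLogReference -Path $dir -LogName 'Microsoft-Windows-Hyper-V-Network-Admin'
```

The returned IDs and targets are the workflows to review before scoping an override to the affected group.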

Using Kevin’s blog post, we disabled each of these monitors for the group that we created, and then we reset the health state for these monitors (if required) using the following PowerShell variation from Curtiss (thank you for this!):

 

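Import-Module OperationsManager

# Connect to the management group; replace the placeholder with your management server
New-SCOMManagementGroupConnection -ComputerName [insert.your.MS]

# Find every monitor with this display name
$FragMonitors = Get-SCOMMonitor | where {$_.DisplayName -eq 'Failed Accessing Windows Event Log'}

foreach ($FragMonitor in $FragMonitors) {
    # Reset the monitor on each instance of its target class that is not in a healthy state
    Get-SCOMClass -Name $FragMonitor.Target.Identifier.Path |
        Get-SCOMClassInstance | where {$_.HealthState.value__ -gt 1} |
        foreach {$_.ResetMonitoringState($FragMonitor)}
}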

 

A second option, if the above approach does not work, is to just create the event log on the system where the error is occurring. I know it’s better to fix the fact that it’s looking on a system for something that it will never find, but sometimes we just do what we have to do to move forward. Another OpsMgr SME took the above approach and documented the creation of the event logs at: https://www.avianwaves.com/Blog/entryid/186/operations-manager-failed-to-access-the-windows-event-log-after-installing-hyper-v-management-packs.aspx

The PowerShell syntax that we used to create this event log on a system where it was required was:

 

New-EventLog -LogName Microsoft-Windows-Hyper-V-Network-Admin -Source Microsoft-Windows-Hyper-V-Network-Admin
