I wanted to monitor whether the group membership of Domain Admins changes. So I created a rule that checks the Windows Security Eventlog for Event ID 5136 and Parameter 9 containing Domain Admins.
I disabled this rule and made an override to activate it for my Domain Controller Group (containing 3 Domain Controllers Windows Server 2008). These Domain Controllers are in an untrusted site, connected via a SCOM Gateway Server.
Soon after I made the override I got this error on the SCOM Console: Processing Backlogged Events Taking a Long Time.
“The Windows Event Log Provider monitoring the Security Event Log is 2782 minutes behind in processing
events. This can occur when the provider is restarted after being offline for some time, or there
are too many events to be handled by the workflow.”
I checked the Security Eventlog on the Domain Controller (Server 2008); there are a lot! Too many maybe for SCOM?
-Does anyone have experience with monitoring Security Eventlogs on Server 2008? (I haven't had these problems with Server 2003)
-Maybe this is a problem because it's a remote site with a Gateway?
Thank you very much for any inputs :-)
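The matching logic the post describes (Event ID 5136 with the object DN, which SCOM exposes as Parameter 9, naming the Domain Admins group) as an added, stand-alone example; this is not code from the original post or from SCOM. It parses Windows Event Log XML records and additionally requires the modified attribute to be `member`, so that unrelated changes to the group object (for example its description) do not raise a finding. The `OperationType` rendering strings `%%14674` (value added) and `%%14675` (value deleted) are the values Windows writes for this event; the event records, user names, DNs and domain name below are constructed sample data.

```python
"""Filter Windows Security event 5136 records for Domain Admins membership changes."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# OperationType placeholders as written into event 5136 by Windows.
OPERATION_TYPES = {"%%14674": "value added", "%%14675": "value deleted"}

# The object DN ("Parameter 9" in SCOM terms) must name the group being watched.
GROUP_DN_FRAGMENT = "CN=Domain Admins,"


def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def classify(xml_text):
    """Return a finding dict for a Domain Admins membership change, else None.

    Mirrors the SCOM rule (Event ID 5136, ObjectDN contains the group) and adds
    the check that the changed attribute is 'member', which the plain rule lacks.
    """
    event_id, data = parse_event(xml_text)
    if event_id != 5136:
        return None
    if GROUP_DN_FRAGMENT not in data.get("ObjectDN", ""):
        return None
    if data.get("AttributeLDAPDisplayName") != "member":
        return None
    return {
        "operation": OPERATION_TYPES.get(data.get("OperationType"), "unknown"),
        "member": data.get("AttributeValue"),
        "actor": data.get("SubjectUserName"),
        "dc": data.get("DSName"),
    }


def scan(events):
    """Run classify() over a list of event XML strings and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


def _event(event_id, **fields):
    """Build a constructed event record in the Windows Event Log XML shape."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample data: two real membership changes, two 5136 events that must
# not match (description change; other group) and one unrelated event ID.
SAMPLE_EVENTS = [
    _event(5136, SubjectUserName="jdoe", DSName="example.test",
           ObjectDN="CN=Domain Admins,CN=Users,DC=example,DC=test", ObjectClass="group",
           AttributeLDAPDisplayName="member",
           AttributeValue="CN=Jane Doe,OU=Staff,DC=example,DC=test", OperationType="%%14674"),
    _event(5136, SubjectUserName="jdoe", DSName="example.test",
           ObjectDN="CN=Domain Admins,CN=Users,DC=example,DC=test", ObjectClass="group",
           AttributeLDAPDisplayName="member",
           AttributeValue="CN=Old Admin,OU=Staff,DC=example,DC=test", OperationType="%%14675"),
    _event(5136, SubjectUserName="jdoe", DSName="example.test",
           ObjectDN="CN=Domain Admins,CN=Users,DC=example,DC=test", ObjectClass="group",
           AttributeLDAPDisplayName="description",
           AttributeValue="Designated administrators", OperationType="%%14674"),
    _event(5136, SubjectUserName="jdoe", DSName="example.test",
           ObjectDN="CN=Helpdesk,OU=Groups,DC=example,DC=test", ObjectClass="group",
           AttributeLDAPDisplayName="member",
           AttributeValue="CN=Jane Doe,OU=Staff,DC=example,DC=test", OperationType="%%14674"),
    _event(4662, SubjectUserName="jdoe", ObjectName="CN=Domain Admins,CN=Users,DC=example,DC=test"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the module prints the two membership changes (one added, one removed member) and nothing for the description change, the other group or the 4662 event. The same three conditions can be expressed in the SCOM rule's expression filter on the event parameters; the attribute check is what keeps the rule from alerting on every write to the group object.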