Failed Accessing Windows Event Log on Management Server – Warning State, Event ID: 26004

Recently new 2012 DHCP was deployed in our environment. After a while one of management servers went into warning state.

Unit monitor “Failed Accessing Windows Event Log” was in Warning state on one of management Servers

On same management server there were errors with Event ID 26004 from Health Service Modules.

Event looked something like this:

Log Name: Operations Manager; Source: Health Service Modules; Event ID: 26004; Level: Error

 The Windows Event Log Provider is still unable to open the DhcpAdminEvents event log on computer ‘servername1.contoso.local’. The Provider has been unable to open the DhcpAdminEvents event log for 123120 seconds. 

Most recent error details: Access is denied. 

One or more workflows were affected by this. 

Workflow name: Microsoft.Windows.DHCPServer.2012.FailoverServerWatcher.UnitMonitor.LostCommunicationWithfailoverPartnerServerInstance name: servername1.contoso.local servername2.contoso.local

Instance ID: {3B8A4DCA-F1A4-9A7C-C572-AB6FOL79022}

Management group: MGMTGROUPNAME

Then I started digging and found that the target for this monitor is Group. This means it runs on management server under SCOM Action Account. So I have done some debugging, network capture and found out that Management Server was trying to access DHCP server’s event log. Actually above Event is quite explanatory.

OK so what we need to do to solve this. The solution is quite simple.

Add SCOM action account on the server to the “Event Log Readers” Local group. In my case I would add Action account to mentioned group on: servername1 and servername2.

OK but what if this server is Domain Controller? Then you should add it into Domain Built in “Event Log Readers” group. So Action account “refreshes” its Kerberos ticket you should also reboot affected Management Server.

One of the ways how to test if User has rights to read events is to run:

wevtutil qe LogName /r:servername1 /u:contoso\SCOM.ActionAccount

Till next time


This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s