SCOM Monitor – Failed Accessing Windows Event Log => Microsoft-Windows-AppLocker/EXE and DLL

Hi All,

A few days ago I bumped into an issue.

The Failed Accessing Windows Event Log monitor went into a warning state on particular servers. The event log that could not be accessed was: Microsoft-Windows-AppLocker/EXE and DLL

Soon I found out that this was happening only on Windows Server 2008 machines. AppLocker functionality was introduced with 2008 R2, so it seemed like something was not properly targeted.

At first we could say:

“The monitor causing this issue is Failed Accessing Windows Event Log.” But he pleads not guilty. And he is right. He is just a messenger, collecting events with ID 26004 from the Operations Manager log.

So who is to blame? Well, the one that is causing these event log entries, and that is..

In the Microsoft.IntelligencePacks.SecurityScomOverride management pack there is an override for AppLockerEvent, scoped to the group “Microsoft System Center Advisor Monitoring Server Group”, that enables Collect AppLocker Events.

The actual rule is in the Microsoft.IntelligencePacks.SecurityEvent MP, and it targets the Windows Computer class.

A rule? What are you saying, a rule cannot change the state of a computer.

Well, this rule only collects events from the AppLocker log, and it uses Microsoft.Windows.EventProvider. The “Event Log Provider” writes an error event with ID 26004 to the Operations Manager log if it cannot access the targeted event log. The “Failed Accessing Windows Event Log” monitor collects 26004 events from the Operations Manager log. So this is why we get the computer state change.

So, to cut a long story short: go to the Authoring view => change scope to Windows Computer and look for Collect AppLocker Events => Override for a specific object of a class: Windows Computer => select the computer => select the Override checkbox and save it into the desired management pack.

[Screenshots: CollectAppLockerEvents, OverrideAppLocker]

Because the order of precedence for overrides is:

  1. Class overrides are applied first,
  2. Overrides that apply to a group second,
  3. Overrides that apply to a specific object are applied last.

we do not need to use the Enforced checkbox: the object-level override is applied after the group-level override that enables the rule, so it wins without being enforced.
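The same fix, scripted. This is an added example, not code from the post or from Microsoft: part 1 confirms the symptom on a suspect agent, part 2 creates the object-level disable override for a list of computers without -Enforce. The management server name, the unsealed override MP name and the affected server names are placeholders / constructed values.

```powershell
# Added example (not from the original post). Part 1 runs on an agent,
# part 2 on a management server with the OperationsManager module installed.

# Part 1: Windows Server 2008 (non-R2) has no AppLocker log, so the event log
# provider writes event 26004 to the Operations Manager log. Check both.
function Test-AppLockerLogSymptom {
    $logName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    $present = [bool](Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue)
    $last26004 = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 26004 } -MaxEvents 5 -ErrorAction SilentlyContinue
    $msg = if ($last26004) { @($last26004)[0].Message } else { $null }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        AppLockerLogExists = $present
        Recent26004        = @($last26004).Count
        LastMessage        = $msg
    }
}

# Part 2: disable "Collect AppLocker Events" only for the affected computers.
# No -Enforce: an object-level override is applied after the group-level
# enable override from the Security MP, so it already takes precedence.
function Disable-AppLockerCollection {
    param(
        [string[]] $ComputerName,                            # constructed list of affected agents
        [string]   $ManagementServer = 'scom-ms01',          # placeholder
        [string]   $OverrideMpName   = 'Custom Overrides MP' # placeholder, must be unsealed
    )
    Import-Module OperationsManager
    New-SCOMManagementGroupConnection -ComputerName $ManagementServer

    # Pick the rule from the Security MP named in the post, in case the display name is reused.
    $rule = Get-SCOMRule -DisplayName 'Collect AppLocker Events' |
        Where-Object { $_.GetManagementPack().Name -eq 'Microsoft.IntelligencePacks.SecurityEvent' }
    $mp = Get-SCOMManagementPack -DisplayName $OverrideMpName
    if (-not $rule -or -not $mp -or $mp.Sealed) { throw 'Rule or unsealed override MP not found.' }

    $computerClass = Get-SCOMClass -Name 'Microsoft.Windows.Computer'
    $targets = Get-SCOMClassInstance -Class $computerClass |
        Where-Object { $ComputerName -contains $_.DisplayName }

    foreach ($t in $targets) {
        Disable-SCOMRule -Rule $rule -Instance $t -ManagementPack $mp
    }
    # Show what was written: one override per computer, Enforced should be False.
    Get-SCOMOverride -Rule $rule | Format-List
}

# Example call with constructed names:
# Disable-AppLockerCollection -ComputerName 'srv2008-01.contoso.local','srv2008-02.contoso.local'
```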

It seems like this rule comes from System Center Advisor, oh sorry, Azure Operational Insights, no, I mean the Microsoft Operations Management Suite Security and Audit Solution 🙂

C U Soon

Jure

This entry was posted in Management Pack, Operations Manager, Troubleshooting.
