A few days ago I bumped into an issue.
The Failed Accessing Windows Event Log monitor went into a warning state on particular servers. The event log that could not be accessed was: Microsoft-Windows-AppLocker/EXE and DLL.
Soon I found out that this was happening only on Windows Server 2008 (non-R2) servers. AppLocker functionality was introduced with Windows Server 2008 R2, so on plain 2008 that log channel does not exist at all. It looked like something was not properly targeted.
At first we could say:
“The monitor causing this issue is Failed Accessing Windows Event Log.” But it pleads not guilty, and it is right. It is just a messenger, collecting Event ID 26004 from the Operations Manager log.
So who is to blame? Well, whoever is writing those event log entries, and that is..
In the Microsoft.IntelligencePacks.SecurityScomOverride management pack there is an override for AppLockerEvent, scoped to the group “Microsoft System Center Advisor Monitoring Server Group”, which enables the Collect AppLocker Events rule.
The actual rule is in the Microsoft.IntelligencePacks.SecurityEvent MP and it targets the Windows Computer class.
Rule, what are you saying? A rule cannot change the state of a computer.
Well, this rule only collects events from the AppLocker log, and it does so with the Microsoft.Windows.EventProvider data source. That “Event Log Provider” writes an Error event with ID 26004 to the Operations Manager log whenever it cannot open the event log it is pointed at. The “Failed Accessing Windows Event Log” monitor in turn collects 26004 events from the Operations Manager log. So a collection rule aimed at a log that does not exist on 2008 is why we get a computer state change.
So, to cut the long story short: go to the Authoring view => change the scope to Windows Computer and look for Collect AppLocker Events => Overrides => Override the Rule => For a specific object of class: Windows Computer => select the computer => tick the Override checkbox for the Enabled parameter, set it to False, and save it into the desired (unsealed) management pack.
Because the order of precedence for overrides is:
- class overrides are applied first,
- overrides that apply to a group second,
- overrides that apply to a specific object are applied last,
our per-computer override wins over the group override that enables the rule, and we do not need to tick the Enforced checkbox.
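The same procedure done from the Operations Manager shell, as an added example that is not part of the original post: it first confirms on each candidate server that the AppLocker log channel really is missing (the exact condition that makes the Event Log Provider write 26004), then creates one per-object override of the Enabled property for the Collect AppLocker Events rule, stored in an unsealed MP, with Enforced left at its default of false. The management server name, server names and the override MP display name are placeholders you must replace.

```powershell
# Added example, not from the original post. Placeholders: management server,
# target server names and the display name of the unsealed override MP.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.contoso.local'

# Computers that raised 26004 for the AppLocker log (placeholder list)
$targets = @('srv2008-01.contoso.local', 'srv2008-02.contoso.local')

# 1. Sanity check: does the log channel exist on the target at all?
#    2008 R2 and later return the log; plain 2008 throws, which is what
#    the Event Log Provider turns into event 26004.
foreach ($t in $targets) {
    try {
        Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/EXE and DLL' -ComputerName $t -ErrorAction Stop | Out-Null
        Write-Warning "$t has the AppLocker log; it does not need this override"
    } catch {
        Write-Host "$t has no AppLocker log; override is appropriate"
    }
}

# 2. Locate the rule, its target class and the unsealed MP to store overrides in
$rules = @(Get-SCOMRule -DisplayName 'Collect AppLocker Events')
if ($rules.Count -ne 1) { throw "Expected exactly one rule, found $($rules.Count)" }
$rule  = $rules[0]
$class = Get-SCOMClass -Name 'Microsoft.Windows.Computer'
$mp    = Get-SCOMManagementPack -DisplayName 'Custom Overrides - Security Audit'   # placeholder
if (-not $mp)   { throw 'Override MP not found' }
if ($mp.Sealed) { throw 'Override MP must be unsealed' }

# 3. One object-level override per computer. Property Enabled = false is what the
#    console's Override checkbox on Enabled does. Enforced stays $false because an
#    override for a specific object is applied after the group override anyway.
foreach ($t in $targets) {
    $inst = Get-SCOMClassInstance -Class $class | Where-Object { $_.DisplayName -eq $t }
    if (-not $inst) { Write-Warning "$t not found as a Windows Computer instance"; continue }

    $name = 'Disable.CollectAppLockerEvents.' + [guid]::NewGuid().ToString('N')
    $ov = New-Object Microsoft.EnterpriseManagement.Configuration.ManagementPackRulePropertyOverride($mp, $name)
    $ov.Rule            = $rule
    $ov.Property        = [Microsoft.EnterpriseManagement.Configuration.ManagementPackWorkflowProperty]::Enabled
    $ov.Value           = 'false'
    $ov.Context         = $class       # class the rule targets (Windows Computer)
    $ov.ContextInstance = $inst.Id     # restricts the override to this one object
    $ov.DisplayName     = "Disable Collect AppLocker Events on $t"
}

$mp.Verify()
$mp.AcceptChanges()

# 4. Show what was written, including the Enforced flag we deliberately left at False
Get-SCOMOverride -ManagementPack $mp | Select-Object DisplayName, Property, Value, Enforced
```

The remote Get-WinEvent check needs the Remote Event Log Management firewall rules open on the target; if that is not an option, skip step 1 and rely on the 26004 events already in the Operations Manager log to pick the computers. After AcceptChanges the agents pick up the new configuration on their next config refresh, and the 26004 entries for that log should stop.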
It seems like this rule is coming from System Center Advisor, oh sorry, Azure Operational Insights, no, I mean the Microsoft Operations Management Suite Security and Audit solution 🙂
C U Soon