Event 262 - Red Hat 7.2

  • Question

  • A new issue has occurred that has both my Linux guy and me puzzled.
    EventID 262
    Source: Cross Platform Modules
    SCOM server is part of Resource Pool, with verified accounts associated, had been successfully working prior to July 14, 2019. SCOM version 10.19.10050.0 with Red Hat 7 MP 10.19.1008.0

    The alerts are as follows:
    Error scanning logfile <Path>/server.log on host <RH Server> as user <SCXUser><UserId>xxxxx</UserId><Elev>sudo</Elev></SCXUser>; An internal error occurred.

    Error scanning logfile <Path>/server.log on host <RH Server> as user <SCXUser><UserId>xxxxx</UserId><Elev>sudo</Elev></SCXUser>; The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

    Error scanning logfile /var/log/secure on host <RH Server> as user <SCXUser><UserId>xxxxx</UserId><Elev>sudo</Elev></SCXUser>; The I/O operation has been aborted because of either a thread exit or an application request.

    Some of the troubleshooting that we have performed:
    Emulated accounts and successfully opened each log file.
    Verified the sizes of the log files
    Tested Connectivity: winrm enumerate http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem?__cimnamespace=root/scx -username:xxxxx -remote:https://<FQDN>:1270/wsman -auth:basic -skipCACheck -encoding:utf-8 -format:#pretty
    Migrated Linux Agent to older SCOM 7.2.11719.0 and Red Hat MP 7.6.1089: Same Error Messages

    Any thoughts?

    Monday, July 29, 2019 2:05 PM

Answers

  • Update:
    After deep diving all of the Custom MP Rules that are known to interact with the servers; and the Linux Engineer reviewing the actual log files we found the source of the issue.

    An application developer had turned on debug logging level for the application, resulting in strings of non-standard characters being included in the logs. As soon as the developer turned off the debug, the strings stopped appearing in the logs; and the event 262 Cross Platform Modules appear to have decreased in frequency.

    Another reason for me to try and get the Fluentd log monitoring working in SCOM 2019.
    Has anyone successfully set this up?

    • Marked as answer by GordonO Tuesday, August 6, 2019 1:26 PM
    Tuesday, August 6, 2019 1:25 PM
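
    An added example, not part of the original thread: a small Python scanner that lists the lines of a monitored log file containing bytes a log reader may choke on. It assumes "non-standard characters" means bytes that are not valid UTF-8, or control characters other than tab; the sample data and function names are constructed for illustration.

```python
import sys
import unicodedata

# Constructed sample: three clean lines, one with invalid UTF-8 bytes,
# one with embedded control characters (NUL and ESC).
SAMPLE = (
    b"2019-07-29 14:00:01 INFO  Server started\n"
    b"2019-07-29 14:00:02 DEBUG payload=\xff\xfe\x9c\x81\n"
    b"2019-07-29 14:00:03 INFO  caf\xc3\xa9 order accepted\n"
    b"2019-07-29 14:00:04 DEBUG buf=\x00\x1b[0mdone\n"
    b"2019-07-29 14:00:05 WARN  retrying\tattempt=2\n"
)

def classify_line(raw: bytes):
    """Return None for a clean line, else a short reason string."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return f"invalid UTF-8 at byte {exc.start} (0x{raw[exc.start]:02x})"
    for col, ch in enumerate(text):
        # Category Cc = control characters; tab is normal in logs.
        if unicodedata.category(ch) == "Cc" and ch != "\t":
            return f"control character U+{ord(ch):04X} at column {col}"
    return None

def find_nonstandard_lines(data: bytes):
    """Return [(line_number, reason)] for every suspicious line in data."""
    findings = []
    for number, raw in enumerate(data.splitlines(), start=1):
        reason = classify_line(raw)
        if reason is not None:
            findings.append((number, reason))
    return findings

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = SAMPLE
    for number, reason in find_nonstandard_lines(data):
        print(f"line {number}: {reason}")
```

    Comparing the timestamps of the flagged lines with the times of the Event 262 entries shows whether the scan errors line up with the debug output.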

All replies

  • Some additional information:
    SCOM Linux Agent Versions: 1.6.0-163 & 1.6.3-793
    The following patches did get applied, but a review of them does not indicate any possible interaction with the Agent process:
    [RHSA-2019:1294-01] Important: bind security update
    [RHSA-2019:1265-01] Critical: firefox security update
    [RHSA-2019:1178-01] Important: qemu-kvm security update
    [RHSA-2019:1168-01] Important: kernel security update
    [RHSA-2019:1228-01] Important: wget security update

    We are not seeing any errors from Red Hat 7.6 and Red Hat 6.x servers.

    Monday, July 29, 2019 2:25 PM
  • Hi,

    WSMan utilizes tcp port 1270 for the communication. Please check (in the Linux side) if port 1270 is listening and allowed in the firewall, as well as any external firewall between the Linux server and the management server, if there is any.

    Have we made any changes in the firewall settings on July 14, 2019?




    Hope the above information helps.

    Regards,

    Alex Zhu
    Tuesday, July 30, 2019 1:17 AM
  • Thanks Alex,

    Servers are on the same subnet with no physical / logical firewall between; I have verified with the Linux Admin that the port and process are running and can even see the connection on the SCOM server.

    The confusing part is how it is intermittent. In this current example I am focusing on the 4 log files that are currently being monitored, with checks occurring every 5 minutes. Below is a screenshot from the Operations Manager event log. These 4 entries are for the same RH7.2 server, with two of the entries for the same log and the other two entries for two different logs.
    There are other 262 events for other RH 7.2 servers as well, but I have yet to find a single entry for any RH 6.x, RH7.5+, and CentOS7.0 servers.

    

    There are no other Warning/Error events on the SCOM server indicating any delay in communications; or actions.
    Because these specific RH servers are in a managed hosted site, the ability to change to a new version of RH is not available; and we have engaged with their support team to investigate any core changes on their side.

    I have begun investigating using Fluentd for alternate log monitoring for SCOM, and while I understand the configuration file, I have yet to get the Operations Manager OMED event log to show up after enabling the service via the console. Any additional information, other than this URL, would be helpful, as this does not provide any information on how to verify the Management Server is actually listening for agent events.

    https://docs.microsoft.com/en-us/system-center/scom/manage-linux-logfiles?view=sc-om-2019

    Tuesday, July 30, 2019 12:31 PM