Some forwarders cannot communicate with collector in SCOM 2007 R2 (0x000004C7)

  • Question

  • Hello,

    When I try to enable Audit collection for some of the forwarders, an error is displayed in the event view:

    forwarder was shut down reason code 0x000004C7

    Reason description: the operation was canceled by the user

    FYI: the adtagent is started in the concerned servers

    Thank you for your help

    BR

    Friday, July 12, 2019 1:39 PM

All replies

  • Hello,

    To start forwarding the security events from agent, you enable audit collection and then adtagent service starts on that server which will now act as forwarder.

    In your case, have you already started the adtagent service and then are you trying to run task enable audit collection?

    Check this blog for detailed steps, it may help:

    https://blogs.technet.microsoft.com/fesiro/2013/01/08/how-to-deploy-audit-collection-services-acs-in-scom-2012/

    Steps are almost same for 2012 and 2007 R2.

    • Marked as answer by INTM Monday, July 15, 2019 10:34 AM
    Friday, July 12, 2019 2:45 PM
  • Hello,

    Yes, the adtagent is already started, and when I run the task enable audit collection its status is success.

    In the event view of the concerned forwarder it is shown that the forwarder was shut down (the data tag of the XML view shows "the operation was canceled by the user").

    BR

    • Marked as answer by INTM Monday, July 15, 2019 10:34 AM
    Friday, July 12, 2019 4:24 PM
  • This alert displays in the event forwarder when I enable the Audit collection task.

    adtserver is running and listening on the specified port 51909 (telnet on the collector is OK).

    netstat on the relevant forwarders shows that the connection is not established with the collector on port 51909, but the rest of the forwarders of the INFRA are OK.

    I don't think the TCP connectivity to the adtserver machine is blocked by a firewall,

    but can you explain to me what "adtserver on the machine(s) listed actively refused the connection (due to policy or current activity load)" means?

    Below is the detail of the SCOM warning alert:

    [Info   ]ReadEventLogLoggingLevel(): The eventlog logging level is 0x00000002
    [Info   ]AgentLdr: ServiceCtrlHandler(0x1738): trying to exit...
    [Warning]ReportCollectorEvent(): SendNotifyV3() returned 0x000004CD.
    [Info   ]AgentRun(): Wait: Stop event received.
    [Info   ]AgentRun(): Run(0x177C) exits with 0x00000000.
    [Info   ]AgentLdr: ServiceMain(0x177C): AdtLdrRun() returned 0x00000000.
    [Info   ]*** Agent starting up ***
    [Info   ]AgentLdr: ServiceMain(0x1754).
    [Info   ]ReadEventLogLoggingLevel(): The eventlog logging level is 0x00000002
    [Error  ]LoadCert: LoadHash() returned 0x00000002.
    [Info   ]IoServer::Run(0x918): Worker thread starting up.
    [Info   ]LookupServersReg(): Found gateway:51909.
    [Warning]IoConnectCtxt::OnConnectComplete(0x677E50): Received error 0x000004C9 for context 0xA86990.
    [Error  ]AgentClient::Connect(): Connection status 0x000004C9.
    [Warning]ConnectToServer(): Calling Disconnect() with error 0x000004C9.
    [Info   ]LookupServersReg(): Found gateway:51909.
    [Warning]IoConnectCtxt::OnConnectComplete(0x677E50): Received error 0x000004C9 for context 0xA86990.
    [Error  ]AgentClient::Connect(): Connection status 0x000004C9.
    [Warning]ConnectToServer(): Calling Disconnect() with error 0x000004C9.
    [Info   ]LookupServersReg(): Found gateway:51909.
    [Warning]IoConnectCtxt::OnConnectComplete(0x677E50): Received error 0x000004C9 for context 0xA86990.
    [Error  ]AgentClient::Connect(): Connection status 0x000004C9.
    [Warning]ConnectToServer(): Calling Disconnect() with error 0x000004C9.

    Could you please help me on that?


    • Marked as answer by INTM Monday, July 15, 2019 5:57 PM
    • Unmarked as answer by INTM Monday, July 15, 2019 5:57 PM
    Friday, July 12, 2019 10:44 PM
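
Added example, not part of any post in this thread: PowerShell that pulls the status codes out of the forwarder log quoted above and asks Windows for the text of each one, so the repeated 0x000004C9 and the LoadCert failure can be read without looking codes up by hand. The function name Get-AcsLogFinding is hypothetical, the sample lines are copied from the post, and `[pscustomobject]` assumes PowerShell 3.0 or later.

```powershell
# Sample input: non-Info lines copied from the post above (whitespace trimmed).
$log = @'
[Warning]ReportCollectorEvent(): SendNotifyV3() returned 0x000004CD.
[Error  ]LoadCert: LoadHash() returned 0x00000002.
[Info   ]LookupServersReg(): Found gateway:51909.
[Warning]IoConnectCtxt::OnConnectComplete(0x677E50): Received error 0x000004C9 for context 0xA86990.
[Error  ]AgentClient::Connect(): Connection status 0x000004C9.
[Warning]ConnectToServer(): Calling Disconnect() with error 0x000004C9.
'@ -split "`r?`n"

# Hypothetical helper (not part of SCOM/ACS): one object per Warning/Error line.
function Get-AcsLogFinding {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # Severity tag, then the reporting routine up to its '(' or ': '.
        if ($l -notmatch '^\s*\[(?<sev>\w+)\s*\](?<src>.+?)(?:\(|:\s)') { continue }
        $sev = $Matches.sev
        $src = $Matches.src.Trim()
        if ($sev -eq 'Info') { continue }
        # Only take the code that follows returned/error/status, so thread ids
        # and context pointers such as 0x677E50 are not mistaken for errors.
        if ($l -match '(?:returned|error|status)\s+0x(?<code>[0-9A-Fa-f]{8})') {
            $code = [Convert]::ToInt32($Matches.code, 16)
            [pscustomobject]@{
                Severity = $sev
                Source   = $src
                Code     = '0x{0:X8}' -f $code
                # Win32Exception returns the system message text for the code
                # (0x4C9 is ERROR_CONNECTION_REFUSED, 0x2 is ERROR_FILE_NOT_FOUND).
                Meaning  = (New-Object System.ComponentModel.Win32Exception $code).Message
            }
        }
    }
}

# Most frequent code first, with the routines that reported it.
Get-AcsLogFinding -Line $log |
    Group-Object Code, Meaning |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Sources'; e = { ($_.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```
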
  • Hi,

    For your issue, I want to confirm if DataSource on Reporting Service is created and configured.

    Best regards.

    Crystal


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by INTM Monday, July 15, 2019 10:34 AM
    Monday, July 15, 2019 6:42 AM
  • Hello,

    Normally, before, the concerned forwarders send the events to the collector.

    How can I check if a DataSource on Reporting Service is created and configured?

    Best regards

    Monday, July 15, 2019 1:48 PM
  • yes it is well configured

    I have access to the SQL server reporting services (http://<myReportingServerName>/Reports_<ServiceName>)

    datasource folder is also created (audit reports)



    • Edited by INTM Monday, July 15, 2019 6:04 PM add a comment
    Monday, July 15, 2019 5:50 PM
  • Hi,

    How about the following registry key setting?
    HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\OpsMgrAC

    Did it use a named instance of SQL Server, like <server name>\<instance>? If not, change to this format.

    Also, check if SQL mixed authentication mode was enabled. If yes, change the authentication mode to Windows authentication. The location is as below:
    1. In SQL Server Management Studio Object Explorer, right-click the server, and then click Properties.
    2. On the Security page, under Server authentication, check if only Windows Authentication mode is enabled; if not, change it and then click OK.
    3. In the SQL Server Management Studio dialog box, click OK to acknowledge the requirement to restart SQL Server.

    Please check the above information, if any update, please let us know.

    Best regards.

    Crystal



    Tuesday, July 16, 2019 6:52 AM
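
Added example, not part of any post in this thread: the two checks from the reply above done from PowerShell on the collector instead of through the GUI. It assumes the OpsMgrAC DSN stores its target in the usual ODBC `Server` value and that the account running it can log on to that SQL Server with Windows authentication; the function name Test-AcsSqlSetting is hypothetical.

```powershell
# Hypothetical helper (not part of SCOM/ACS): reads the DSN named in the reply
# and asks the SQL Server it points at which authentication mode is active.
function Test-AcsSqlSetting {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC')

    # Assumption: standard ODBC DSN layout with a 'Server' value.
    $server = (Get-ItemProperty -Path $KeyPath -ErrorAction Stop).Server

    # Build the connection string through the builder so the registry value
    # is treated as data and cannot add extra connection-string keywords.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']         = $server
    $b['Integrated Security'] = $true
    $b['Connect Timeout']     = 10

    $conn = New-Object System.Data.SqlClient.SqlConnection $b.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # 1 = Windows Authentication only, 0 = mixed mode.
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
        $windowsOnly = [int]$cmd.ExecuteScalar() -eq 1
    }
    finally {
        $conn.Dispose()
    }

    New-Object PSObject -Property @{
        DsnServer       = $server
        # True when the DSN uses the <server name>\<instance> form.
        IsNamedInstance = ($server -match '\\')
        WindowsAuthOnly = $windowsOnly
    }
}

Test-AcsSqlSetting | Format-List DsnServer, IsNamedInstance, WindowsAuthOnly
```
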
  • Hello,

    Registry and SQL mixed authentication have been checked and all are configured as advised.

    Do you think something is missing in the SCOM configuration?

    BR.

    Wednesday, July 17, 2019 2:09 PM
  • Hi

    From the log you provided, it shows errors when loading the certificate and connecting to gateway server:51909. So I suggest checking the configuration to see if anything is wrong. As you mentioned, the authentication and instance are all correct. I think we need to check from other sides also.

    Is there another gateway server in our environment? If we change to another gateway server, will the issue be fixed? Also check the certificate on the gateway server to see if it is there and is working well. Meanwhile, please confirm if these ACS forwarders are in an untrusted domain. If yes, follow the following article to configure:

    https://blogs.technet.microsoft.com/cliveeastwood/2007/05/11/how-to-configure-audit-collection-system-acs-to-use-certificate-based-authentication/

    Please check the above information and if any update, please let us know.

    Best regards.

    Crystal



    Thursday, July 18, 2019 7:40 AM