Operations Manager Event Error 26008 from SCOM Agent - The Security event log on computer 'server1' is still corrupt

  • Question

  • Hi all,

    I have the following problem on the 2019 DCs in the Operations Manager event log.

    We are getting the following error every minute.

    It has been happening since we defined a rule for high-privilege group (Domain Admins, Schema Admins, Enterprise Admins) monitoring...

    As soon as we disable the rule, the errors stop coming.

    The rule is working fine and we get an alert on a group change. The Security log is not corrupt, and it is possible to open it or query it with PowerShell.

    Do you have any solution for this?

    EventMessage

    "Event Code: 26008 Message: The Security event log on computer 'server1' is still corrupt. The Event Log Provider will attempt to recover by skipping over a possible bad record. The Provider may skip up to two records. "

    Tuesday, November 19, 2019 12:41 PM

All replies

  • Hi,
     
    We can try the method in the following link to find the corrupt event log:

    https://systemcenter.wiki/?GetElement=Microsoft.SystemCenter.HealthServiceModules.WindowsEventLog.CorruptOrUnreadableEvents&Type=UnitMonitor&ManagementPack=Microsoft.SystemCenter.2007&Version=7.3.13142.0

    Note: this is just for your reference.
     
    Hope it can help.
     
    Best regards.
    Crystal

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 20, 2019 2:09 AM
  • Hi,

    How's everything going? If there's any update, please let us know.

    Best regards.
    Crystal


    Friday, November 22, 2019 7:40 AM
  • You could try to delete the event ID which has this issue or if the entire security log is corrupt look into repairing or recreating it if possible

    Website: www.walshamsolutions.com Technical Blog: https://www.walshamsolutions.com/technical-blog Personal Blog: https://www.walshamsolutions.com/personal-blog Twitter: Dwalshampro

    Friday, November 22, 2019 9:16 AM
  • Hi,

    It has been a long time since we heard from you. Is there any progress on our issue? If yes, feel free to let us know.

    Best regards.

    Crystal


    Wednesday, November 27, 2019 7:39 AM
  • Sorry, I did not have time...

    As already mentioned... the log is not corrupt and the rule I created is working fine.

    If I change a group member, I get an alert in SCOM.

    The problem is that the Operations Manager event log is filled with messages that the Security log is corrupt.

    I am able to see every log and nothing is corrupt.

    As soon as I disable this rule, there are no more errors in Operations Manager about a corrupted log.

    This is my rule, created by myself, which is working fine.


    • Edited by todomati Thursday, November 28, 2019 4:16 PM
    Thursday, November 28, 2019 4:15 PM
  • Hi.
     
    Thanks for your reply. As you are busy these days, feel free to reply when you are available.
     
    Before going on, we would like to confirm something to understand our issue better:
    1. When we configure the filter in the picture, will the alert not be generated?
    2. When we change a group member, will the alert be generated? If so, could you give an example of changing a group member?
     
    Thanks and have a nice day!
     
    Best regards.
    Crystal


    Friday, November 29, 2019 7:34 AM
  • Hi Crystal

    A SCOM alert is generated on the SCOM server when we change a group member, which is actually the purpose of this rule.

    The problem is those events on all domain controllers, written locally in the Operations Manager log, which are coming every minute: "Event Code: 26008 Message: The Security event log on computer 'DomainController1' is still corrupt"

    They come every minute as soon as this rule is enabled, regardless of whether you change a group member or not.

    Despite these event log entries on the DCs, SCOM alerting works and I get an alert if a group has been changed, which is actually a paradox if the SCOM agent thinks that the Security log is corrupt...

    Greetings...


    • Edited by todomati Friday, November 29, 2019 7:53 AM
    Friday, November 29, 2019 7:51 AM
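
The following PowerShell check is an added example, not part of the thread and not SCOM's own code: it measures how often the agent writes event 26008 and, for the same window, whether the Security log can actually be read. The event IDs 4728, 4729, 4732, 4733, 4756 and 4757 are an assumption about what the custom rule watches, since the rule definition is not shown on the page.

```powershell
# Added example, not from the thread. Run elevated on the affected domain controller.
$since = (Get-Date).AddHours(-1)

# 1) Rate of 26008 events written by the agent, bucketed per minute.
$agent = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Operations Manager'; Id = 26008; StartTime = $since
} -ErrorAction SilentlyContinue)
$perMinute = $agent | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') }

# 2) State of the Security log as the Event Log service reports it.
$logInfo = Get-WinEvent -ListLog Security

# 3) Read the group-change events the rule is assumed to watch (assumption:
#    member added/removed for global, domain-local and universal groups).
$groupChangeIds = 4728, 4729, 4732, 4733, 4756, 4757
$readErrors = @()
$sec = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $groupChangeIds; StartTime = $since
} -ErrorAction SilentlyContinue -ErrorVariable readErrors)

# "No events found" is not a read failure, so drop it from the error list.
$realErrors = @($readErrors | Where-Object {
    $_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*'
})

# 4) Events that were read but cannot be rendered point at a damaged record
#    or a missing message resource.
$unrendered = @($sec | Where-Object { [string]::IsNullOrEmpty($_.Message) })

[pscustomobject]@{
    Agent26008LastHour    = $agent.Count
    MinutesWith26008      = @($perMinute).Count
    SecurityRecordCount   = $logInfo.RecordCount
    SecurityLogSizeMB     = [math]::Round($logInfo.FileSize / 1MB, 1)
    SecurityLogIsFull     = $logInfo.IsLogFull
    GroupChangeEventsRead = $sec.Count
    SecurityReadErrors    = $realErrors.Count
    UnrenderedEvents      = $unrendered.Count
}
```

A high `Agent26008LastHour` together with zero `SecurityReadErrors` and zero `UnrenderedEvents` matches the behaviour described in the thread: the agent reports corruption while the log itself reads cleanly.
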
  • Hi,

    There is feedback submitted about a similar issue; although it concerns SCOM, I believe it was submitted in the wrong UserVoice... Fix Operations Manager Health Service Modules Event ID 26007

    It should be submitted to the Operations Manager uservoice over here:
    https://systemcenterom.uservoice.com/forums/293064-general-operations-manager-feedback

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Friday, November 29, 2019 8:09 AM
  • Hi Leon

    Does this mean that the wrong behaviour of the SCOM agent is known in this respect but has not yet been corrected?

    I don't see any solution...


    • Edited by todomati Friday, November 29, 2019 8:21 AM
    Friday, November 29, 2019 8:20 AM
  • There are quite a few votes, so it appears to be an issue.

    I would, however, give this feedback to the correct product group; this is related to Operations Manager, so the feedback should be given to them over here: https://systemcenterom.uservoice.com/forums/293064-general-operations-manager-feedback


    Friday, November 29, 2019 8:26 AM
  • Ok

    Then I'll check in a while if a solution has been worked out

    Friday, November 29, 2019 8:29 AM