Sunday, 2 August 2015

Operations Manager & OMS - Unable to access AppLocker event log on Server Core

I was doing a bit of housekeeping today and I noticed a Warning alert from a monitor that Operations Manager Failed to Access the Windows Event Log.

Looking at the alert it showed that the Microsoft-Windows-AppLocker/EXE and DLL event log couldn't be accessed on my Hyper-V hosts.



When I checked manually, it wasn't surprising that the event log couldn't be accessed, because it didn't exist...



I use Server Core in my environment, and after a bit of initial digging it looks like AppLocker isn't supported on Server Core because it depends on the Application Identity service, which isn't available there.
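To confirm this on each host before touching anything in SCOM, the following PowerShell (an added example, not from the original post) checks whether the AppLocker EXE and DLL log and the Application Identity service exist, and reads the installation type from the registry. The host names are placeholders, and it assumes WinRM is reachable on the hosts.

```powershell
# Added example (not from the original post): confirm on each Hyper-V host why
# SCOM cannot read the AppLocker log. Host names below are placeholders.
$hosts = 'HV-HOST01', 'HV-HOST02'   # placeholder names, replace with your own

$results = Invoke-Command -ComputerName $hosts -ScriptBlock {
    $logName = 'Microsoft-Windows-AppLocker/EXE and DLL'

    # InstallationType reads "Server Core" on Core installs and "Server" on full installs
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

    # Both calls return nothing (rather than throwing) when the log/service is absent
    $log   = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
    $appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        InstallType  = $installType
        AppLockerLog = [bool]$log
        AppIDSvc     = if ($appId) { $appId.Status.ToString() } else { 'Not installed' }
    }
}

$results | Sort-Object Computer | Format-Table -AutoSize
```

Any host reporting AppLockerLog as False and AppIDSvc as "Not installed" is one where the Advisor rule will keep raising this alert, so those are the machines your override group needs to contain.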

This alert is generated in SCOM when you have it integrated with Microsoft Operations Management Suite (or the Operational Insights part) and are using the Security and Audit Solution.
http://www.microsoft.com/en-us/server-cloud/operations-management-suite/overview.aspx


For now, this is a quick thing to override.

  • In SCOM, navigate to Authoring | Management Pack Objects | Rules
  • Click the Scope button and search for Microsoft System Center Advisor
  • Select the Microsoft System Center Advisor Windows Server target
  • Use the Look for: filter to narrow the rules down to just AppLocker
  • Right-click Collect AppLocker Events and choose Overrides | Override the Rule | For a group...
  • Filter or scroll through the object list and find a group containing your Windows Server Core OS devices; I'm using the Windows Server 2012 R2 Core Computer Group


By default the override dialog will show that the rule is already at its default value, so why are we overriding it?
The reason is that this rule already has an override that enables it for all members of the Microsoft System Center Advisor Monitoring Server Group. That is the group that devices are added to when you select them in SCOM for upload to Operational Insights, and it is usually the group that the rules and monitors in the Operational Insights management packs are targeted at.


Rather than change that override, since we still want AppLocker events gathered from supported devices, we override the rule with a value of False for our Core group and tick the Enforce option so that our override takes precedence over the default Operational Insights override.


And that's it. SCOM should no longer run that rule on the members of the group you selected (Server 2012 R2 Core OS devices in my case), so it will stop trying to access a non-existent event log on them.
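To verify the result from the Operations Manager Shell rather than clicking back through the console, the following PowerShell (an added example, not from the original post) lists every override on the Collect AppLocker Events rule, resolves the group each one targets, and shows whether it is enforced. It assumes the OperationsManager module is available and that the rule and group display names match those used above; the ContextInstance handling is my assumption about how group-targeted overrides are stored.

```powershell
# Added example (not from the original post): list overrides on the AppLocker
# collection rule so both the Advisor default and the new Enforced override are visible.
Import-Module OperationsManager

$rule = Get-SCOMRule -DisplayName 'Collect AppLocker Events'

Get-SCOMOverride -Rule $rule | ForEach-Object {
    # Assumption: a group/instance-targeted override carries the instance id in
    # ContextInstance; a class-targeted one leaves it empty and uses Context instead.
    $target = if ($_.ContextInstance -and $_.ContextInstance -ne [guid]::Empty) {
        (Get-SCOMGroup -Id $_.ContextInstance).DisplayName
    } else {
        $_.Context.GetElement().DisplayName
    }

    [pscustomobject]@{
        Target   = $target
        Property = $_.Property
        Value    = $_.Value
        Enforced = $_.Enforced
        StoredIn = $_.GetManagementPack().DisplayName
    }
} | Format-Table -AutoSize
```

You should see two rows: the Advisor one enabling the rule for the Monitoring Server Group, and yours with Value false and Enforced True for the Core computer group. If Enforced shows False on yours, the Advisor override still wins and the alert will keep coming back.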

