Sunday 2 August 2015

Operations Manager & OMS - Unable to access AppLocker event log on Server Core

I was doing a bit of housekeeping today and I noticed a Warning alert from a monitor that Operations Manager Failed to Access the Windows Event Log.

Looking at the alert it showed that the Microsoft-Windows-AppLocker/EXE and DLL event log couldn't be accessed on my Hyper-V hosts.

When I checked manually, it wasn't surprising that the event log couldn't be accessed, because it didn't exist...

I use Server Core in my environment, and after a bit of initial digging it looks like AppLocker isn't supported on Server Core because it depends on the Application Identity service, which isn't available there.

This alert is generated in SCOM when you have it integrated with Microsoft Operations Management Suite (or the Operational Insights part) and are using the Security and Audit Solution.
http://www.microsoft.com/en-us/server-cloud/operations-management-suite/overview.aspx


For now, this is a quick thing to override.

  • In SCOM navigate to Authoring | Management Pack Objects | Rules
  • Click the Scope button and search for Microsoft System Center Advisor
  • Select the Microsoft System Center Advisor Windows Server target
  • Use the Look for: filter to narrow the rules down to just AppLocker
  • Right click the Collect AppLocker Events rule and choose Overrides | Override the Rule | For a group...
  • Filter or scroll through the object list and find a group containing your Windows Server Core OS devices; I'm using the Windows Server 2012 R2 Core Computer Group


By default the override dialog will show that the rule is already at its default (disabled) setting, so why are we overriding it?
That's because this rule already has an override that enables it for all members of the Microsoft System Center Advisor Monitoring Server Group. That group is where devices you add in SCOM for upload to Operational Insights get placed, and it is usually the target of the rules and monitors in the Operational Insights management packs.


Rather than mess with this one, as we still want it to gather AppLocker events for supported devices, we are going to override the rule with a value of False, but make sure the Enforce option is ticked so that it overrules the default Operational Insights override.


And that's it. SCOM should no longer try to run that rule, therefore not trying to access a non-existent event log on the members of the group you selected (Server 2012 R2 Core OS devices in my case).
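The same enforced, group-targeted override can be created from the Operations Manager Shell instead of the console. This is an added example, not from the original post: it assumes the OperationsManager module is available, that the rule and group display names match what the console shows, and that the unsealed management pack display name below is a placeholder you replace with your own.

```powershell
# Added example (not from the original post). Creates an enforced override that
# disables the OMS "Collect AppLocker Events" rule for a group of Server Core hosts.
Import-Module OperationsManager

$ruleDisplayName  = 'Collect AppLocker Events'                 # rule named in the post
$groupDisplayName = 'Windows Server 2012 R2 Core Computer Group' # group used in the post
$overrideMpName   = 'OMS AppLocker Overrides'                   # PLACEHOLDER: your unsealed MP

$rules = @(Get-SCOMRule -DisplayName $ruleDisplayName)
if ($rules.Count -ne 1) { throw "Expected exactly one rule named '$ruleDisplayName', found $($rules.Count)" }
$rule = $rules[0]

# Groups are singleton classes, so the override context is the group's class
$groupClass = Get-SCOMClass -DisplayName $groupDisplayName
if (-not $groupClass) { throw "Group '$groupDisplayName' not found" }

$mp = Get-SCOMManagementPack -DisplayName $overrideMpName
if (-not $mp)      { throw "Management pack '$overrideMpName' not found" }
if ($mp.Sealed)    { throw 'Overrides must be stored in an unsealed management pack' }

# Override IDs must be unique within the MP; derive one from the rule's internal name
$overrideId = "DisableAppLockerCollection.$($rule.Name)"
$override = New-Object Microsoft.EnterpriseManagement.Configuration.ManagementPackRulePropertyOverride($mp, $overrideId)
$override.Rule        = $rule
$override.Property    = 'Enabled'   # ManagementPackWorkflowProperty.Enabled
$override.Value       = 'false'     # the "False" value from the console dialog
$override.Context     = $groupClass # "For a group..." in the console
$override.Enforced    = $true       # Enforce ticked: wins over the non-enforced OMS override
$override.DisplayName = "Disable $ruleDisplayName on Server Core"

# Validate and save the management pack; the override takes effect on the next config update
$mp.Verify()
$mp.AcceptChanges()
```

On a Server Core host you can confirm what the alert is complaining about with `Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/EXE and DLL'`, which fails when the log channel is absent.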


4 comments:

custom thesis writing said...

I have witnessed a similar problem with AppLocker. The customer service could not understand the problem and I had to suffer for days. This is the perfect solution but is quite complicated.

Harry jacob said...

Happy New Year 2020. Thanks for sharing. I like this post because we can get some useful information from your blog.

foureyes said...

As information and data is amassed on pretty much any subject you want to envision

Restaurants Near Me

Steven Salvatore said...

connecting hp deskjet 3520 printer wireless setup is made simple. The given information will hand you to connect printer on a wireless network.