SCOM 2007 Audit Report Access_Violation_-_Unsuccessful_Logon_Attempts wont produce any data.

We have SCOM 2007 SP 1 deployed with ACS functional.  All other ACS default reports are producing results and agent to connector to database connectivity is verified.  This one report, will not produce any results.  
When the time frame is narrowed down to just an hour, the following returns:
An internal error occurred on the report server.  See the error log for more details.  
Otherwise, if the report does run, it never shows any logon attempts and shows the following filter at the bottom of the blank results window:
Filter: DV Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id from 529 to 537, Event Id = 539))
We have verified that our Domain Controller Security Policy is auditing success and failure events so are other machines being monitored.  
Any advice on how to troubleshoot this default report that comes with ACS reporting and any suggestions on what to look at next would be very appreciated.
tc100yearsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

wwwallyCommented:
Try reducing the number of collected events. The big numbers collected could be a problem for the reporting service.
Regards,
Walter
http://weblogwally.spaces.live.com
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tc100yearsAuthor Commented:
Do you have any suggestions on how to reduce the number of collected events?  The report does not appear editable through the SCOM Console...
0
wwwallyCommented:
no, can't you change the ANY ((Event Id from 529 to 537, Event Id = 539)) in the smart parameter header?
0
tc100yearsAuthor Commented:
Limiting the parameters to just a 30 minute or 60 minute period returns:  "An internal error occured on the report server.   See the error log for more details."  I don't see a smart parameter to alter the event ids this report queries and since it is a pre-canned report, I don't know how to edit it...
0
tc100yearsAuthor Commented:
The resolutioon to this problem was related to setting the adtadmin filter query as described here:
http://technet.microsoft.com/en-us/library/bb381343.aspx 
After adjusting the filter to not exclude 'system' events with the unsuccessful login eventids, data is populating as expected.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.