Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1203
  • Last Modified:

SCOM 2007 Audit Report Access_Violation_-_Unsuccessful_Logon_Attempts wont produce any data.

We have SCOM 2007 SP 1 deployed with ACS functional.  All other ACS default reports are producing results and agent to connector to database connectivity is verified.  This one report, will not produce any results.  
When the time frame is narrowed down to just an hour, the following returns:
An internal error occurred on the report server.  See the error log for more details.  
Otherwise, if the report does run, it never shows any logon attempts and shows the following filter at the bottom of the blank results window:
Filter: DV Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id from 529 to 537, Event Id = 539))
We have verified that our Domain Controller Security Policy is auditing success and failure events so are other machines being monitored.  
Any advice on how to troubleshoot this default report that comes with ACS reporting and any suggestions on what to look at next would be very appreciated.
0
tc100years
Asked:
tc100years
  • 3
  • 2
1 Solution
 
wwwallyCommented:
Try reducing the number of collected events. The big numbers collected could be a problem for the reporting service.
Regards,
Walter
http://weblogwally.spaces.live.com
0
 
tc100yearsAuthor Commented:
Do you have any suggestions on how to reduce the number of collected events?  The report does not appear editable through the SCOM Console...
0
 
wwwallyCommented:
no, can't you change the ANY ((Event Id from 529 to 537, Event Id = 539)) in the smart parameter header?
0
 
tc100yearsAuthor Commented:
Limiting the parameters to just a 30 minute or 60 minute period returns:  "An internal error occured on the report server.   See the error log for more details."  I don't see a smart parameter to alter the event ids this report queries and since it is a pre-canned report, I don't know how to edit it...
0
 
tc100yearsAuthor Commented:
The resolutioon to this problem was related to setting the adtadmin filter query as described here:
http://technet.microsoft.com/en-us/library/bb381343.aspx 
After adjusting the filter to not exclude 'system' events with the unsuccessful login eventids, data is populating as expected.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now