SCOM 2007 Audit Report Access_Violation_-_Unsuccessful_Logon_Attempts wont produce any data.

Posted on 2008-11-13
Last Modified: 2013-11-21
We have SCOM 2007 SP 1 deployed with ACS functional.  All other ACS default reports are producing results and agent to connector to database connectivity is verified.  This one report, will not produce any results.  
When the time frame is narrowed down to just an hour, the following returns:
An internal error occurred on the report server.  See the error log for more details.  
Otherwise, if the report does run, it never shows any logon attempts and shows the following filter at the bottom of the blank results window:
Filter: DV Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id from 529 to 537, Event Id = 539))
We have verified that our Domain Controller Security Policy is auditing success and failure events so are other machines being monitored.  
Any advice on how to troubleshoot this default report that comes with ACS reporting and any suggestions on what to look at next would be very appreciated.
Question by:tc100years
    LVL 15

    Accepted Solution

    Try reducing the number of collected events. The big numbers collected could be a problem for the reporting service.

    Author Comment

    Do you have any suggestions on how to reduce the number of collected events?  The report does not appear editable through the SCOM Console...
    LVL 15

    Expert Comment

    no, can't you change the ANY ((Event Id from 529 to 537, Event Id = 539)) in the smart parameter header?

    Author Comment

    Limiting the parameters to just a 30 minute or 60 minute period returns:  "An internal error occured on the report server.   See the error log for more details."  I don't see a smart parameter to alter the event ids this report queries and since it is a pre-canned report, I don't know how to edit it...

    Author Comment

    The resolutioon to this problem was related to setting the adtadmin filter query as described here:
    After adjusting the filter to not exclude 'system' events with the unsuccessful login eventids, data is populating as expected.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Suggested Solutions

    I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
    If, like me, you have a lot of Dell servers in the estate you manage this article should save you a little time. When attempting to login to iDrac on any server I would be presented with two errors. The first reads "Do you want to run this applicati…
    This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
    To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    7 Experts available now in Live!

    Get 1:1 Help Now