How to enable SCOM to monitor for alerts like "Alert: RegistryValue Check - Crash On Audit Fail"?

David Kim 66 Reputation points
2021-03-23T00:07:17.05+00:00

Subject: Alert: RegistryValue Check - Crash On Audit Fail

Alert: RegistryValue Check - Crash On Audit Fail

Alert description: The crashonauditfail registry key value is not set to the desired value of 1. Investigate this issue immediately as this has caused system outages in the past.
XXXXXXXXXXXXXXX
The above alert was from our SCOM 2012 and we need to make sure the new SCOM 2019 can also monitor for this type of alert.
What MP, run as profile, ... do I need to configure to enable this type of alert in SCOM 2019?


3 answers

  1. Crystal-MSFT 41,761 Reputation points Microsoft Vendor
    2021-03-23T02:31:13.197+00:00

    @David Kim, based on my research, the CrashOnAuditFail feature is a registry key that can be set to make sure that all auditable events are recorded in the security event log. When the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail is set to 1, anyone may log on if the system can audit the events and write the events to the security event log. If the security event log is full, the value for the CrashOnAuditFail key is changed to 2, and the server crashes. Here is a link with more detailed information for reference:
    https://learn.microsoft.com/en-us/troubleshoot/iis/users-cannot-access-web-sites-when-log-full

    When the value is changed, event id 4906 is generated:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4906

    Here, we can create an event monitor in SCOM 2019 to monitor event id 4906. We can see more details in the following link:
    https://social.technet.microsoft.com/wiki/contents/articles/51547.scom-monitor-a-specific-windows-event.aspx

    Hope it can help.


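The registry value and event 4906 discussed in the answer above can be checked directly on a monitored server. The script below is an added example and is not part of the original thread or of any management pack. It only reads the value and the Security log; the 30-day window is an arbitrary choice, and the event data field name `CrashOnAuditFailValue` is taken from Microsoft's event 4906 documentation.

```powershell
# Added example: report CrashOnAuditFail state and recent changes (event 4906).
# Read-only. Run in an elevated session so the Security log is readable.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$desired = 1   # desired value stated in the alert description

# Documented meanings of the value
$meaning = @{
    0 = 'feature disabled'
    1 = 'system halts if an audit event cannot be written'
    2 = 'set by the system after an audit-failure halt; only administrators can log on'
}

$prop = Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    $current = $null
    $state   = 'value not present'
} else {
    $current = [int]$prop.CrashOnAuditFail
    $state   = if ($meaning.ContainsKey($current)) { $meaning[$current] } else { 'unexpected value' }
}

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Current   = $current
    Desired   = $desired
    Compliant = ($current -eq $desired)
    Meaning   = $state
} | Format-List

# Event 4906 is written to the Security log each time the value changes.
$filter = @{ LogName = 'Security'; Id = 4906; StartTime = (Get-Date).AddDays(-30) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output 'No 4906 events in the last 30 days (or the Security log is not readable).'
} else {
    $events | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $new = ($xml.Event.EventData.Data |
                Where-Object { $_.Name -eq 'CrashOnAuditFailValue' }).'#text'
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; NewValue = $new }
    } | Format-Table -AutoSize
}
```

A `Compliant` result of `False` corresponds to the condition the SCOM 2012 alert describes; a 4906 entry shows when the value last changed.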


  2. System Center guy 686 Reputation points
    2021-03-23T02:44:33.307+00:00

    You may check the rule or monitor that generates this alert by viewing its details.

    Roger


  3. CyrAz 5,176 Reputation points
    2021-03-25T08:16:10.337+00:00

    If that used to work in SCOM 2012 and you still have that environment available, find the alert there, open its rule or monitor properties, check in what MP it's stored and import it in SCOM 2019.