This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 51%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Hello Folks,
I'm getting the alert" Operations Manager Failed to Access the Windows Event Log" frequently. However the Event Source which is referring as Unable is actually not present in the event log. Could you please help.
Regards
SK
Hi @Sai Kumar M ,
If SCOM is unable to access the event log because the event log/source doesn't exist, then it's a valid alert.
Can you please post the full alert description?
Does this happen on one or many servers?
----------
(If the reply was helpful please don't forget to upvote or accept as answer, thank you)
Best regards,
Leon
Its on multiple servers. Here is the full alert. If there is no such event source how would SCOM monitor, that's my concern is.
The Windows Event Log Provider is still unable to open the OSIsoft-Search/Admin event log on computer
The Provider has been unable to open the OSIsoft-Search/Admin event log for 720 seconds.
Most recent error details: The specified channel could not be found. Check channel configuration.
But does this event log (OSIsoft-Search/Admin) in question exists on the affected servers? The event logs sound like a custom/third-party application, you probably have custom rules monitoring this event log, can you verify this?
Yes event Log is third party application. But the monitor is the from the System Center Core Monitoring which is looking for event ids 26002, 26004.25002,25004 in unhealthy expression.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Looks like someone created an event rule or monitor on a custom event log and targeted it a Windows Computers, so it runs everywhere even though that custom event log only exists on specific servers.
So now you need to find that monitor or rule, and then you have two options :
As mentioned in my above comments, monitor is not third party and is from System Center Core Monitoring. Monitor Target is health service. Monitor Name is "Failed Accessing Windows Event Log" and alert name is "Operations Manager Failed to Access the Windows Event Log".
I know, but my answer is still valid.
Some rule or monitor tries to access to an event log that doesn't exist > the agent can't open that event log and generates a generic error > that generic error is picked up by a generic SCOM rule to let you know there is some kind of issue.
But the rule or monitor that try to access the event log is obviously a custom one, given the name of that event log.
So How do I resolve that no false alerts are generated
Did you try any of what I explained in my first answer?
Someone pls help on how to overcome the situation.
Did you try any of what I explained in my first answer?