Tuning tip – turning off some over-collection of events

Comments

  • Anonymous
    January 01, 2003
    To: Dinesh. That is because this query is not for the warehouse database. It is for the Operations database.

  • Anonymous
    January 01, 2003
    Re: DHCP. Yes - that's a very old MP. That makes sense now. I would normally say go upgrade that MP.... but if you are happy with the monitoring it provides - you might just keep it. The current updated Native DHCP MP 6.0.6452.0 has some significant monitoring limitations, due to some advanced monitoring that it performs, and I am not 100% sure those limitations are present in the conversion MP. I just don't know. Like I said - if you are happy, I'd probably stick with it.

  • Anonymous
    January 01, 2003
    Hello, I found this ... http://technet.microsoft.com/en-us/library/cc655729.aspx#BKMK_ApplicationProviderPath

    For these rules to work, you need to create the %SMS_INSTALL_DIR_PATH% environment variable on your site server with the installation path that was specified for your site installation. The environment variable path should not end in a backslash. Each Configuration Manager 2007 server with a sender must be a managed computer.

    http://technet.microsoft.com/en-us/library/cc755616(WS.10).aspx

    Is it what is missing ONLY? Thanks, Dom

  • Anonymous
    January 01, 2003
    Great post Kevin, thanks. I made a slight change that may be useful to others: I added the Channel field which - in SCOM 2012 - shows the event log the events are from. Saves a lot of time digging :) The query on my side now is:

        SELECT TOP 20 Number AS EventID,
               COUNT(*) AS TotalEvents,
               Publishername AS EventSource,
               Channel AS EventLogName
        FROM EventAllView eav WITH (NOLOCK)
        GROUP BY Number, Publishername, Channel
        ORDER BY TotalEvents DESC

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Thanks Marco - The 31707 is a known issue - from you not configuring your SMS MP according to the guide. There is a variable for the SMS logs path in the MP - and you need to set this variable on ALL your SMS servers. I would STRONGLY recommend you set this up correctly - otherwise you aren't monitoring your logs, and you are flooding opsmgr with these events. I don't have any 1501 events - what are they when you create the view to look at those? The others are known issues - and I would disable them.

  • Anonymous
    January 01, 2003
    I searched the XML of all the current DHCP MP's - and 1501 is not in them.  What DHCP MP are you using, what OS version is your DHCP server, and what is the EXACT rule or monitor name, and target, that is responsible for inserting the 1501?

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Dom: Which MP are you running - the SCCM MP, or the SMS MP?  Or both?

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Dom: As for the other events - you should follow exactly what the blog post says - create views for them in "My Workspace" - look at them and see if this is indicative of a big problem - or something you just wanna turn off. Several of the ones in your list are ones I turn off collection rules for. The others that are not in my list... I would investigate.

  • Anonymous
    January 01, 2003
    If the TEST event is your largest event - you just don't have anything going on yet. :-) (but yeah - I'd disable it if it was my top event and showed me no value)

  • Anonymous
    November 26, 2009
    Hi Kevin, thanks for sharing this Information. To give you some feedback on the Events i see in our Environment: Top1 (1.8 Million! Events) - EventID 31707 (Error monitoring parent directory. Directory = %SMS_INSTALL_DIR_PATH%) followed by Event 1501, 10409, 21024, 10403 with about 200k each. So maybe 31707 is an issue for other environments too. Regards Marco

  • Anonymous
    November 27, 2009
    Event 1501 is from the DHCP Scope Monitoring, collecting the address status. From the Product Knowledge of the Rule:

    Summary
    This rule collects the following DHCP related information:
      - DHCP superscopes and scopes
      - DHCP superscope and scope relationships
      - DHCP superscopes and scope utilization

    Caution: Disabling this rule prevents the DHCP server superscope and scope monitoring and reports from functioning.

  • Anonymous
    November 27, 2009
    I ran your little query and this is the result:

    TotalEvents  EventID  EventSource
    1155157      1206     HealthService
    136169       117      nworksSource
    38788        21024    OpsMgr Connector
    15032        29102    OpsMgr Config Service
    14846        29103    OpsMgr Config Service
    14481        21025    OpsMgr Connector
    13551        1210     HealthService
    13144        74       nworksSource
    12354        77       nworksSource
    10575        10378    Health Service Modules
    9824         72       nworksSource
    9737         68       nworksSource
    6154         89       nworksSource
    5689         10376    Health Service Modules
    5614         10403    Health Service Modules
    4505         1102     HealthService
    3783         10102    Health Service Modules
    2355         31901    Health Service Modules
    2248         6022     Health Service Script
    2225         31902    Health Service Modules

    The Top 5 matches your favorites :-) The nworksSource is from the VMware MP by Veeam, will start checking these out. Cheers, Serge

  • Anonymous
    November 27, 2009
    Hi Kevin, I've checked and figured out the 1206. Apparently 1 (ONE!) server was going ballistic a couple of days ago. Unfortunately it was an nWorks Virtual Infrastructure Collector. These servers collect all info on VM Hosts & Guests. Typically I saw all kinds of Events like this one: Rule/Monitor "nworks.VMware.VEM.VC2Alarm.VMGUEST.CPU.toRed", running for instance "_Total" with id:"{C5AC8DDB-DE26-A276-9177-1D9E5D854400}" failed, got unloaded and reached the failure limit that prevents automatic reload. The 117 is also an interesting one :-) According to Veeam: This is intended as an update "hint" to the mom/scom MP. This event drives the performance data consumer in the MP. The description contains this kind of info: SV110 Performance data for 'VMDiskProperties' class published in WMI Guess I'm gonna drop the guys at nworks a couple of questions. Cheers, Serge

  • Anonymous
    November 28, 2009
    Hi Kevin, regarding the 1501 Events. We currently have about ~170 DHCP Servers included in our SCOM Monitoring, running Windows Server 2003. The exact Rule Name is "DHCP Scope Monitoring", the Rule Target is "Microsoft Windows 2003 DHCP Servers Installation". The MP is V6.0.5000.33, probably a rather old Version.

  • Anonymous
    December 10, 2009
    The comment has been removed

  • Anonymous
    December 21, 2009
    The comment has been removed

  • Anonymous
    December 28, 2009
    The comment has been removed

  • Anonymous
    December 28, 2009
    Hello, Which SMS MP guide are you referring to? I have checked the Microsoft System Center Configuration Manager 2007 Guide unsuccessfully as I could not see any SMS MP name ... should I install one on top of my existing configuration? Does it have another name in SCOM 2007? Thanks, Dom

  • Anonymous
    January 19, 2010
    Dom, Try this :- Variable: SMS_INSTALL_DIR_PATH Value: your installation Drive:SMS my case : F:SMS

  • Anonymous
    February 01, 2010
    Most common event in my OpsDB so far (which is not that long) is:

    Source: Health Service Script
    Generating Rule: Collect Distributed Workflow Test Event
    Event Number: 6022
    Level: Information
    Description: LogEndToEndEvent.js : This event is logged to the Windows Event Log periodically to test a event collection.

    Seems like a decent candidate for disabling but I didn't see it in anyone's list here. Thoughts?

  • Anonymous
    April 02, 2010
    Hello, So I'm trying to create overrides for some of the top events in our database. For instance, Event 21402 and 21403 which you also list in your list of common events to disable. This rule (Collect Batch Response Module Events) is targeted to Health Service and when I right click the event to create an override it shows "Override the rule... For all objects of class: Health Service".  I select this target, put a check mark in the "override" field, change Override Value to "False", select a custom MP to store the override in and click OK.  I can even view the override using the Summary link.  But, the events keep coming in... several days later, so it's not that I'm just not waiting long enough for the new configuration to take effect.  I've found that overrides I create for rules that target something other than "Health Service" work fine... but they seem to never work for Health Service. Is there something I'm missing here? Should I be targeting a different class? Thanks.

  • Anonymous
    March 26, 2012
    The comment has been removed

  • Anonymous
    September 16, 2013
    Hi, We are getting the following error on our SCOM management servers, no cause is given, looks like it's cut off after "Cause", no additional details in xml view:

    Log Name:      Operations Manager
    Source:        Health Service Script
    Date:          9/15/2013 3:09:22 PM
    Event ID:      3000
    Description:   AgentMinRequiredVersionCheck.vbs : An error occurred while reading the registry. Cause:

    Would appreciate any ideas!

  • Anonymous
    November 21, 2013
    Do we have any method to delete the collected events from the OperationsManager DB?

  • Anonymous
    January 20, 2016
    Hi Kevin,

    One of my servers is in Not Monitored state. I checked the connection to the server and it is pinging. I checked the event log and found a warning, event ID 1207, and I did the cache flush, but the server is still in Not Monitored state.

  • Anonymous
    April 01, 2016
    Hi, I have 5,45,320 entries of Event ID 7001. Is it OK to disable it for the entire "Windows Operating System" class? Thanks

  • Anonymous
    October 25, 2016
    Hi Kevin,

    In our environment I see most of the events are like below.

    EventID  TotalEvents  EventSource
    4009     634880       Apm PerfCounterMonitor
    1118     634573       Apm Agent
    6398     8085         Microsoft-SharePoint Products-SharePoint Foundation
    2159     4919         Microsoft-SharePoint Products-SharePoint Foundation
    1318     3232         Apm Agent
    4139     3063         Apm Agent
    4140     3055         Apm Agent

    Do you think our APM settings have gone for a toss? Any suggestions please? Thanks

  • Anonymous
    December 28, 2016
    Thanks

  • Anonymous
    August 08, 2018
    Hi,

    Is it me or we cannot override a specific event in the DHCP MP? Because the replication process is awful for the number of event logs. See below.

    EventID  TotalEvents  EventSource
    106      169522       Microsoft-Windows-DHCP-Server
    107      169451       Microsoft-Windows-DHCP-Server
    17       90449        Health Service Script
    108      50343        Microsoft-Windows-DHCP-Server
    73       43848        Microsoft-Windows-DHCP-Server
    74       43846        Microsoft-Windows-DHCP-Server

    While on the main there are only 2-3 change events on the main, the replicate seems to flush and re-write every reservation. So I came across that post because I wish to remove the events 106-108 from the replica. But the override option I see is only to disable all collection. And under Data source, I only have the view option.

    Thanks

    • Anonymous
      August 08, 2018
      MP: Microsoft.Windows.2008R2.DHCP.Server
      Version: 6.0.6709.0
      Rule name: Rule for event collection - DHCP server configuration changes
      Rule Target: Microsoft.Windows.2008R2.DHCP.Server.Role
      • Anonymous
        August 08, 2018
        1. That MP is really poorly written, and you should remove it ASAP. Upgrade your DHCP servers and get them off of WS2008R2, which is ending extended support lifecycle soon.
        2. You should disable all the event collection rules in that MP if you want to keep it.

        That MP should have never been shipped in the way it was. It is nothing but a TON of event and performance collection which serves very little purpose, and almost ALL the monitors are terrible:
        a. They are almost all manual reset which is a worst practice.
        b. They are event log monitors which are a bad idea in the first place. Event based monitors are unreliable.

        I'd seriously recommend disabling every rule in that MP. The DHCP MP's for Windows Server 2012 and 2016 are WAY better MP's.
        • Anonymous
          August 08, 2018
          Hi, Thanks for the reply, I think the majority if not all of our DHCP are already at 2012 R2, but strangely it's still that MP that was trapping the events. Following your comment, I will work with my team to remove it ASAP. Thanks again for the quick reply and have a nice day. :)
          • Anonymous
            August 08, 2018
            The comment has been removed