MSSQL on Windows: Unable to re-open the local eventlog

Microsoft.SQLServer.Windows.CollectionRule.Agent.Unable_to_re_open_the_local_eventlog_1_5_Rule (Rule)

SQL Server Agent was unable to open the local event log.

Knowledge Base article:

Summary

SQL Server Agent was unable to open the local event log.

Note that this rule does not work if the SQL Server on Windows instance is monitored agentlessly.

Resolutions

Upgrade to the latest service pack. If the error persists, contact Microsoft Customer Service and Support.

Overridable Parameters

| Name | Description | Default Value |
| --- | --- | --- |
| Allow Proxying | Specifies whether the module should collect events that do not originate from the computer that is specified in the ComputerName parameter. | No |
| Enabled | Enables or disables the workflow. | Yes |
| Priority | Defines Alert Priority. | 1 |
| Severity | Defines Alert Severity. | 1 |

Element properties:

Target: Microsoft.SQLServer.Windows.Agent
Category: EventCollection
Enabled: True
Alert Generate: True
Alert Severity: Warning
Alert Priority: Normal
Remotable: True
Alert Message:
MSSQL on Windows: Unable to re-open the local eventlog
Event ID: {2}. Unable to re-open the local eventlog.
Comment: Mom2017ID='{47214F8C-6FAD-4DEA-AB7B-1F9841768B6A}';MOM2017GroupID={467ECC75-C5DA-42BD-955C-A73BBB51AF74}

Member Modules:

| ID | Module Type | TypeId | RunAs |
| --- | --- | --- | --- |
| _F6DA1507_12AF_11D3_AB21_00A0C98620CE_ | DataSource | Microsoft.SQLServer.Windows.EventProvider | Default |
| GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |

Source Code:

<Rule ID="Microsoft.SQLServer.Windows.CollectionRule.Agent.Unable_to_re_open_the_local_eventlog_1_5_Rule" Target="SqlDiscW!Microsoft.SQLServer.Windows.Agent" Enabled="true" ConfirmDelivery="true" Remotable="true" Comment="Mom2017ID='{47214F8C-6FAD-4DEA-AB7B-1F9841768B6A}';MOM2017GroupID={467ECC75-C5DA-42BD-955C-A73BBB51AF74}">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="_F6DA1507_12AF_11D3_AB21_00A0C98620CE_" Comment="{F6DA1507-12AF-11D3-AB21-00A0C98620CE}" TypeID="Microsoft.SQLServer.Windows.EventProvider">
      <ComputerName>$Target/Property[Type="SqlDiscW!Microsoft.SQLServer.Windows.Agent"]/ComputerName$</ComputerName>
      <LogName>Application</LogName>
      <AllowProxying>false</AllowProxying>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>Channel</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Application</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>313</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>$Target/Property[Type="SqlDiscW!Microsoft.SQLServer.Windows.Agent"]/ServiceName$</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>1</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.SQLServer.Windows.CollectionRule.Agent.Unable_to_re_open_the_local_eventlog_1_5_Rule.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Target/Host/Property[Type="SqlCoreLib!Microsoft.SQLServer.Core.DBEngine"]/MachineName$</AlertParameter1>
        <AlertParameter2>$Target/Host/Property[Type="SqlCoreLib!Microsoft.SQLServer.Core.DBEngine"]/InstanceName$</AlertParameter2>
        <AlertParameter3>$Data/EventDisplayNumber$</AlertParameter3>
      </AlertParameters>
      <Suppression>
        <SuppressionValue/>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>