This monitor and alert indicates that the ACS Collector detected a gap from the incoming event stream from an ACS forwarder. This means some events may be missing due to event log wrapping or someone clearing the event log on the managed computer.
The alert is raised when the rule detects event: Source = AdtServer and ID = 4635.
The alert can indicate the following may be happening on the agent:
Someone cleared the event log when the forwarder lost connection to the collector
The event log wrapped when the forwarder lost connection to the collector
Run the "System Integrity - Audit Log Cleared" report to see if anyone had cleared the security log.
Ensure the security log size is large enough to queue events to endure a routine system maintenance or a typical troubleshooting duration.
Target | Microsoft.SystemCenter.ACS.Collector | ||
Category | Alert | ||
Enabled | True | ||
Event_ID | 4635 | ||
Event Source | AdtServer | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | Operations Manager |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.SystemCenter.ACS.Collector.EventStreamGap" Enabled="true" Target="Microsoft.SystemCenter.ACS.Collector" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Alert</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Operations Manager</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">4635</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">AdtServer</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertName/>
<AlertDescription/>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.SystemCenter.ACS.Collector.EventStreamGap.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/Params/Param[1]$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
<SuppressionValue>$Data/PublisherName$</SuppressionValue>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
<SuppressionValue>$Data/Params/Param[1]$</SuppressionValue>
</Suppression>
<Custom1>$Data/Params/Param[1]$</Custom1>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
</WriteActions>
</Rule>