Monitors the ability of the Microsoft Audit Collector Service Collector to maintain client connections
This monitor and alert indicate that the ACS Collector is disconnecting forwarders to reduce incoming traffic and free resources to service a backlog of events that must be processed and written to the database.
Below is a summary of the default configuration of this monitor:
Red state: Transition to red state if the collector begins to disconnect existing forwarder sessions in order to service the backlog in the database queue (AdtServer 4615)
Green state: Transition to green state if the collector begins to accept forwarders trying to connect again (AdtServer 4613).
The red state can indicate the following:
A managed computer that has many existing security events in its security event log (e.g. a domain controller) attempts to forward security events to an ACS collector for the first time. The forwarder on the managed computer will attempt to forward all of the events in the log to the collector very quickly, causing a buildup of events in the collector's database queue.
If the database is mounted on SQL Server Standard Edition, then during the daily database maintenance period when the database is performing indexing operations, the collector cannot write data to the database, causing backlog in the queue.
If this condition is persistent throughout the day, this may indicate the collector lacks capacity to manage the current number of forwarders.
Use the following steps to resolve the issue:
Consider using SQL Server Enterprise Edition
Consider adding more ACS Collectors
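To tell a one-off backlog from a persistent capacity problem, the red/green transitions can be replayed from the collector's event log. The script below is an added example, not part of the management pack; the function and parameter names are hypothetical, and it assumes it runs with rights to read the Operations Manager log on the collector.

```powershell
# Added example (not from the management pack). Function and parameter names are hypothetical.
function Get-AcsCollectorRedInterval {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # assumption: the ACS collector
        [int]$Hours = 24
    )
    # Same criteria as the monitor: log "Operations Manager", source AdtServer,
    # event 4615 (red) and 4613 (green). Mapping the monitor's PublisherName to
    # Get-WinEvent's ProviderName is an assumption.
    $filter = @{
        LogName      = 'Operations Manager'
        ProviderName = 'AdtServer'
        Id           = 4615, 4613
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated   # oldest first, to replay the transitions

    $redSince = $null
    foreach ($e in $events) {
        if ($e.Id -eq 4615 -and -not $redSince) {
            $redSince = $e.TimeCreated            # first 4615 opens a red interval
        }
        elseif ($e.Id -eq 4613 -and $redSince) {
            [pscustomobject]@{
                RedFrom = $redSince
                GreenAt = $e.TimeCreated
                Minutes = [math]::Round(($e.TimeCreated - $redSince).TotalMinutes, 1)
            }
            $redSince = $null
        }
    }
    if ($redSince) {   # no 4613 yet: collector is still disconnecting forwarders
        [pscustomobject]@{
            RedFrom = $redSince
            GreenAt = $null
            Minutes = [math]::Round(((Get-Date) - $redSince).TotalMinutes, 1)
        }
    }
}

$intervals = @(Get-AcsCollectorRedInterval -Hours 24)
$intervals | Format-Table -AutoSize
'Red intervals: {0}; total red minutes: {1}' -f $intervals.Count,
    ($intervals | Measure-Object Minutes -Sum).Sum
```

Intervals that cluster around the daily database maintenance period point to the SQL Server Standard Edition cause; intervals spread across the day point to a collector that lacks capacity for its forwarders.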
Target | Microsoft.SystemCenter.ACS.Collector |
Parent Monitor | Microsoft.SystemCenter.ACS.Collector.AvailabilityHealthRollup |
Category | AvailabilityHealth |
Enabled | True |
Alert Generate | False |
Alert Auto Resolve | False |
Monitor Type | Microsoft.Windows.2SingleEventLog2StateMonitorType |
Remotable | True |
Accessibility | Internal |
RunAs | Default |
<UnitMonitor ID="Microsoft.SystemCenter.ACS.Collector.MaintainingClientConnections" Accessibility="Internal" Enabled="true" Target="Microsoft.SystemCenter.ACS.Collector" ParentMonitorID="Microsoft.SystemCenter.ACS.Collector.AvailabilityHealthRollup" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="true">
  <Category>AvailabilityHealth</Category>
  <OperationalStates>
    <OperationalState ID="AcceptingNewClientConnections" MonitorTypeStateID="SecondEventRaised" HealthState="Success"/>
    <OperationalState ID="DisconnectingClientConnections" MonitorTypeStateID="FirstEventRaised" HealthState="Error"/>
  </OperationalStates>
  <Configuration>
    <FirstComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
    <FirstLogName>Operations Manager</FirstLogName>
    <FirstExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="UnsignedInteger">4615</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="String">PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="String">AdtServer</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </FirstExpression>
    <SecondComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
    <SecondLogName>Operations Manager</SecondLogName>
    <SecondExpression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="UnsignedInteger">4613</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery Type="String">PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value Type="String">AdtServer</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </SecondExpression>
  </Configuration>
</UnitMonitor>