EPM reports "Windows Event Log System Failure Error" with no matching error found in server log

Jan 3, 2013 at 5:22 PM
Edited Jan 3, 2013 at 6:01 PM

I just added a new server to my existing EPM system.  EPM is reporting that it found several problems in the Windows log.  For example:

> Category - MS BP: Win Log
> Policy Name - Windows Event Log System Failure Error
> Policy Status - ERROR 
> Policy Target - DEFAULT
> Date Created - 12/8/2011 2:27:33 PM
> Created By - khemmerling
> Date Modified - 12/22/2011 10:21:26 AM
> Modified By - svcsql_2008EPM
> Detects Error Event ID 6008 in the System Log.

This error goes back over a year (12/8/2011) as today is 1/3/2013.  When I check the System Log on the server, I don't see any entries going back that far.  How do I clean this up to stop what appears to be a meaningless error?

Any help would be greatly appreciated.





Jan 3, 2013 at 5:59 PM

The error was misleading. When I checked the PowerShell results directory ("D:\MSSQL10.CMS\EPM\Results" on my installation), I found the XML files for each of the policies, and buried within those I found the following:

<DMF:Exception type="string">
Exception encountered while executing policy 'Windows Event Log System Failure Error'.
---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

So my problem is with security permissions. Here's what I did to fix it:

In order to monitor Windows log files on a remote server, we need to make the following security changes. Connect to the remote server and perform the following steps to grant access to WMI:

Start > Run > wmimgmt.msc

In the tree view on the left, right-click on WMI Control (Local) and select Properties.

Click on the Security tab, expand the tree and click on CIMV2 to highlight it.

Click on the Security button.

Click Add, type in <monitoring_account> and click on Check Names.

Click OK. Now grant <monitoring_account> additional access by putting a checkmark in “Execute Methods”, “Full Write”, “Partial Write”, “Provider Write”, “Remote Enable” and “Read Security”. Make sure that “Edit Security” remains unchecked.  Click Apply and OK.

Repeat the same steps for the “ms_409” branch directly under CIMV2.

Click on ms_409 > Security > Add > <monitoring_account> > Check Names > OK > Checkmarks on Execute Methods, Full Write, Partial Write, Provider Write, Enable Account (checked by default), Remote Enable and Read Security. Make sure Edit Security is not checked. Click Apply > OK > OK.

The grants to WMI are now complete; close the WMI management console.

The next step is to grant access to DCOM.

1. Click Start > Run > DCOMCNFG > OK.

2. In the treeview on the left, expand Component Services, expand Computers, and then right-click My Computer and click Properties.

3. In the My Computer Properties dialog box, click the COM Security tab.

4. Under Launch and Activation Permissions, click Edit Limits to open the “Launch and Activation Permissions” dialog box.

5. Click Add and enter <monitoring_account> and click Check Names, then click OK.

6. Leave the Allow check on “Local Launch” and place checks on “Remote Launch” and “Remote Activation” as well. Click OK when done.

7. Click Apply and OK. Close the component service application as DCOM security changes are now complete.
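
To confirm the WMI grants described in the post above, the namespace ACLs can be read back and decoded. This is an added example, not part of the original post or of EPM; it assumes Windows PowerShell 3.0 or later run elevated on the monitored server, and `monitoring_account` is a placeholder for the real account name.

```powershell
# Added example: list the WMI namespace rights held by the monitoring account.
param(
    [string]$Account = 'monitoring_account',   # placeholder, replace with the real name
    [string[]]$Namespace = @('root\cimv2', 'root\cimv2\ms_409')
)

# WMI namespace access-mask bits, labelled as they appear in wmimgmt.msc
$rights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

foreach ($ns in $Namespace) {
    # __SystemSecurity is the singleton holding the namespace security descriptor
    $result = Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        Write-Warning "$ns : GetSecurityDescriptor returned $($result.ReturnValue)"
        continue
    }
    # Keep only the ACEs whose trustee is the monitoring account
    $aces = @($result.Descriptor.DACL | Where-Object { $_.Trustee.Name -eq $Account })
    if ($aces.Count -eq 0) {
        Write-Warning "$ns : no ACE found for $Account"
        continue
    }
    foreach ($ace in $aces) {
        $granted = $rights.Keys | Where-Object { $ace.AccessMask -band $rights[$_] }
        [pscustomobject]@{
            Namespace    = $ns
            Trustee      = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            AceType      = if ($ace.AceType -eq 0) { 'Allow' } elseif ($ace.AceType -eq 1) { 'Deny' } else { $ace.AceType }
            Rights       = $granted -join ', '
            # Should be False: the procedure leaves "Edit Security" unchecked
            EditSecurity = [bool]($ace.AccessMask -band $rights['Edit Security'])
        }
    }
}
```

Rights the account receives through group membership appear under the group's ACE rather than under the account name, so a missing ACE here does not by itself mean the account has no access.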


Feb 13, 2013 at 12:48 PM
Excellent, glad you found a fix, and thank you for posting for others to learn from.