When taking agent out of maintenance mode, old events are reprocessed and new alerts generated

We’ve been seeing a couple instances of this so I thought it would be worthy of a mention just in case any of you are running into the same thing.

Issue: When taking a System Center Operations Manager 2007 R2 agent out of maintenance mode, an agent with a large number of events in the application event log may have each of those events reprocessed, generating false or irrelevant alerts.

Resolution: There are three potential workarounds for this issue:

1. Clear the event log prior to putting a machine into Maintenance Mode.

2. Manually setup overrides to ignore the events.

3. Add the following registry key:

HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Modules\Global\NT Event Log DS

Create a DWord value named MaxEventBufferSize and set it to a decimal value of 500000.

Hope this helps,

Jeff Carter | Senior Support Engineer

Comments

• Anonymous
  January 01, 2003
  This workaround works for Windows Event Log based monitoring, but what about other type of log monitoring? I have the Unisys ES7000 Management pack installed, and have this same issue with alerts from it. The rule name is:  Unisys.ES7000.AlertMonitor.Slapi.Rule Any idea how to prevent the duplicates from it?

• Anonymous
  December 03, 2015
  The comment has been removed