Jump to content


Photo

ALEService log grows out of control with errors

logon failure domain controller DC event

  • Please log in to reply
1 reply to this topic

#1 Sysadminnewb

Sysadminnewb

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 12 January 2017 - 01:39 PM

I never really got ALE to work properly, but started paying more attention to it recently. I'd love to get the remote unlock part to work and while troubleshooting in the ALEService log I found it was almost about 550MB in size :blink: I stopped the service, deleted the log, restarted and got a fresh log going.

 

Same errors every few seconds:

 

 

ALEService.exe Error: 0 : [TID: 22, Time: 1/12/2017 8:26:02 AM] MONITORING: Server: DC.contoso.com

System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)

at System.Management.ManagementScope.InitializeGuts(Object o)

at System.Management.ManagementScope.Initialize()

at System.Management.ManagementObjectSearcher.Initialize()

at System.Management.ManagementObjectSearcher.Get()

at ALService.EventWatch.DefaultManagementEventWatcher.ReadLog()

at ALService.EventWatch.DefaultManagementEventWatcher.Run()

at ALService.Entities.MonitoredServers.MonitoredServer.ConnectionLoop(Object stateObj)

ALEService.exe Information: 0 : [TID: 24, Time: 1/12/2017 8:26:02 AM] MONITORING: Init WMI Domain watcher, server: DC5.contoso.com

ALEService.exe Error: 0 : [TID: 24, Time: 1/12/2017 8:26:02 AM] MONITORING: Reading log WMI watcher. DC5.contoso.com:

System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)

at System.Management.ManagementScope.InitializeGuts(Object o)

at System.Management.ManagementScope.Initialize()

at System.Management.ManagementObjectSearcher.Initialize()

at System.Management.ManagementObjectSearcher.Get()

at ALService.EventWatch.DefaultManagementEventWatcher.ReadLog()

ALEService.exe Error: 0 : [TID: 24, Time: 1/12/2017 8:26:02 AM] MONITORING: Server: DC5.contoso.com

System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)

at System.Management.ManagementScope.InitializeGuts(Object o)

at System.Management.ManagementScope.Initialize()

at System.Management.ManagementObjectSearcher.Initialize()

at System.Management.ManagementObjectSearcher.Get()

at ALService.EventWatch.DefaultManagementEventWatcher.ReadLog()

at ALService.EventWatch.DefaultManagementEventWatcher.Run()

at ALService.Entities.MonitoredServers.MonitoredServer.ConnectionLoop(Object stateObj)

ALEService.exe Information: 0 : [TID: 11, Time: 1/12/2017 8:26:20 AM] EVENT WATCHING INFO: Logon failure event: #220456467 from DC4.contoso.com. sid NTAccount: S-1-5-21-2887211811-4004433610-1778173099-2838. Time generated: 1/12/2017 1:26:06 PM

ALEService.exe Information: 0 : [TID: 11, Time: 1/12/2017 8:26:54 AM] EVENT WATCHING INFO: Logon failure event: #220456533 from DC4.contoso.com. sid NTAccount: S-1-5-21-2887211811-4004433610-1778173099-2838. Time generated: 1/12/2017 1:26:41 PM

 

 

ALE is installed on DC4 if that makes a difference. This started happening when I enabled Success and Failure events in the DC GPO's like it instructs you to do in the admin guide and in the settings under domains. I know it's saying access is denied, which leads me to believe the admin account I put in the Netwrix service account isn't working? I've tried a few different users with domain admin privileges, but still doesn't work.  



#2 Sysadminnewb

Sysadminnewb

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 16 January 2017 - 09:04 PM

Don't worry guys! I got this...

 

I found the answer here:

https://www.netwrix.com/kb/1661

 

I didn't realize it was actually reporting from what it was finding in the event logs that a particular account was attempting to login and failing. The link above tells you how to reduce the refresh and constant reporting of the same login failures so it doesn't grow out of control.

 

I'm now going to hunt down where it's been failing to login or whatever it's problem is with the one user. I would have figured it would have locked the account? *shrug*






0 user(s) are reading this topic

0 members, guests, anonymous users