KBI 311319 Failed Logon Audit Events On Remote Machine When Running Performance Rules Using Other Credential
Version
Argent Advanced Technology all versions
Date
Friday, 24 April 2015
Summary
Argent AT has to use other credentials to monitor a remote machine if either of the following is true:
- Machine is not in the same domain as Argent AT Engine
For example, it is in a workgroup in DMZ
- Argent AT service account has insufficient privileges to run Rules
For example, the service account is not a local Administrator
When running a Performance Rule with Use Other Credentials, the performance metrics can be retrieved successfully
However, if auditing of failed logons is turned ON in the local audit policy on the remote machine, a failed logon Audit Event appears in the Security Log every time the Performance Rule is executed
Technical Background
Argent AT uses the Microsoft PDH (Performance Data Helper) library to read Windows performance metrics
The PDH API always tries the current logon identity first, which is the Argent AT service account, before using the specified other credential
As a result, the failed Logon Audit Event is generated
The PDH library is part of the Windows OS
The behavior may change in future Windows OS versions
It is more a nuisance than an issue
The point that must be emphasized is that the performance data is still monitored correctly
Resolution
The failed Logon Audit Event can be avoided if the logon failure audit is turned OFF in the local security policy
Of course, this hides the issue rather than solving it
If security audit must be turned ON and the failed logon Events must be prevented at all cost, a local Trusted Agent can be installed to run the Performance Rules
Because the local Trusted Agent runs under the local administrator account, it is able to access the Performance counters
In this case, the ‘Other Credential’ is no longer necessary for the remote machine
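Added example, not Argent code or part of the original KB: where failed logon auditing stays ON, the expected PDH failures can be separated from other failures in exported Security Log events by pairing each failure of the service account with the Other Credential logon that follows it. It assumes Windows event IDs 4625 (failed logon) and 4624 (successful logon) and that successful logons are audited as well. The account names, engine address and 5-second window are constructed placeholders.

```python
from datetime import datetime, timedelta

# Assumptions (not from the KB): Windows Vista/2008+ event IDs; the account
# names, engine address and pairing window below are constructed values.
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
ARGENT_SERVICE_ACCOUNT = "CORP\\svc-argent"   # hypothetical engine service account
OTHER_CREDENTIAL = "DMZ01\\perfmon"           # hypothetical 'Other Credential'
ARGENT_ENGINE_IP = "10.0.0.5"                 # hypothetical engine address
WINDOW = timedelta(seconds=5)

def classify_failed_logons(events):
    """Split 4625 events into expected PDH noise and failures needing review.

    A failure counts as PDH noise only if it names the engine's service
    account, comes from the engine's address, and is followed within WINDOW
    by a successful logon of the Other Credential from that same address.
    """
    events = sorted(events, key=lambda e: e["time"])
    successes = [e for e in events
                 if e["id"] == SUCCESSFUL_LOGON
                 and e["user"].lower() == OTHER_CREDENTIAL.lower()
                 and e["ip"] == ARGENT_ENGINE_IP]
    noise, review = [], []
    for e in events:
        if e["id"] != FAILED_LOGON:
            continue
        paired = (e["user"].lower() == ARGENT_SERVICE_ACCOUNT.lower()
                  and e["ip"] == ARGENT_ENGINE_IP
                  and any(timedelta(0) <= s["time"] - e["time"] <= WINDOW
                          for s in successes))
        (noise if paired else review).append(e)
    return noise, review

def make_event(ts, event_id, user, ip):
    return {"time": datetime.fromisoformat(ts), "id": event_id, "user": user, "ip": ip}

# Constructed sample, shaped like fields exported from the Security Log.
SAMPLE = [
    make_event("2015-04-24T10:00:00", 4625, "CORP\\svc-argent", "10.0.0.5"),      # PDH first try
    make_event("2015-04-24T10:00:01", 4624, "DMZ01\\perfmon", "10.0.0.5"),        # Other Credential
    make_event("2015-04-24T10:03:10", 4625, "DMZ01\\Administrator", "10.0.0.77"), # unrelated source
    make_event("2015-04-24T10:05:00", 4625, "CORP\\svc-argent", "10.0.0.5"),      # no success follows
]

if __name__ == "__main__":
    noise, review = classify_failed_logons(SAMPLE)
    print(len(noise), "expected PDH failure(s),", len(review), "to review")
```

The last sample event is kept for review because a service account failure with no Other Credential success after it suggests the rule itself did not authenticate.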