KBI 311780 Suppress False Positive Alerts Regarding An Expiring Exchange Server Certificate
Version
Argent Advanced Technology – All Versions
Date
Thursday, 3 October 2019
Summary
This article describes how to suppress false alerts regarding an expiring Exchange Server certificate.
Technical Background
Customers using Argent for Compliance to monitor the Application Event Log for Exchange Events may receive false positive Alerts stating that an Exchange Server certificate will expire soon.
These false positive Alerts are caused by legitimate Events recorded as Event IDs 12017 and 12018 in the Windows Application Event Logs.
Examples can be seen below.
Event IDs 12017 and 12018 are relevant to Exchange 2010, 2013, and 2016.
Relevance to Exchange 2019 is still to be confirmed.
Example of Event ID: 12017
Date: 30/09/2019
Time: 12:24:15
Event Log Name: Application
Event Log Type: Error
Source: MSExchangeTransport
Category: TransportService
Event ID: 12017
User (If Applicable): N/A
Computer: server.domain.com
Event Description: An internal transport certificate will expire soon. A41370EEC5510BD5D5F3D1DB4A8D27846F045A2C, hours remaining: 664
Resolution
To suppress false alerts for expiring Exchange Server certificates, customers can update the relevant Windows Event Log Rule in Argent for Compliance by adding an Event Log filter.
The common phrase “certificate will expire soon” in the Event ID 12017 and 12018 messages can be used for the exclusion.
Example screenshots can be seen below.
Please keep in mind that if the Rule is applied to multiple Nodes, the monitoring exclusion will affect all of those Nodes.
The exclusion is done at the Argent level, and no change is made to the Exchange environment.
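
Because the exclusion hides every Event containing the phrase, the certificate these Events refer to can be reviewed directly on the Exchange server. The PowerShell below is an added example, not part of the original Argent article or of Argent's product; the function name ConvertFrom-CertExpiryEvent, the assumption that Event ID 12018 uses the same "hours remaining" wording as the 12017 sample, and the LocalMachine\My store location are assumptions.

```powershell
# Added example, not Argent or Microsoft code.
function ConvertFrom-CertExpiryEvent {
    param(
        [Parameter(Mandatory)] [int]      $Id,
        [Parameter(Mandatory)] [datetime] $TimeCreated,
        [Parameter(Mandatory)] [string]   $Message
    )
    # Only messages carrying the phrase used for the Argent exclusion are relevant.
    if ($Message -notmatch 'certificate will expire soon') { return }

    # Assumption: 12018 also carries "hours remaining: <n>", as the 12017 sample does.
    $hours = $null
    if ($Message -match 'hours remaining:\s*(\d+)') { $hours = [int]$Matches[1] }

    # The 12017 sample includes a 40-hex-digit thumbprint; treat it as optional.
    $thumb = $null
    if ($Message -match '\b([0-9A-Fa-f]{40})\b') { $thumb = $Matches[1].ToUpper() }

    $expiry = $null
    if ($null -ne $hours) { $expiry = $TimeCreated.AddHours($hours) }

    [pscustomobject]@{
        EventId         = $Id
        Logged          = $TimeCreated
        Thumbprint      = $thumb
        HoursRemaining  = $hours
        EstimatedExpiry = $expiry
    }
}

# Constructed input: the Event ID 12017 description quoted in this article.
ConvertFrom-CertExpiryEvent -Id 12017 -TimeCreated ([datetime]'2019-09-30T12:24:15') `
    -Message 'An internal transport certificate will expire soon. A41370EEC5510BD5D5F3D1DB4A8D27846F045A2C, hours remaining: 664'

# On the Exchange server: read the live events and look up each thumbprint.
# Assumption: the certificate is in the LocalMachine\My store.
$filter = @{ LogName = 'Application'; ProviderName = 'MSExchangeTransport'; Id = 12017, 12018 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-CertExpiryEvent -Id $_.Id -TimeCreated $_.TimeCreated -Message $_.Message } |
    ForEach-Object {
        $cert = $null
        if ($_.Thumbprint) {
            $cert = Get-Item "Cert:\LocalMachine\My\$($_.Thumbprint)" -ErrorAction SilentlyContinue
        }
        $_ | Add-Member -NotePropertyName StoreNotAfter -NotePropertyValue $cert.NotAfter -PassThru
    }
```

An empty StoreNotAfter means no certificate with that thumbprint was found in the assumed store, for example because the Event carried no thumbprint.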