KBI 311780 Suppress False Positive Alerts Regarding An Expiring Exchange Server Certificate


Argent Advanced Technology – All Versions


Thursday, 3 October 2019


This article is about how to suppress false alerts regarding an expiring Exchange Server certificate

Technical Background

Customers using Argent for Compliance to monitor the Application Event Log for Exchange Events may receive false positive Alerts stating that an Exchange Server certificate will expire soon

These false positive Alerts are caused by legitimate Events recorded as Event IDs 12017 and 12018 in the Windows Application Event Logs

Examples can be seen below

Event IDs 12017 and 12018 are relevant to Exchange 2010, 2013, and 2016

Relevancy to Exchange 2019 is still to be confirmed

Example of Event ID: 12017

Date: 30/09/2019

Time: 12:24:15

Event Log Name: Application

Event Log Type: Error

Source: MSExchangeTransport

Category: TransportService

Event ID: 12017

User (If Applicable): N/A

Computer: server.domain.com

Event Description: An internal transport certificate will expire soon. A41370EEC5510BD5D5F3D1DB4A8D27846F045A2C, hours remaining: 664


To suppress false alerts for expiring Exchange Server certificates, customers can update the relevant Windows Event Log Rule in Argent for Compliance by adding an Event log filter

The common phrase “certificate will expire soon” in the Event ID 12017 and 12018 messages can be used for the exclusion

Example screenshots can be seen below

Please keep in mind that if the Rule is applied to multiple Nodes, the monitoring exclusion will affect all of those Nodes

The exclusion is done at the Argent level, and no change is made to the Exchange environment