SCOM 2012 Event Log Alarming

Similar Messages

• SCOM 2012 - Event log analyzing?

  Hey all,
  I am new in scom and have a question about event logs. it is possible to analyze the event logs of servers or can it only use for monitoring of events ?
  Did anybody have more information about that?
  Please help and thanks in advice.

  If you dump those logs on a server with a SCOM agent, you can create a monitor that will use the log reader module to parse through the log to find matching data and raise alerts.  The logs reader provider has a few different types of files it can read.
   Check it out.
  http://social.technet.microsoft.com/Forums/systemcenter/en-US/aa3ad3b8-9a28-48c2-959a-cb628db1d647/text-log-monitorrule-and-cleared-logfile?forum=operationsmanagerauthoring
  Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.

• SCOM 2012 - Event ID 6024 (Launching Restart Health Service. Health Service exceeded Process\Handle Count or Private Bytes threshhold.)

  I am getting event ID 6024 (LaunchRestartHealthService.js : Launching Restart Health Service. Health Service exceeded Process\Handle Count or Private Bytes threshhold.) within an interval ranging from 12-17 minutes.
  I am using SCOM (2012 SP1 and 2012 R2) on Windows Server (2008 R2 / 2012 / 2012 R2).
  This issue is occurring only on agent managed computer (acting as proxy and discover managed objects on other computers setting is enabled) which i am using for monitoring my device. All discovery scripts (powershell) and monitors are targeted on this agent
  managed computer.
  There are total 80 discoveries and 900 monitors. 55 discoveries and 550 monitors are enabled by default and rest all are disabled.
  I am seeing event id 6024 frequently only on agent managed computer. Can anyone help me to resolve this issue.
  Thanks,
  Mukul

  To fix issue 6024, you can follow below steps:
  1. Open SCOM console. Go to Monitors -> Agent -> Entity Health -> Performance -> Health Service Performance -> Health Service State.
  2. Double click Health Service Handle Count Threshold monitor and go to Overrides page.
  3. Click Override -> For a specific object of Class: Agent. Select the affected SCOM agent QMXServer.
  4. Check on the parameter Agent Performance Monitor Type - Threshold. Change the default value 2000 to an appropriate value, like 4000. You can check the Health service handle count alert in SCOM console to get the value when the alert is generated. You
  can also launch the health explorer against QMXServer to check the value when the monitor state is changed from healthy to critical.
  Also you can refer below links
  http://blogs.technet.com/b/omx/archive/2013/10/17/health-service-restarts-on-service-manager-servers-with-scom-agents.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical | Twitter:
  Mai Ali

• SCOM 2012 R2 - Log or event

  Hi,
  Can any one let me know if we can check who and when a monitor or rule or task created in SCOM console.If someone creates a rule or monitor,will it be logged somewher.
  Thanks in advance
  Bunny

  For Log files that show who created rules, you can refer below link
  https://support.microsoft.com/kb/2691973?wa=wsignin1.0
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical | Twitter:
  Mai Ali

• SCOM 2012 event id 10801 cluster disks don't discovered.

  Hello.
  I have errors in Operations Manager log:
  Discovery data couldn't be inserted to the database. This could have happened because  of one of the following reasons:
       - Discovery data is stale. The discovery data is generated by an MP recently deleted.
       - Database connectivity problems or database running out of space.
       - Discovery data received is not valid.
   The following details should help to further diagnose:
   DiscoveryId: 5a84ee62-20c2-46a2-10b9-3dedaff65df6
   HealthServiceId: 3aeaca7c-48de-c0fc-0441-ffd5ef7aa7c3
   Microsoft.EnterpriseManagement.Common.DiscoveryDataInvalidRelationshipTargetException,The relationship target specified in the discovery data item is not valid.
  Relationship target ID: 2478193e-1a5f-4087-1b5f-95459123321e
  Rule ID: 5a84ee62-20c2-46a2-10b9-3dedaff65df6
  Instance:
  <?xml version="1.0" encoding="utf-16"?><RelationshipInstance TypeId="{acfe2f40-0a73-6764-21a5-bf59c41b2844}" SourceTypeId="{00000000-0000-0000-0000-000000000000}" TargetTypeId="{00000000-0000-0000-0000-000000000000}"><Settings
  /><SourceRole><Settings><Setting><Name>5c324096-d928-76db-e9e7-e629dcc261b1</Name><Value>SQL-01</Value></Setting><Setting><Name>af13c36e-9197-95f7-393c-84aa6638fec9</Name><Value>\\.\PHYSICALDRIVE18</Value></Setting></Settings></SourceRole><TargetRole><Settings><Setting><Name>5c324096-d928-76db-e9e7-e629dcc261b1</Name><Value>PDC-S-SQL-01.sibgenco.local</Value></Setting><Setting><Name>af13c36e-9197-95f7-393c-84aa6638fec9</Name><Value>Disk
  #18, Partition #0</Value></Setting></Settings></TargetRole></RelationshipInstance>.
  SQL-01 is server with clusters disks, and cluster disks are don't discovered.

  Hi,
  Hope the below articles can be helpful:
  Cluster resource groups are not monitored! Is there anything I can do?
  http://blogs.msdn.com/b/mariussutara/archive/2008/05/03/cluster-resource-groups-are-not-monitored-is-there-anything-i-can-do.aspx
  Event ID 10801 and 33333 in Operations Manager log
  http://www.itbl0b.com/2014/02/event-id-10801-33333-operations-manager-log.html#.U-QwunmKBes
  Please Note: Since site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information the web.
  Regards, Yan Li

• SCOM 2012 Event ID 21006 and 21016

  I'm having a connection issue with a newly created gateway server to my management server, that sits in an untrusted DMZ. I have been able to get one gateway working from the DMZ but the one in question is receiving;
  Event ID 21006 :  The OpsMgr Connector could not connect to frw0725.gecio.corp.net:5723.  The error code is 11004L(The requested
  name is valid, but no data of the requested type was found.).  Please verify there is network connectivity, the server is running and has registered it's listening port, and there are no firewalls blocking traffic to the destination.
  Event ID 21016 : OpsMgr was unable to set up a communications channel to frw0725.gecio.corp.net and there are no failover hosts. 
  Communication will resume when frw0725.gecio.corp.net is available and communication from this computer is allowed.
  I have performed the following actions and verifications;
  Services have been restarted on both servers
  certimport has been completed and gatewayapproval has been completed.
  I was able to telnet from MS to GW and from GW to MS, so connection through the firewall is ok.
  DNS appears to be ok, ping’s issued from both servers and they resolve to the correct IP address, however they timeout which is expected
  Event ID 20053 is being received stating that the OpsMgr Connector has loaded the specified authentication certificate successfully.
  I checked the serial number for the personal certificate against what is listed in the registry (reversed) and it matches.
  The Private Key is in place and the cert path is correct
  I also verified in HKLM\Software\Microsoft\Microsoft Operations manager\3.0\Agent Management Groups\" that the correct configuration is being picked up
  I'm looking for some additional guidance or suggestions on what else I can check to get this gateway to show monitored from teh console. Thanks for the help.

  Please check if the certificate was stored in the GW server Computer Personal Store when you first installed it.
  Asuming that the certificate is ok since it is actually working in another GW, perhaps the certificate is in the wrong store (Current User Personal store instead of
  Computer's personal store). In that case you only need to move the certificate to the right store and run momcertimport.exe again. Check Link Below for a detailed step-by-step
  If you still want to clear certificates from the server's personal store, you can do it through both certificates mmc snap-in or certutil.exe -delstore command line
  Also you may want to check this great Step by Step article about installing an OpsMgr GW server:
  http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx 
    Regards

• SCOM 2012 SP1 UR4 management servers grey state

  Hi,
  My SCOM environment is made up of the below :-
  SCOM 2012 SP1 UR4.
  3 SCOM Management Servers all on Windows 2008 R2 SP1.
  Shared SQL 2008 cluster with 2 Windows nodes also on same OS.
  Just recently all our SCOM management servers have been flipping in and out from grey to green state.  Gateways/agents all look ok as showing green.  Alerting from agents appears normal as can see lots of them in console.
  Have flushed the health state cache folder on all 3 SCOM MS's and still the same issue.
  Appreciate any help on this one.

  Event id: 7011 - Was your server recently patched (Installed by any automatic updates) ?
  IS SCCM Configured in your MS? If Yes disable and check?
  Is Windows update service running ? Stop if for one or two days and check if this issue still appears
  Reference threads:
  http://social.technet.microsoft.com/Forums/en-US/b86e5a3d-0c2e-4d5e-9d3d-905da91fc982/scom-2012-event-id-7011-service-control-manager-error-when-fep-definition-updates-apply?forum=configmanagersecurity
  http://stefanroth.net/2012/09/26/scom-2012-event-id-7011-service-control-manager-error/
  Solution also available in: http://technet.microsoft.com/en-us/library/cc756319(v=ws.10).aspx
  ===========================================
  For Event id 20026 - 
  1. Does your Operationsmanager database have enough space ? Check that first.
  What is you DB size ?
  How much is the free space left ?
  2. Was there any resent change in the SCOM Action accoutn password ? Or has the password expired. Try re entering the SCOM Action password by re directing your self to Administration tab --> Run as Config -- > Accounts --> SCOM Action account.
  The description would be - This is the user account under which all rules run by default on the agent.
  Right click and go to properties and re enter the account name and password there and check.
  Refer the below screen shot
  Check this article as well:
  http://social.technet.microsoft.com/Forums/systemcenter/en-US/102d443c-db0e-4bf2-b0d6-31d7f9328537/all-agents-greyed-out-multiple-event-errors-with-ids-20026-20028?forum=operationsmanagergeneral
  ============================================
  Event id : 11904 - As per my knowledge appears due to incorrect Alrting string display name selected in any Rule or monitor.
  Also the description what you pasted in Event id : 11904 says Microsoft.SystemCenter.HealthService.ActionAccountConfigured.Error as highlighted below.
  Suggest to re enter the action account password and tell the results.
  Also is the Healthservice on the MS running using System account or Domain account ?
  =================================================================
  Description : The Microsoft Operations Manager Expression filter Module failed to query the delivered item, item was dropped.
  Property Expression: Reachability/State
  Error : 0XC00EE22
  One or more workflows were affected by this. Workflow
  name: Microsoft.SystemCenter.HealthService.ActionAccountConfigured.Error
  Gautam.75801

• SCOM 2012 R2 Exchange Correlation Service , we receive almost at every day in the Event log Application the Event720

  HI
  Since the SCOM was Upgrade to R2 
  Almost at every Day, we receive in the Event log application the Event 720 from the correlation service Source MSExchangeMonitoring Correlation
  This arrives always around 7:20AM, someday is at 7:19, other at 7:21. It is always approximately at the same hour, but we never have any problem during weekend
  The description of the Event
  Exceeded maximum time (15 minutes) to wait for completion of all CorrelateBatchTask threads.
  After that the correlation stop to work. At the Same time if we tried to open the SCOM Console on that server we was unable to open it. Also we was not able to open the SCOM PowerShell
  And also we cannot from that server to get which server is the RMS if we run get-SCOMRMSEmulator .  (This the RMS Server)
  When this arrive, the only thing we found, it to reboot the server or restart de SCOM service, after the Reboot the Correlation begin to work
  We got also many Event 714 Critical and after this Event 711 Warning
  Thank

  Have a look at: https://social.technet.microsoft.com/Forums/systemcenter/en-US/e75e84d9-0c9e-4d83-b3da-45a143757f85/exchange-2010-monitoring-with-scom-2012-correlation-service-issue
  One user reported an issue with the exchange correlation engine after upgrade and said that:
  I had issues with the corellation engine after upgrading scom 2012 to R2.
  The MomBidLdr.dll version changed in the SCOM directories, and needs to be updated in the:
  C:\Program Files\Microsoft\Exchange Server\v14\Bin directory.
  That seemed to stop the errors for me.
  Some troubleshooting steps listed here also:
  https://technet.microsoft.com/en-us/library/ff360495(v=exchg.140).aspx
  Cheers,
  Martin
  Blog:
  http://sustaslog.wordpress.com 
  LinkedIn:
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• How do "you" monitor event logs in SCOM 2012? Need opinions.

  Fairly new to SCOM. Do you monitor all event logs? Just warnings and critical? How do you filter out things you don't want to see?
  Looking for opinions here not just a "how-to".
  Thanks,

  Steps in creating a Event based Alerting Rule.
  1. Open the Operations Manager Console. 
  2. Go to Authoring. 
  3. Under Authoring - Management Pack Objects - Select Rules 
  4. Right click on Rules and select - Create a new rule 
  5. Select Alert Generating Rules - Event Based - NT Event Log (Alert) 
  6. On the same screen select your destination management pack and click Next 
  7. Give a name to your Rule and optionally give it a Description. 
  8. Rule Category can be anything you like. 
  9. Select the Rule Target as the class of your choice, normally it can be Windows Computer. 
  10. Make sure the Rule is Enabled and select Next. 
  11. Select the Event log name from where event will be monitored and click Next.  (for example Application or System
  or Security) 
  12. Build the Expression to filter the events with the below details: 
       a. Parameter Name = Event ID, Operator = Equals and Value = (any event id of your choice) 
       b. Parameter Name = Event Source, Operator = Equals and Value = (any source of your choice) (you
  may delete this filter if you want) 
       c. Click on Insert button at Top and it will put the cursor at Parameter Name, click square button
  with 3 dots [...] and it will popup another screen. 
       d. In that box, select the 3rd radio button named 'Use parameter name not specified above' and there
  manually type 'EventDescription' (without quotes) and click OK. 
       e. Then come back to filter screen, now here you will see Parameter Name = EventDescription, and
  for Operator select Contains and then for Value you can type any word you want to key on from the Event description. 
  13. After building the desired Expression, click Next. 
  14. Configure Alerts as you like and click the Create button.
  To get the Alerting event details. Go to Start menu and in Run window type eventvwr.
  And put the details on the wizard as per the below screenshot.
  Refer: http://blogs.technet.com/b/operationsmgr/archive/2008/11/12/opsmgr-2007-how-to-create-an-alert-rule-based-on-an-event-description.aspx
  Gautam.75801

• SCOM 2012 R2 error NTFS - Delayed Write Lost. Windows Event ID 11

  Hi, we seem to be getting a few alerts in our SCOM console regarding NTFS - Delayed Write Lost alerts. We are running HP ML350e Gen8 servers with Server 2012 R2 OS installed. In System event logs we receive event ID error 11.
  The driver detected a controller error on \Device\Harddisk1\DR1.
  The controller used is a Smart Array P420
  I've installed the latest HP Service Pack, installed the latest drivers for the P420, etc.
  No errors are showing in the HP Array diagnostics tools.
  Any help would be greatly appreciated.

  Hi,
  Description of the Event ID 50 Error Message
  http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2.3790.1830&EvtID=50&EvtSrc=ntfs&LCID=1033
  According to information above, I think event ID 11, disk issues could be the culprit.
  I recommend you contact with HP to confirm the information.

• Event id 31551 in scom 2012 server

  Dear Team,
  We are getting continuously the following error event id 31551 on our SCOM 2012 SP1 server as below.
  Please let me know how to resolve this.
  Log Name:      Operations Manager
  Source:        Health Service Modules
  Date:          02/01/2015 13:52:42
  Event ID:      31551
  Task Category: Data Warehouse
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      LOXXXXXXX.XXXX
  Description:
  Failed to store data in the Data Warehouse. The operation will be retried.
  Exception 'SqlException': Cannot open database "OperationsManagerDW" requested by the login. The login failed.
  Login failed for user 'WREN\SVC-SC-OM12-DW'. 
  One or more workflows were affected by this.  
  Workflow name: Microsoft.SystemCenter.DataWarehouse.CollectEntityHealthStateChange 
  Instance name: LONSCOM001.wren.co.uk 
  Instance ID: {0F89A4D1-B7D5-8658-29A8-E0CAFAA602CF} 
  Management group: Brit Insurance
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Health Service Modules" />
      <EventID Qualifiers="49152">31551</EventID>
      <Level>2</Level>
      <Task>3</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2015-01-02T13:52:42.000000000Z" />
      <EventRecordID>933223</EventRecordID>
      <Channel>Operations Manager</Channel>
      <Computer>LOXXXXXXX.XXXX</Computer>
      <Security />
    </System>
    <EventData>
      <Data>Brit Insurance</Data>
      <Data>Microsoft.SystemCenter.DataWarehouse.CollectEntityHealthStateChange</Data>
      <Data>LONSCOM001.wren.co.uk</Data>
      <Data>{0F89A4D1-B7D5-8658-29A8-E0CAFAA602CF}</Data>
      <Data>SqlException</Data>
      <Data>Cannot open database "OperationsManagerDW" requested by the login. The login failed.
  Login failed for user 'WREN\SVC-SC-OM12-DW'.</Data>
    </EventData>
  </Event>
  Saravana Raja

  Hi,
  Based on the error message, the login failed for user 'WREN\SVC-SC-OM12-DW', have you changed its password? Please make sure the account can access the SQL server where your data warehouse installed.
  Or we may reset the account. And the article below should be helpful for changing password for data warehouse account:
  Changing Password on SCOM Data Warehouse run as accounts
  http://blogs.technet.com/b/randymonteleone/archive/2010/03/12/changing-password-on-scom-data-warehouse-run-as-accounts.aspx
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help.

• "Allow log on locally" permission (SetInteractiveLogonRight) for SCOM 2012

  Hi Experts,
  Do we need to have  “Allow log on locally” permission (SetInteractiveLogonRight) for any of the SCOM accounts in 2012 R2?
  If yes why?
  Regards,
  Prajul Nambiar

  Yes, The default action account must have the following minimum privileges:
  • Member of the local Users group
  • Member of the local Performance Monitor Users group
  • Allow log-on-locally permission (SetInteractiveLogonRight)
  because SCOM provide you with monitoring for agents which need to access event viewer of this server to show you any issue that happened.
  Monitoring and collecting Windows event log data.
  Monitoring and collecting Windows performance counter data.
  Monitoring and collecting Windows Management Instrumentation (WMI) data.
  Running actions such as scripts or batches.
  Also you can refer below link
  https://technet.microsoft.com/en-us/library/hh212808.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"Mai Ali | My blog:
  Technical | Twitter:
  Mai Ali

• Does the SCOM 2012 agent "look back" in the logs before the service was started?

  Does the SCOM 2012 agent "look back" in the logs before the service was started?<o:p></o:p>
  We raised this question to our Microsoft rep back when we migrated to SCOM 2007. We wanted to know if SCOM would alert on errors generated before the Heath Service started. For example, errors
  logged before the service is started on reboot (which is when some critical errors are logged). We also wondered what happens when the service is restarted...would errors during the same window be missed?
  If I remember correctly the MS response was that the agent looks back on startup/restart based on a timestamp of some kind. We did some testing that seemed to confirm this information. I've
  recently encountered several instances of errors generated while the service was stopped (primarily during boot up) where SCOM failed to alert on the error.
  Can anyone confirm how the SCOM 2012 agent deals with errors generated before the service starts on boot and during service restarts?

  I would suspect it's with watermarks as it has been in the past.  What you should look into is if these alerts you were expecting are event based, and if there are rules set to alert for these conditions.  If so, and you don't get an alert,
  then you can bring that up with your msft rep.  However, they should be caught.
  Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.
  There is a watermark. If the agent has been down for a significant period of time, the watermark may not apply, as the log would have rolled - but the entire log will still be processed regardless of what has already been discarded in the log. This may cause
  some problems if a monitor picks up an unhealthy state, and the healthy state log entry has already been flushed. In this case, you need to reset health on that particular monitor, or just flush the cache on the agent to start anew.
  Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

• Is it possible to use SCOM 2012 R2 with the new Azure Managment Pack to monitor Aure Wadlog Events for azure sdk 2.5

  My operations team has been using MOM 2007 and has recently migrated to SCOM 2012 R2.
  Till now we are using Monitoring Pack management packs which were released way earlier (https://www.microsoft.com/en-us/download/details.aspx?id=11324),
  and had a dependency on diagonstics connection string being present in the cscfg of Azure package.
  This pack was allowing us to monitor the wad logs and events generated by applications.
  However we plan to move to newer Azure managemen pack (http://www.microsoft.com/en-us/download/details.aspx?id=38414), which allows for discoverability.
  I have 2 questions -
  Is it possible to monitor Diagonstics Event Log with the new Monitoring Pack released on 10/2014 ? Or will the users still require the earlier pack for monitoring diagnostics installed in parallel ?
  Azure SDK 2.5 got rid of diagonstics connection string. Is there any possible way to Monitor of Azure Diagonstics wadlogs using SCOM 2012 R2
  Thanks,
  Pratush

  Hi Pratush,
  I would like to suggest you go through the management pack guide to get details. And you should be able to create custom monitor to monitor event logs for Azure.
  Hope the below links be helpful for you regarding to monitoring Azure:
  How to monitor your Windows Azure application with System Center 2012 (Part 2)
  http://blogs.technet.com/b/dcaro/archive/2012/05/03/how-to-monitor-your-windows-azure-application-with-system-center-2012-part-2.aspx
  Windows Azure and SCOM 2012
  https://social.msdn.microsoft.com/Forums/azure/en-US/ecb409e2-8595-40e8-9a73-757b670b06db/windows-azure-and-scom-2012?forum=windowsazuremanagement
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Event ID 26319 on SCOM 2012 R2 Management server with RMS emulator role

  Hi all,
  Two weeks ago we've setup a new SCOM 2012 R2 environment.
  We now have the problem that event 26319 is logged every 5 minutes.
  An exception was thrown while processing GetUserRolesForOperationAndUser for session ID uuid:dca9765e-37a4-40fc-bb9e-575f278447f9;id=63.
   Exception message: Value does not fall within the expected range.
   Full Exception: System.ArgumentException: Value does not fall within the expected range.
     at Microsoft.Interop.Security.AzRoles.IAzApplication2.InitializeClientContextFromStringSid(String SidString, Int32 lOptions, Object varReserved)
     at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AzManHelper.GetScopedRoleAssignmentsForUser(Int32 operationNumericId, String userName)
     at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AuthorizationService.GetUserRolesForOperationAndUser(Guid operationId, String userName)
     at Microsoft.EnterpriseManagement.ServiceDataLayer.SecurityConfigurationService.GetUserRolesForOperationAndUser(Guid operationId, String userName)
     at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessBackCompatProxy.GetUserRolesForOperationAndUser(Guid operationId, String userName)
  In the previous weeks I've imported some management packs and did some changes in the user roles.
  I've now deleted all custom created user roles but the event is still being logged.
  Where does the 'Value does not fall within the expected range.'
  message points to ?
  Is this related to a imported MP ? I've deleted the built-in administrator user and replaced it by an admin group.
  Where do I start to troubleshoot this issue ?
  Kind Regards,
  J. Monnens

  Yes, it's related to import MP.
  For this issue,  KB980862 - Event ID 26319 is logged when you import a management pack in Operations Manager 2007 R2
  Also you can check below link
  http://thoughtsonopsmgr.blogspot.com/2011/08/eventid-26319-exception-was-thrown.html
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical | Twitter:
  Mai Ali