When taking agent out of maintenance mode, old events are reprocessed and new alerts generated

We’ve been seeing a couple instances of this so I thought it would be worthy of a mention just in case any of you are running into the same thing.

Issue: When taking a System Center Operations Manager 2007 R2 agent out of maintenance mode, an agent with a large number of events in the application event log may have each of those events reprocessed, generating false or irrelevant alerts.

Resolution: There are three potential workarounds for this issue:

1. Clear the event log prior to putting a machine into Maintenance Mode.

2. Manually setup overrides to ignore the events.

3. Add the following registry key:

HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Modules\Global\NT Event Log DS

Create a DWord value named MaxEventBufferSize and set it to a decimal value of 500000.

Hope this helps,

Jeff Carter | Senior Support Engineer