SCHANNEL event logging

First, my thanks to Bhuvnesh Kumar for his help!

 

Time to figure out what’s going on behind the curtain!

 

 

Are you seeing System Event Log, Event ID 36871 events?

 

Why does this matter?

 

Depending on OS versions and patches, the TLS Cipher Suites may not match on the various SCOM servers.

  1. If you’re setting up TLS1.2, you need the SCOM servers to talk
  2. The bad part is that this isn’t logged much on the GW, but is logged more often on the MS
  3. Sometimes the 36871 events come with 36874, but in my experience they occur after Event Logging is enabled.

 

The unanswered question is “why are we seeing the 36871 events?”

 

In my example, the events only happened once a day, roughly 24 hours

 

Event Viewer

 

Are the events related to the Cipher Suite, or is it an MP trying to run the old SQLOLEDB method?

 

This article will focus on verifying Cipher Suite on a server

See this article for MP analysis for SQL methods

 

 

 

SCHANNEL event logging setup

 

From Holman’s blog

Decimal  Description
0        Do not log
1        Log Error messages
2        Log Warnings
3        Log Error and Warning messages
4        Log Informational and Success events
5        Log Error, Informational and Success events
6        Log Warnings, Informational and Success events
7        Log Everything (Warnings, Errors, Informational and Success events)

 

I’d recommend setting it to 3 to see errors and warnings, or 7 to see everything.

Remember to set this back to 1 when done resolving any issues.

 

Add

From Command Prompt or PowerShell (as administrator)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging" /t REG_DWORD /d 7 /f

Disable

reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging"

Verification

reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging"

 

PowerShell verification

RegEdit Verification

Time to reboot!

 

 

Verify SCHANNEL events

Look at the System Event log, and filter for 36880 and 36874 events for clues

 

36880 provides Cipher Suite details

 

Event ID 36874 definitely describes the scenario
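
A PowerShell version of the checks above, added here as an example and not part of the original post: it decodes the EventLogging value using the table's 1/2/4 flags, counts the 36871, 36874 and 36880 events, and shows the gap between consecutive 36871 events. The look-back window ($Hours) is an assumed parameter.

```powershell
# Added example: check the SCHANNEL EventLogging level, then summarize Schannel events.
# $Hours is an assumed look-back window; adjust as needed.
param([int]$Hours = 72)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$prop = Get-ItemProperty -Path $key -Name EventLogging -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output 'EventLogging value is not set.'
} else {
    $level = [int]$prop.EventLogging
    # The decimal values in the table are sums of three flags: 1, 2 and 4.
    $flags = @()
    if ($level -band 1) { $flags += 'Errors' }
    if ($level -band 2) { $flags += 'Warnings' }
    if ($level -band 4) { $flags += 'Informational and Success' }
    if ($flags.Count -eq 0) { $flags = @('Nothing (do not log)') }
    Write-Output "EventLogging = $level : $($flags -join ', ')"
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36871, 36874, 36880
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated)
if ($events.Count -eq 0) {
    Write-Output "No 36871/36874/36880 events in the last $Hours hours."
    return
}

# Count per event ID.
$events | Group-Object Id | Sort-Object Name |
    ForEach-Object { Write-Output ("Event {0}: {1}" -f $_.Name, $_.Count) }

# Gap between consecutive 36871 events, to confirm a daily (or other) cadence.
$fatal = @($events | Where-Object { $_.Id -eq 36871 })
for ($i = 1; $i -lt $fatal.Count; $i++) {
    $gap = $fatal[$i].TimeCreated - $fatal[$i - 1].TimeCreated
    Write-Output ("36871 at {0}, {1:N1} hours after the previous one" -f $fatal[$i].TimeCreated, $gap.TotalHours)
}

# Most recent 36874, whose message describes the cipher suite mismatch.
$events | Where-Object { $_.Id -eq 36874 } | Select-Object -Last 1 | Format-List TimeCreated, Message
```

Run it on both the GW and the MS and compare the output side by side.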

 

The easy first step in solving a cipher suite mismatch is to ask: is this server patched with the latest security and .NET patches?

After all this, in my example, we confirmed that simple step was assumed, and inaccurate.

 

 

 

 

References
36871 event https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786445(v=ws.11)

SCHANNEL events https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786445(v=ws.11)

SChannel error codes https://docs.microsoft.com/en-us/windows/win32/secauthn/schannel-error-codes-for-tls-and-ssl-alerts


SSL errors https://www.experts-exchange.com/questions/28996780/event-id-36871-Schannel.html

Troubleshooting https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-ssl-related-issues-server-certificate

SharePoint 2013 disk cleanup

Not having a problem with Windows Server 2012 R2?

Windows Server 2012 R2 has several mechanisms to automatically clean up previous versions of Windows Update files, and it uses compression for unused binaries.

 

If on win2k8 or win2k8R2, this will continue to grow as the OS ages and patches continue to be released.

 

Cleanup OS = Win2k8R2

Easiest – start with the Disk Cleanup wizard

KB2852386 https://support.microsoft.com/en-us/help/2852386/disk-cleanup-wizard-addon-lets-users-delete-outdated-windows-updates-o

 

Download and run this PowerShell script from TechNet Gallery

https://gallery.technet.microsoft.com/scriptcenter/CleanMgrexeKB2852386-83d7a1ae

 

Final Results

 

WinSxS is huge on win2k8R2, and the

 

Start with what’s in C:\Windows\SoftwareDistribution\Download

Delete logs, everywhere. Keep the most recent, but delete or backup any older logs.

     SharePoint logs: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\LOGS

     Windows Event logs

Delete Internet Explorer’s browsing history

Clean up Temp directory

Example C:\Users\Administrator\AppData\Local\Temp

Do you have SQL on the SharePoint Server? If so, do backups or otherwise compact the databases.

Reduce the size of your Windows swap file.

Optionally move to another disk like d:

Delete installation files that can be downloaded again when needed (check your Downloads folder).

 

 

 

 

References

AskCore https://blogs.technet.microsoft.com/askcore/2008/09/17/what-is-the-winsxs-directory-in-windows-2008-and-windows-vista-and-why-is-it-so-large/

AskPFE https://blogs.technet.microsoft.com/askpfeplat/2014/05/13/how-to-clean-up-the-winsxs-directory-and-free-up-disk-space-on-windows-server-2008-r2-with-new-update/

Clean up WinSxS folder https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/dn251565(v=win.10)

TechNet https://social.technet.microsoft.com/Forums/office/en-US/84387164-0488-46ee-894b-86c28588b245/how-to-make-space-in-c-drive-on-sharepoint-server?forum=sharepointadmin

Configure Diagnostic Logging in SharePoint https://technet.microsoft.com/en-us/library/ee748619(v=office.14).aspx?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-8bUDdCvIXBhE7RsUncKgCw&tduid=(988dd788212d36221791baa597407ab9)(256380)(2459594)(TnL5HPStwNw-8bUDdCvIXBhE7RsUncKgCw)()

Rita’s blog https://blogs.msdn.microsoft.com/ritazh/2012/04/04/process-to-free-up-space-on-c-drive/

Vignesh’s blog https://vigneshsharepointthoughts.com/2015/11/25/cleaning-up-disk-space-in-sharepoint-servers/

Configure diagnostic logging https://docs.microsoft.com/en-us/previous-versions/office/sharepoint-foundation-2010/ee748619(v=office.14)