Discussion:
How to fix SCOM falsely detecting corrupted system event log?
Chad
2008-11-13 17:41:00 UTC
I've got a few machines reporting errors like the following fragment:

<quote>
The EventLog service reported that the System event log on computer
'<snipped>' is corrupt. The Windows Event Log Provider will attempt to
recover by re-opening log.

One or more workflows were affected by this.
</quote>

Many times a simple restart of the Health service resolves it. I have a few
servers that we are unable to resolve the issue on. We've rebooted and
reinstalled the agent to no avail. The event log is not corrupt but SCOM is
unable to retrieve it and this leaves me with servers that monitoring is
severely impacted on.

Anybody have any ideas on a resolution?
Anders Bengtsson [MVP]
2008-11-14 06:34:33 UTC
Hi Chad,

If you look at the rule or monitor generating that alert, is it only picking
up events or is it doing some kind of own test, like a vbscript?
If it is only picking up events, then the problem is on the server generating
these events, and not in ops mgr.
--
Anders Bengtsson
Microsoft MVP - Operations Manager
Microsoft Certified Trainer (MCT)
http://www.contoso.se
e***@gmail.com
2008-11-17 23:00:37 UTC
The Alert is the standard alert titled "Unable to Process Windows
Event Log" that is defined to monitor the "Operations Manager" event
log looking for event ids 26011 or 25011 from Event Source "Health
Service Modules". These appear to be the tracks left from the
healthservice reporting it can't read the system event log.

The problem seems to be limited strictly to the healthservice as
either local or remote event viewer is fully capable of reading the
system event log.

Thanks
Chad
Steven Yeung
2008-11-18 03:43:40 UTC
Hi,

This problem is caused by Windows failing to generate the healthy event
afterwards because the time in between is too short. If you can access the
Event Viewer, you can simply reset the monitor. This is suggested by
our Microsoft Consultant.

Regards,
Steven