Welcome, Guest to: Public MPWiki ▼
Welcome to Management Pack Wiki! Your documentation pro for SCOM Management Packs
0 comment(s) Post a comment

Many Corrupt or Unreadable Windows Events Monitor

  • ID:  Microsoft.SystemCenter.HealthServiceModules.WindowsEventLog.CorruptOrUnreadableEvents
  • Description:  This monitor will check if the Windows Event Log module reads many corrupt events from any event log. If it encounters too many corrupt or unreadable events some period of time, it will set the state of this monitor to unhealthy.
  • Target:  Health Service
  • Enabled:  Yes

Operational States

Name State Description
Too Many Corrupt or Unreadable Events Warning  
Successfully Read an Event Success  

Alert Details

Monitor State Message Priority Severity Auto Resolution
Too Many Corrupt or Unreadable Events (Warning) Many Corrupt or Unreadable Windows Events Medium Warning Yes

Run As Profiles


Monitor Knowledgebase


This alert/monitor state indicates that there were many corrupt and unreadable events in the event log that was being monitored.

The Health Service attempted to read an event and a number of subsequent events in the event log were not readable. The default configuration of this monitor generates a warning state and alert when we encounter 21 consecutive events that the Health Service was not able to process within 5 minutes.

If the Health Service was able to process an event during or after that time, the monitor will transition to a green state and the original warning alert will be auto resolved.


This can be cause by numerous issues including:

  • Corrupt event log

  • Application logging bad events


You can use the below steps to determine if there is a low level problem with event log that was being processed:

1. Take note of the rule or monitor name from the alert or monitor context. This is the text after “Workflow name” in the context.

2. Look up this name in the console and bring up the properties for that rule or monitor.

3. In the monitor or rule properties, look at the tabs that begin with “Event Log ” (for example; “Event Log (Unhealthy Event)”.

4. After taking note of the event log where this monitor or rule is configured to monitor, look for a related tab named “ Event Expression” (for example; “Simple Event Expression” or “Repeated Event Expression”).

5. Take note of the criteria here. You will use these criteria to filter the target computers event log to search for the corrupted event.

6. Once you have the event log and the expression (for example; “Event ID equals 14384” AND “Event Source equals Health Service”) open the event viewer where this event originated from.

7. Click the event log that the monitor or rule was configured in Step 3.

8. Filter the event log to look for the same event that the rule or monitor was configured to in Step 5. You can do this in the event viewer by right clicking on the event log name and choosing the “View” context menu option, then “Filter ” From here you can filter by “Event Source” and “Event ID” similar to the expression from Step 5.

9. If any events show up in your view, open them in event viewer.

a. If you can successfully open the event, save the event log (“Action” menu, “Save Log File As).

b. Contact customer support service and provide; the monitor name and its current state, the steps you attempted to follow in the knowledge and the event log that you have saved for offline analysis.

External References
This monitor does not contain any external references.

See Also for System Center Library Management Pack

Downloads for System Center Library Management Pack

Post a comment