This alert/monitor state indicates that there were many corrupt and unreadable events in the event log that was being monitored.
The Health Service attempted to read an event and a number of subsequent events in the event log were not readable. The default configuration of this monitor generates a warning state and alert when we encounter 21 consecutive events that the Health Service was not able to process within 5 minutes.
If the Health Service was able to process an event during or after that time, the monitor will transition to a green state and the original warning alert will be auto resolved.
This can be caused by numerous issues, including:
Corrupt event log
Application logging bad events
You can use the steps below to determine if there is a low-level problem with the event log that was being processed:
1. Take note of the rule or monitor name from the alert or monitor context. This is the text after Workflow name in the context.
2. Look up this name in the console and bring up the properties for that rule or monitor.
3. In the monitor or rule properties, look at the tabs that begin with Event Log (for example, Event Log (Unhealthy Event)).
4. After taking note of the event log where this monitor or rule is configured to monitor, look for a related tab named Event Expression (for example, Simple Event Expression or Repeated Event Expression).
5. Take note of the criteria here. You will use these criteria to filter the target computer's event log to search for the corrupted event.
6. Once you have the event log and the expression (for example, Event ID equals 14384 AND Event Source equals Health Service), open the event viewer on the computer where this event originated.
7. Click the event log that the monitor or rule was configured for in Step 3.
8. Filter the event log to look for the same event that the rule or monitor was configured to look for in Step 5. You can do this in the event viewer by right-clicking the event log name and choosing the View context menu option, then Filter. From here you can filter by Event Source and Event ID, similar to the expression from Step 5.
9. If any events show up in your view, open them in event viewer.
a. If you can successfully open the event, save the event log (Action menu, Save Log File As).
b. Contact customer support service and provide the monitor name and its current state, the steps you attempted to follow in the knowledge, and the event log that you have saved for offline analysis.
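
Steps 6 through 9a can also be scripted on the computer where the event originated. The script below is an added example, not part of the original article or of Operations Manager; the parameter names and the export path are assumptions, and the values in the comments are the article's own example criteria.

```powershell
# Added example (not Operations Manager code). Run locally on the computer
# where the event originated. Parameter names and ExportPath are hypothetical.
param(
    [Parameter(Mandatory)] [string] $LogName,      # event log noted in step 4
    [Parameter(Mandatory)] [string] $EventSource,  # step 5 criteria, e.g. 'Health Service'
    [Parameter(Mandatory)] [int]    $EventId,      # step 5 criteria, e.g. 14384
    [string] $ExportPath = (Join-Path $env:TEMP 'monitored-log.evtx')
)

# Steps 7-8: filter the log by the same Event Source and Event ID as the rule or monitor.
$filter = @{ LogName = $LogName; ProviderName = $EventSource; Id = $EventId }
try {
    $records = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent raises an error when nothing matches or the log cannot be queried.
    Write-Warning "Query returned no events or failed: $($_.Exception.Message)"
    $records = @()
}

# Step 9: try to open each matching event. An exception while rendering the XML
# or the description means that record could not be read.
$results = foreach ($r in $records) {
    $readable = $true
    $detail   = $null
    try {
        [void]$r.ToXml()
        [void]$r.FormatDescription()
    } catch {
        $readable = $false
        $detail   = $_.Exception.Message
    }
    [pscustomobject]@{
        RecordId    = $r.RecordId
        TimeCreated = $r.TimeCreated
        Readable    = $readable
        Error       = $detail
    }
}
$results | Sort-Object RecordId | Format-Table -AutoSize

# Step 9a: save the whole log for offline analysis (same result as Save Log File As).
wevtutil.exe epl $LogName $ExportPath /ow:true
Write-Host "Saved $LogName to $ExportPath"
```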