This monitor and alert indicates that the Health Service has been processing older events for a particular event log longer than expected.
Below is a summary of the default configuration of this monitor:
Warning state: Transition to warning state if we are still processing back logged events after 10 minutes. This means that we processed Event 25017 (started processing back logged events), but we have not reached the current record (indicated by event 25018).
Critical state: Transition from warning state to critical state if after 20 minutes, we are still processing back logged events. This means in addition to the 10 minutes that the Health Service has already been processing back logged events, an additional 10 minutes has passed for a total of 20 minutes since we processed Event 25017 has passed.
Both the warning and critical state can indicate the following may be happening on the agent:
The computer where this event was raised is logging hundreds to thousands of events per minute that all need to be processed for monitoring.
The computer may be low on available resources (for example; memory).
The Health Service was stopped for an extended period of time and must process all events from the last one it successfully processed.
You can perform the following checks to further determine the root cause of the problem:
1. Open the event viewer on the computer where for this alert or monitor state.
2. Check to see if there is an application or event source that seems to be logging many events per minute to the event log
3. If there is no clear indication of the application that may be logging these events, check the resource utilization on this computer. If there is an application that is consuming large amounts of memory or CPU, check with the application owner or administrator if this is expected behavior.
4. If you are not concerned with the loss of monitoring from the existing events, you can clear the event log.
Note: Clearing the event log when the Health Service is still processing back logged events will result in loss of monitoring.