Windows Event Log: Entries to Safely Ignore

Topic

Which Windows event log entries can I safely ignore?

Environment

  • Datto SIRIS
  • Datto ALTO

Description

About Microsoft Event Viewer

Microsoft Windows Event Viewer displays important system event information. It is used to find and troubleshoot anomalies on Microsoft Windows machines.

NOTE  If the current event logs do not extend back far enough in time, you can mount a file restore from a previous recovery point, and extract the earlier event logs.

Default save path for Event Viewer logs

  • Event Viewer logs are stored at C:\Windows\System32\winevt\Logs
  • Event Viewer log files end in .evtx


Figure 1: Event logs in the Event Viewer, listed as .evtx files

Windows Event Log types

Windows logs fall into three categories:

  • Setup: System installation and transaction logs. You will not typically need these for backup troubleshooting.
  • Application: Contains logs and error messages regarding application-level processes on the machine.
    • These logs track the execution of application processes (such as DWA).
    • Application logs are useful for troubleshooting if or why an agent is not running correctly.
  • System: Logs important actions such as system errors, warnings, user locks, and process management.
    • These record full system events such as OS management and hardware/kernel communications.
    • System logs are useful for determining that the server or system is stable enough to run the Datto agents.

Datto Windows Agent log entries


Figure 2: Event properties log

  • Initializing Vista+ VSS: This is the normal establishment of the VSS writers.
  • VSS Service is shutting down due to idle timeout: This is safe to ignore unless the Event Viewer is flooded with instances, which could indicate a corrupt volume.

Datto Windows Agent

Windows Event ID 55: Windows briefly recognizes the Datto Windows Agent snapshot device as a bad filesystem.

Encrypted Datto Windows Agent


Figure 3: Event Log, encrypted DWA

  • Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Datto Windows Agent on VMware ESX systems

  • Source Disk, Event ID 11, The driver detected a controller error on \Device\Harddisk#\DR#: This error appears during shutdown.


Figure 4: Event log, controller error
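
The entries listed above can be turned into a triage filter that marks them as ignorable while still reporting a flood of VSS idle-timeout events, which the article says could indicate a corrupt volume. This is an added example, not Datto's own tooling. The function name Get-EventTriage, the flood threshold and window, the provider names used to narrow the ID-based rules, and the sample records are assumptions made for illustration.

```powershell
# Added example. Assumed, not from the article: the flood threshold and window,
# and the provider names used to narrow the Event ID 55 and Event ID 11 rules.
$FloodThreshold = 20                       # idle-timeout events per window treated as a flood
$Window = [timespan]::FromHours(1)
$Benign = @(
    @{ Rule = 'VSS writers initializing'; Pattern = 'Initializing Vista\+ VSS' }
    @{ Rule = 'VSS idle timeout'; Pattern = 'VSS Service is shutting down due to idle timeout' }
    @{ Rule = 'Snapshot device seen as bad filesystem'; Id = 55; Provider = 'Ntfs' }
    @{ Rule = 'System Writer OnIdentity'; Pattern = 'OnIdentity\(\) call in the System Writer Object' }
    @{ Rule = 'Controller error at shutdown'; Id = 11; Provider = '^disk$'
       Pattern = 'controller error on \\Device\\Harddisk\d+\\DR\d+' }
)

function Get-EventTriage {
    param([Parameter(ValueFromPipeline)] $Record)
    begin { $idle = [System.Collections.Generic.List[datetime]]::new() }
    process {
        # A rule matches only if every field it defines matches the record.
        $hit = $Benign | Where-Object {
            (-not $_.Id       -or $Record.Id -eq $_.Id) -and
            (-not $_.Provider -or $Record.ProviderName -match $_.Provider) -and
            (-not $_.Pattern  -or $Record.Message -match $_.Pattern)
        } | Select-Object -First 1
        if ($hit -and $hit.Rule -eq 'VSS idle timeout') { $idle.Add($Record.TimeCreated) }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated; Id = $Record.Id
            Verdict = if ($hit) { 'Ignore' } else { 'Review' }
            Rule = if ($hit) { $hit.Rule } else { '' }
        }
    }
    end {
        # Sliding window over idle-timeout timestamps: report the first flood found.
        $t = @($idle | Sort-Object); $lo = 0
        for ($hi = 0; $hi -lt $t.Count; $hi++) {
            while (($t[$hi] - $t[$lo]) -gt $Window) { $lo++ }
            if (($hi - $lo + 1) -ge $FloodThreshold) {
                [pscustomobject]@{ TimeCreated = $t[$hi]; Id = $null; Verdict = 'Review'
                                   Rule = 'VSS idle timeout flood' }
                break
            }
        }
    }
}

# Constructed sample records. On a real host, pipe in instead:
#   Get-WinEvent -LogName Application,System    (or -Path <restored .evtx file>)
$now = Get-Date
$sample = @(
    [pscustomobject]@{ TimeCreated = $now; ProviderName = 'disk'; Id = 11
        Message = 'The driver detected a controller error on \Device\Harddisk1\DR1.' }
    [pscustomobject]@{ TimeCreated = $now; ProviderName = 'ExampleSvc'; Id = 1000; Message = 'Constructed unrelated error.' }
) + (1..25 | ForEach-Object { [pscustomobject]@{ TimeCreated = $now.AddMinutes($_)
        ProviderName = 'VSS'; Id = 8224; Message = 'The VSS service is shutting down due to idle timeout.' } })
$sample | Get-EventTriage | Format-Table -AutoSize
```

The Event ID 55 rule matches on ID and provider only, so confirm that the volume named in the event message is the agent's snapshot device before discarding the entry.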