Windows Event Log: Entries to Safely Ignore

Follow

Topic:

Which Windows event log entries can I safely ignore?

Environment

  • Datto ALTO
  • Datto SIRIS

Overview

About Microsoft Event Viewer

Microsoft Windows Event Viewer displays important system event information, and is frequently used for troubleshooting or finding anomalies on Microsoft Windows machines.

If the current event logs do not extend back far enough in time, you can mount a file restore from a previous recovery point, and extract the earlier event logs. 

Default save path for Event Viewer logs

C:\Windows\System 32\winevt\Logs

Event Viewer log files end in .evtx

+
Figure 1: event logs in the Event Viewer, listed as .evtx fliles

About Windows Event Logs

Windows logs fall into 3 main categories:

  • Setup: System installation and transaction logs. These are not normally needed for backup troubleshooting.
  • Application: Contains logs and error messages pertaining to application-level processes on the machine. 
    • These logs track the execution of application processes (such as DWA or ShadowSnap agents).
    • Application logs are useful for troubleshooting if or why an agent is not running properly.
  • System: Logs important actions such as system errors, warnings, user locks and process management.
    • These record full system events such as OS management and hardware/kernel communications. 
    • System logs are useful for determining that the Server or system is stable enough to run the Agents.

Log entries that are safe to ignore

Datto Windows Agent


Figure 2: Event properties log

  • Initializing Vista+ VSS. This is the normal establishment of the VSS writers.
  • VSS Service is shutting down due to idle timeout. This is safe to ignore unless the Event Viewer is flooded with instances, which could indicate a corrupt volume.

Encrypted Datto Windows Agent


Figure 3: Event Log, encrypted DWA

  • Cryptographic Service failed while processing the Onidentity() call in the System Writer Object. Click here for more information on this error event. 

Datto Windows Agent on vmWare ESX systems

  • Source Disk, Event ID 11, The driver detected a controller error on
    \Device\Harddisk#\DR#. This error appears during shutdown, and may be safely ignored.

Figure 4: Event log, controller error

Shadowsnap/Encrypted ShadowSnap over iSCSI

Event logs generally correspond with what DWA would display, but the agent itself is contingent on the Storagecraft parts of the software. VSS Writers still getting called would display the same Event Viewer logs.

Event ID 129 from source iScsiPrt cannot be found. Ignore as long as iSCSI is properly installed (some legacy versions of Windows do not come with the iSCSI initiator pre-installed) and there are no frame errors on the network's switches. This could reside from the following scenarios:

  • Legacy OS or corrupted install of iSCSI initiator (client).
  • Dropped Frames / Packets from a switch / router level.

Follow the networking requirements article, and be sure agent(s) are up to date and able to communicate through standard networking tests. Also, ensure the iSCSI Initiator is updated to the latest version.

Connection to the target was lost. The initiator will attempt to retry 
the connection 

or 

Login request failed. The login response packet is given in the dump data

or

Disk # has been surprise removed.

These three events happen at the end of an encrypted ShadowSnap backup, are expected behavior, and can safely be ignored.


Was this article helpful?

0 out of 0 found this helpful

You must sign in before voting on this article.

Calling all Partners! We want to hear your feedback! Please participate in this quick survey and help us build a better, more-relevant Knowledge Base!

Want to talk about it? Head on over to our Community Forum!