You can use the following steps to determine if there is a problem with the event log that was being processed:
1. Take note of the rule or monitor name from the alert or monitor context. This is the text after Workflow name in the context.
2. Look up this name in the console and bring up the properties for that rule or monitor.
3. In the monitor or rule properties, look at the tabs that begin with Event Log (for example, "Event Log (Unhealthy Event)").
4. After taking note of the event log where this monitor or rule is configured to monitor, look for a related tab named Event Expression (for example, "Simple Event Expression" or "Repeated Event Expression").
5. Take note of the criteria here. You will use these criteria to filter the target computer's event log to search for the corrupted event.
6. Once you have the event log and the expression (for example, Event ID equals 14384 AND Event Source equals Health Service), open the event viewer on the computer where this event originated.
7. Click the event log identified in Step 3.
8. Filter the event log to look for the same event that the rule or monitor was configured to look for in Step 5. You can do this in the event viewer by right-clicking the event log name and choosing the View context menu option, then Filter. From here you can filter by "Event Source" and "Event ID", similar to the expression from Step 5.
9. If any events show up in your view, open them in event viewer.
a. If you can successfully open the event, save the event log (Action menu, Save Log File As).
b. Contact customer support service and provide the monitor name and its current state, the steps you attempted to follow in the knowledge, and the event log that you have saved for offline analysis.
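
The same filter, open and save steps can be run from PowerShell on the computer where the event originated. This is an added example, not part of the original steps: the event ID and source are the sample expression from Step 6, while the log name and output path are assumptions to replace with the values from the rule or monitor.

```powershell
# Sample values: replace with the log and expression noted in Steps 4 and 5.
$LogName  = 'Operations Manager'   # assumed log name, taken from the "Event Log" tab
$Source   = 'Health Service'       # Event Source from the sample expression
$EventId  = 14384                  # Event ID from the sample expression
$SavePath = Join-Path $env:TEMP 'eventlog-for-support.evtx'   # hypothetical output path

# Step 8: filter the log by Event Source and Event ID.
try {
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = $LogName
        ProviderName = $Source
        Id           = $EventId
    } -ErrorAction Stop)
} catch {
    # Get-WinEvent raises an error when nothing matches or the log cannot be read.
    Write-Warning "No matching events, or the log could not be queried: $($_.Exception.Message)"
    $events = @()
}

# Step 9: try to open each matching event and record whether it rendered.
$results = foreach ($e in $events) {
    $opened = $true
    $detail = ''
    try {
        [void]$e.ToXml()   # fails if the record itself cannot be read
        if ([string]::IsNullOrEmpty($e.Message)) {
            $opened = $false
            $detail = 'Event description could not be rendered'
        }
    } catch {
        $opened = $false
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        RecordId    = $e.RecordId
        TimeCreated = $e.TimeCreated
        Opened      = $opened
        Detail      = $detail
    }
}
$results | Format-Table -AutoSize

# Step 9a: save the whole log for offline analysis when matching events exist.
if ($events.Count -gt 0) {
    wevtutil epl $LogName $SavePath /ow:true
    Write-Output "Saved '$LogName' to $SavePath"
}
```

Run it from an elevated session if the log requires administrative rights to read or export.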