• Management Pack:  SCOM 2016
  • MP Version:  1.0
  • Released:  10/19/2018
  • Publisher:  Microsoft

Processing Backlogged Events Taking a Long Time Monitor

  • ID:  Microsoft.SystemCenter.HealthServiceModules.WindowsEventLog.ProcessingBackLoggedEventsTooLong
  • Description:  This monitor checks the if the Windows Event Log module is processing backlogged events for a period of time.
  • Target:  Health Service
  • Enabled:  Yes

Operational States

Name State Description
Finished Processing Backlogged Events Success  
Still Processing Backlogged Events (Warning) Warning  
Still Processing Backlogged Events (Error) Error  

Alert Details

Monitor State Message Priority Severity Auto Resolution
Still Processing Backlogged Events (Error) (Error) Processing Backlogged Events Taking a Long Time Medium Match Monitor Health Yes

Run As Profiles

Name
Default

Monitor Knowledgebase

Summary

This monitor and alert indicates that the System Center Management Health Service has been processing older events for a particular event log longer than expected.

Below is a summary of the default configuration of this monitor:

  • Warning state: Transition to warning state if Operations Manager is still processing backlogged events after 10 minutes. This means that Operations Manager processed Event 25017 (started processing backlogged events), but has not reached the current record (indicated by event 25018).

  • Critical state: Transition from warning state to critical state if after 20 minutes, Operations Manager is still processing backlogged events. This means in addition to the 10 minutes that the System Center Management Health Service has already been processing backlogged events, an additional 10 minutes has passed, for a total of 20 minutes since Event 25017 has passed.

Causes

Both the warning and critical state can indicate the following may be happening on the agent:

  • The computer where this event was raised is logging hundreds to thousands of events per minute that all need to be processed for monitoring.

  • The computer may be low on available resources (for example; memory).

  • The System Center Management Health Service was stopped for an extended period of time and must process all events from the last one it successfully processed.
Resolutions

You can perform the following checks to further determine the root cause of the problem:

1. Open the event viewer on the computer where for this alert or monitor state.

2. Check to see if there is an application or event source that seems to be logging many events per minute to the event log

3. If there is no clear indication of the application that may be logging these events, check the resource utilization on this computer. If there is an application that is consuming large amounts of memory or CPU, check with the application owner or administrator if this is expected behavior.

4. If you are not concerned with the loss of monitoring from the existing events, you can clear the event log.

Note: Clearing the event log when the System Center Management Health Service is still processing backlogged events will result in loss of monitoring.

External References
This monitor does not contain any external references.

See Also for SCOM 2016 Management Pack


Downloads for SCOM 2016 Management Pack

Back to top
AZURE OPTIMIZATION ASSESSMENT GET STARTED
MIGRATION TO AZURE GET STARTED
SYSTEM CENTER MIGRATION TO AZURE GET STARTED
MIGRATION TO AZURE FOR SQL AND WINDOWS 2008 GET STARTED