Warning: " ...Event collection failed: Backup event log seek failed / Event log read failure...Error number: 0x80004005"

Symptoms
You are getting one of the following warnings in your Change Summary emails:
  1. "Error occurred during logs collection: Failed to process DC: <Domain controller name> due to the following error: Event collection failed: Backup event log seek failed. Error details: The handle is invalid.. Error number: 0x80004005".
  2. "The following error occurred when collecting data from the System log: Event log read failure. Error details: The event log file is corrupted. (Error number: 0x80004005)".
  3. "The following error occurred when collecting data from the System log: Backup event log seek failed. Error details: The event log file is corrupted. (Code:1500) (Error number: 0x80004005)".
Cause
These errors mean that the Security event log (in the case of the DC processing error), the System event log, or one of the event log backups is corrupted.
Resolution
To resolve the issue, perform the following steps:
  • In case of the "Error occurred during logs collection: Failed to process DC..." error:
  1. Log on to a problematic DC.
  2. Navigate to Start -> Administrative Tools -> Event Viewer.
  3. Depending on the error, locate the Security event log, right-click it and select Clear Log.
  4. Navigate to the Security Event Log Backups folder. By default it is: %SystemRoot%\System32\Winevt\Logs\
  5. Remove all Security Event Log Backups from this directory.
  • In case of the "The following error occurred when collecting data from the System log..." errors:
  1. Log on to a problematic server.
  2. Navigate to Start -> Administrative Tools -> Event Viewer.
  3. Depending on the error, locate the System event log, right-click it and select Clear Log.
  4. Navigate to the System Event Log Backups folder. By default it is: %SystemRoot%\System32\Winevt\Logs\
  5. Remove all System Event Log Backups from this directory.

Then re-run data collection for your domain:
    - In Netwrix Auditor 8.5 or older: navigate to Managed Objects -> <your_Managed_Object_name> and click Run in the right pane. 
    - In Netwrix Auditor 9.0 or newer: navigate to Monitoring Plans -> <your Monitoring Plan name> -> Active Directory data source and click Update.
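
A scripted form of the Clear Log and backup-removal steps above, as an added example that is not Netwrix's own code: it reports which archived log files Get-WinEvent cannot open, then (only with -Apply) moves the archives to a hold folder instead of deleting them and clears the live log. The Archive-<Log>-*.evtx file naming and the C:\EvtxHold folder are assumptions; adjust them to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Run on the affected DC or server.
# Assumptions: archives follow the Windows auto-archive naming
# Archive-<Log>-*.evtx, and C:\EvtxHold is a hypothetical hold folder.
param(
    [ValidateSet('Security', 'System')]
    [string]$LogName = 'Security',
    [string]$LogDir  = "$env:SystemRoot\System32\Winevt\Logs",
    [string]$HoldDir = 'C:\EvtxHold',
    [switch]$Apply   # without this switch the script only reports
)

function Test-EvtxReadable {
    param([string]$Path)
    # Quick check: can the first record be read? Damage deeper in the
    # file is not detected by this test.
    try {
        Get-WinEvent -Path $Path -MaxEvents 1 -ErrorAction Stop | Out-Null
        return $true
    } catch {
        # A valid but empty file raises NoMatchingEventsFound; not corruption.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return $true }
        return $false
    }
}

$archives = Get-ChildItem -Path $LogDir -Filter "Archive-$LogName-*.evtx" -File
$report = foreach ($file in $archives) {
    [pscustomobject]@{
        File     = $file.FullName
        SizeMB   = [math]::Round($file.Length / 1MB, 1)
        Readable = Test-EvtxReadable -Path $file.FullName
    }
}
$report | Sort-Object Readable, File | Format-Table -AutoSize

if ($Apply) {
    # Keep the files out of the Logs directory but preserve them as a record.
    New-Item -ItemType Directory -Path $HoldDir -Force | Out-Null
    foreach ($row in $report) {
        Move-Item -LiteralPath $row.File -Destination $HoldDir
    }
    # Same effect as Clear Log in Event Viewer.
    wevtutil.exe cl $LogName
}
```

Clearing the Security log records event ID 1102 in the new log, so expect that event on the host after an -Apply run.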