Event Log Rules
Applies To: Operations Manager 2007
The following tables display information about the event log rules for Windows Server 2003 and Windows Server 2008 cluster deployments in this management pack.
Event Log Rules: Windows Server 2003 Cluster
The following list applies to the event log rules in this table:
All are enabled by default
All generate an alert
Target: Windows 2003 Monitoring Cluster Service
Event Source: ClusSvc
Event Log: System
Alert Severity: Error (unless otherwise noted)
| Name | Event ID | Note |
|---|---|---|
Account Deletion Problem |
1191, 1192 |
|
Active Directory Problem |
1211, 1212, 1218, 1219, 1220, 1221 |
|
Communication Failure |
1156, 1157, 1158, 1075, 1083, 1109 |
|
Disk Mount Error |
1035, 1037 |
|
Disk Mount Point Error |
1161, 1162, 1163, 1208, 1167 |
|
Disk Mount Point Warning |
1165, 1166 |
Alert Severity: Warning |
Disk not responding to SCSI command |
1036 |
|
Disk Signature Mismatch |
1034 |
|
Disk Space Alert |
1170, 1171, 1172, 1021, 1022, 1080 |
|
DNS Record Deleted |
1149, 1150, 1151, 1152 |
Alert Severity: Warning |
DNS Registration Error |
1195,1196 |
|
File Share Check Failed |
1055 |
|
File Share Failed |
1053, 1054, 1068 |
|
Generic Script Error |
1232, 1233 |
|
Generic Service Failed |
1040, 1041, 1042 |
|
Invalid Command Line |
1008 |
|
IP Address Conflict |
1049 |
|
IP Address Failed |
1223, 1047, 1045, 1046, 1077, 1044 |
|
Kerberos Authentication Error |
1210, 1225 |
|
Kerberos Error |
1226, 1227 |
|
NetBIOS Error |
1078 |
|
Network Adapter Alert |
1096 |
|
Network Communication Failure |
1123, 1124, 1126, 1127, 1130, 1144 |
Alert Severity: Warning |
Network Name Failed |
1214, 1052, 1051, 1050, 1116, 1140 |
|
Network Name Not Registered |
1215 |
|
Network Partitioned |
1215 |
Alert Severity: Warning |
Node Communication Failure |
1106, 1107 |
|
Password Update Failed |
1188 |
|
Permission Error |
1193, 1194, 1206, 1207 |
|
Reservation for a cluster disk has been lost |
1038 |
|
Resource Group Failed |
1205, 1069, 1065, 1145 |
|
Resource load or init problem |
1058, 1059 |
|
Resource offline failed |
1182, 1117 |
|
Resource online failed |
1181 |
Event Log Rules: Windows Server 2008 and Windows Server 2008 R2 Failover Cluster services
The following list applies to the event log rules in this table:
All are enabled by default (unless otherwise noted)
All generate an alert
Target: Windows 2008 Monitoring Cluster Service
Event Source: Microsoft-Windows-FailoverClustering
Event Log: System (unless otherwise noted)
| Name | Event ID | Alert Severity | Note |
|---|---|---|---|
Attempting to use IPv4 for network adapter failed due to a failure to disable auto-configuration and DHCP |
1555 |
Warning |
|
Cluster backup aborted |
1541 |
Error |
|
Cluster configuration information is missing or corrupt |
1057, 1090, 1575 |
Error |
|
Cluster disk resource found the disk identifier to be stale |
1568 |
Warning |
Event Log: Microsoft-Windows-FailoverClustering/Operational |
Cluster File Share cannot be brought online due to a share creation error |
1068,1053 |
Error |
|
Cluster file share resource has detected shared folder conflicts |
1560 |
Warning |
|
Cluster IP address resource cannot be brought online because of a duplicate IP address |
1049 |
Error |
|
Cluster IP address resource cannot be brought online because the address value is invalid |
1047 |
Error |
|
Cluster IP address resource cannot be brought online because the cluster network is not configured to allow client access |
1223 |
Warning |
|
Cluster IP address resource cannot be brought online because the subnet mask value is invalid |
1046 |
Error |
|
Cluster IP address resource cannot be brought online because WINS registration failed |
1078 |
Error |
|
Cluster IP address resource encountered an error with a leased address |
1240, 1243, 1245 |
Warning |
|
Cluster IP address resource failed to come online |
1360 |
Error |
|
Cluster IP address resource failed to come online due to a configuration problem |
1362, 1048 |
Error |
|
Cluster network interface for cluster node failed |
1127 |
Warning |
Disabled by default. Note that this rule may generate many alerts if you decide to enable it. |
Cluster network interface is unreachable by at least one other cluster node attached to the network |
1126 |
Warning |
|
Cluster network is down |
1130 |
Warning |
|
Cluster network is partitioned |
1129 |
Warning |
|
Cluster network name resource cannot be brought online due to a timeout |
1566 |
Error |
Event Log: Microsoft-Windows-FailoverClustering/Operational |
Cluster network name resource failed a health check |
1215 |
Error |
|
Cluster network name resource failed to create its associated computer object |
1193, 1194 |
Error |
|
Cluster network name resource failed to delete its associated computer object |
1192, 1191 |
Error |
|
Cluster network name resource failed to register DNS name |
1196, 1195, 1119 |
Error |
|
Cluster node cleanup error |
4624, 4622, 4620, 4618, 4615, 4613, 4611, 4609 |
Error |
|
Cluster node cleanup warning |
4625, 4616 |
Warning |
|
Cluster node has been evicted from the failover cluster |
1011 |
Warning |
|
Cluster node network connectivity problem detected |
1553, 1554, 1572 |
Error |
|
Cluster physical disk resource cannot be brought online because the associated disk could not be found |
1034 |
Error |
|
Cluster resource failed |
1069 |
Error |
|
Cluster service account is missing one or more from the required set of privileges |
1234 |
Error |
|
Cluster service cannot identify a node as a member of failover cluster |
1093 |
Error |
|
Cluster service could not write to a file |
1080 |
Warning |
|
Cluster service failed to change the trace log size |
1567 |
Warning |
Event Log: Microsoft-Windows-FailoverClustering/Operational |
Cluster service failed to start the cluster log trace session |
4868 |
Warning |
|
Cluster service has determined that this node does not have the latest copy of cluster configuration data |
1561 |
Error |
|
Cluster service suffered an unexpected fatal error |
1000 |
Error |
|
Computer object associated with a network name resource could not be updated |
1206, 1207 |
Error |
|
Disabled network is the only possible network that the node can communicate with other nodes |
1569 |
Warning |
|
Disabling version compatibility checking is not supported |
1550, 1551 |
Warning |
|
Encountered a failure when attempting to create a new NetBIOS interface while bringing a resource online |
1044 |
Warning |
|
Encrypted settings for cluster resource could not be successfully applied |
1121 |
Error |
|
Failed to add required credentials to the LSA |
1227, 1226 |
Error |
Local Security Authority (LSA) |
Failed to join or form a cluster |
1070, 1092 |
Error |
|
Generic application could not be brought online due to a service startup error |
1041 |
Error |
|
Generic application could not be brought online due to process creation error |
1039 |
Error |
|
Generic script resource error |
1233, 1232 |
Warning |
|
Generic service could not be brought online due to an error attempting to open the service |
1040 |
Error |
|
Generic service failed |
1042 |
Error |
|
Health check for file share resource failed |
1054 |
Error |
|
Health check for file share resource failed as the share does not exist |
1055 |
Error |
|
Health check for IP interface failed |
1077 |
Warning |
|
IPv6 tunnel address resource failed to come online |
1363 |
Error |
|
IPv6 Tunnel address resource failed to come online because it does not depend on an IP Address (IPv4) resource |
1361 |
Error |
|
Lease of IP address associated with cluster IP address resource cannot be renewed |
1242 |
Error |
|
No matching network interface found for IP address |
1045 |
Warning |
|
One or more cluster disk volumes may be corrupt |
1066, 1037 |
Error |
|
Ownership of cluster disk has been unexpectedly lost |
1038 |
Warning |
|
Potentially incompatible versions of cluster service |
1546, 1547, 1548, 1570, 1571 |
Error |
|
The backup operation for the cluster configuration data has been canceled due to an abort request |
1544 |
Warning |
|
The cluster service encountered an unexpected problem and will be shut down |
1556 |
Error |
|
The cluster service failed to start due a miniport adapter initialization failure |
4871 |
Error |
|
The Cluster service is shutting down because quorum was lost |
1177 |
Error |
|
The failover cluster database could not be unloaded |
1574 |
Error |
|
The failover cluster virtual adapter failed to generate a unique MAC address |
4872 |
Error |
|
The restore operation for the cluster configuration data has failed due to insufficient privileges |
1545 |
Error |
|
The restore operation of the cluster configuration data has failed |
1542, 1543 |
Error |
|
Unable to access witness resource |
1557, 1558, 1562, 1563, 1564, 1573 |
Error |
|
User mode health monitoring has detected that the system is not being responsive |
4870, 4869 |
Error |
|
Volume shadow copy service task resource failed |
4867, 4866, 4865, 4864 |
Warning |
The following rules apply to Windows Server 2008 R2 clusters only.
| Name | Event ID | Alert Severity |
|---|---|---|
Attempt to disable connection security failed |
1583 |
Warning |
Cluster network name resource failed to register dynamic updates for DNS name |
1578 |
Warning |
Cluster network name resource failed to register in a secure DNS zone because record was already registered and owned |
1576 |
Warning |
Cluster network name resource failed to register in a secure DNS zone because registration was refused |
1580 |
Error |
Cluster network name resource failed to update the DNS A record |
1579 |
Warning |
Cluster Service failed to create a cluster identity token for Cluster Shared Volumes |
5200 |
Error |
Cluster Service failed to create root directory to host shared volumes |
5123 |
Error |
Cluster Service failed to set permissions on Cluster Shared Volume directory |
5134 |
Warning |
Cluster Service failed to move cluster hive |
1581 |
Warning |
Cluster Service moved previously existing files in newly-created shared volume directory to new location |
5124 |
Warning |
Cluster Shared Volume is no longer accessible from cluster node |
5142 |
Error |
Cluster Shared Volume redirected access was turned on |
5136 |
Warning |
Communication was lost and reestablished between cluster nodes |
1592 |
Warning |
Error occurred while bringing file server resource online |
1588 |
Warning |
Filter driver(s) are preventing direct I/O on Cluster Shared Volume |
5125 |
Warning |
Health check for file server resource has failed |
1585 |
Error |
Cluster network name resource cannot be brought online due to a timeout |
1566 |
Error |
Cluster service failed to change the trace log size |
1567 |
Warning |
Original cluster disk drive letter(s) are already in use and cannot be restored |
5133 |
Warning |
Physical disk resource does not allow disabling short name generation |
5128 |
Warning |
Resource has registered DNS entries that are not providers |
1589 |
Warning |
Shared Volume IO is paused |
5120 |
Error |
Shared Volume IO is resumed in no-direct-io mode |
5121 |
Error |
Volume flush-and-hold IOCTL was detected on clustered shared volume |
1584 |
Error |