Microsoft NT Backup Event Logs

For the NT Backup Check we query the Windows Event Log on the local device over the preceding 24 hours to determine whether there are any occurrences of the monitored Events, 8001 (End Backup of 'System State') and 8019 (End Operation), reporting back their status.

From Agent 7.1.1 onwards we have also included the option to monitor where Verify data after backup (Event 8009) has been configured, alerting when failure events are recorded that are not reflected in the backup’s completion status but may affect the ability to restore from the backup set. Please note that Verify data after backup is now enabled by default.

Where the monitored NTBackup Event type is recorded as Information, we report this as passed. Where the monitored NTBackup Event type is recorded as Error, or where none of the monitored Events are discovered, this is reported as failed.

We feel that it is prudent to alert on any failure events recorded in the backup, even where a success event is discovered, as the error may be an indication of a larger problem with the backup or the device.
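The pass/fail rules above can be reproduced by hand when triaging a failed check. The following is an added illustration, not the agent's own code: the function name Get-NTBackupVerdict and its parameters are hypothetical, the sample records are constructed, and it assumes NTBackup writes its events to the Application log.

```powershell
# Added illustration; not the agent's implementation.
# Assumption: NTBackup events are in the Application log under source 'NTBackup'.
function Get-NTBackupVerdict {
    param(
        # Objects exposing EventID and EntryType (for example, Get-EventLog output).
        [object[]]$Events = @(),
        # Also evaluate Event 8009 (Verify data after backup).
        [switch]$IncludeVerify
    )
    $monitored = @(8001, 8019)
    if ($IncludeVerify) { $monitored += 8009 }

    $relevant = @($Events | Where-Object { $monitored -contains $_.EventID })
    $errors   = @($relevant | Where-Object { "$($_.EntryType)" -eq 'Error' })

    # No monitored event in the window is reported as failed.
    if ($relevant.Count -eq 0) {
        return New-Object PSObject -Property @{
            Status = 'Failed'; Reason = 'No monitored NTBackup events found' }
    }
    # Any Error event fails the check, even when a success event is also present.
    if ($errors.Count -gt 0) {
        $ids = ($errors | ForEach-Object { $_.EventID } | Sort-Object -Unique) -join ', '
        return New-Object PSObject -Property @{
            Status = 'Failed'; Reason = "Error recorded for Event ID(s): $ids" }
    }
    New-Object PSObject -Property @{
        Status = 'Passed'; Reason = 'All monitored events are Information' }
}

# Constructed sample: the backup completes, but the verify pass fails.
$sample = @(
    New-Object PSObject -Property @{ EventID = 8001; EntryType = 'Information' }
    New-Object PSObject -Property @{ EventID = 8019; EntryType = 'Information' }
    New-Object PSObject -Property @{ EventID = 8009; EntryType = 'Error' }
)
Get-NTBackupVerdict -Events $sample                  # Passed: 8009 is not evaluated
Get-NTBackupVerdict -Events $sample -IncludeVerify   # Failed: verify error is surfaced

# Live check over the preceding 24 hours (Windows PowerShell cmdlet).
$since = (Get-Date).AddHours(-24)
$live  = @(Get-EventLog -LogName Application -Source NTBackup -After $since `
             -ErrorAction SilentlyContinue)
Get-NTBackupVerdict -Events $live -IncludeVerify
```

The constructed sample shows why the 8009 option matters: the completion events alone report success while the backup set failed verification.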

Examples of the Informational and Error Events we monitor are included below:

Informational Events:

Event ID: 8001
Source: NTBackup
Type: Information
Description: End Backup of 'System State'

Event ID: 8019
Source: NTBackup
Type: Information
Description: End Operation: 'The operation was successfully completed.'

Event ID: 8009
Event Source: NTBackup
Event Type: Information
Description: End Verify of 'N:' The operation was successfully completed.

Error Events:

Event ID: 8001
Source: NTBackup
Type: Error
Description: End Backup of 'System State' 'Warnings or errors were encountered.'

Event ID: 8019
Source: NTBackup
Type: Error
Description: End Operation: Warnings or errors were encountered.

Event ID: 8009
Event Source: NTBackup
Event Type: Error
Description: End Verify of 'N:' 'Failed'.