Cannot view EventLog entries
Hello,

We have had a couple of server failures over the last couple of months, and each time we get the server back online the System Event Log appears to be truncated in Event Viewer, showing only the entries since the server came online. However, the actual SysEvent.Evt file is over 200 MB, so I decided to open it in a hex viewer and I can see that there are vastly more entries than Event Viewer is actually showing. I'm assuming that there is a corrupt entry from when the server failed and Event Viewer cannot show entries before this time.

How can I view the previous entries? I need to know what has caused the server to fail.

It is a Windows Server 2003 machine.

Thank you,
Stephen
August 24th, 2009 1:30pm

Check if minidump files were created under %SystemRoot%\Minidump. If you have the dump files, you can try reading them to find the source of the problem: http://support.microsoft.com/kb/315263
August 24th, 2009 6:32pm

Thank you for your reply.

Unfortunately there are no minidump files.

Stephen
August 24th, 2009 6:35pm

Try this:

1. Check the permissions on the .evt files themselves (the files that events are logged in). See if somehow the permission got changed, and maybe that's why you can't view the events.
2. Do a virus scan with the latest definitions if you have not done so already. Maybe there is a virus that is interfering with the event viewing in an attempt to hide itself.
3. Try right-clicking on the individual Events and "Clear All Events". Maybe this will rebuild the .evt files and start properly logging events.
4. The .evt files may be corrupt beyond repair and need to be deleted so that they can be recreated. The following URL is Microsoft's directions on how to delete .evt files. Use at your own risk. http://support.microsoft.com/?kbid=172156

Taken from: http://www.computing.net/answers/windows-2000/event-viewer-no-event-logs/51158.html
August 24th, 2009 7:22pm

Thank you for your reply.

I have checked the permissions and these are not causing a problem, as I can read the entries up to the point the system failed. Also, we have done a full virus scan of the server and nothing major showed up. The server is now logging events just fine. It is just that there are thousands of entries that we cannot read.

From my research, this is a common side effect of a hard shutdown, which is annoying, as when the server unexpectedly shuts down I imagine the first thing anyone would want to do is to view the event logs to see what was going on leading up to the failure. I am sure that there must be a way to retrieve the events.

I have been looking at the structure of the event log in WinHEX and I can see that what probably happened is that the header for the last entry in the event log was not completed when the server failed, meaning that Event Viewer can only read events up to this 'corrupt' entry. I am currently working on identifying the corrupt entry bytes in an attempt to repair or simply remove them, but it is a long and tricky process. I am just thinking that surely someone must have done this already!?

Stephen
August 25th, 2009 11:17am
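The recovery approach described in the last post (walking the raw .evt bytes past the record that was never completed) can be automated. The following is an added example, not the poster's tool or anything from Microsoft: it uses the documented ELF_LOGFILE_HEADER and EVENTLOGRECORD layouts of the legacy .evt format, re-synchronises on the "LfLe" record signature, keeps only records whose leading and trailing Length fields agree, and also reports the header's dirty flag that stays set after an unclean shutdown. The log image it parses is constructed inline, so it runs offline; the source names, event IDs and computer name are invented sample values.

```python
import struct

LFLE = b"LfLe"                  # signature in the file header and in every record
REC_FMT = "<IIIIIIHHHHIIIIII"   # fixed part of EVENTLOGRECORD (56 bytes)
REC_LEN = struct.calcsize(REC_FMT)
def build_record(recno, event_id, source, computer, truncate=False):
    """Constructed sample EVENTLOGRECORD; truncate=True mimics a crash-cut record."""
    names = (source + "\x00" + computer + "\x00").encode("utf-16-le")
    body_end = REC_LEN + len(names)
    length = (body_end + 4 + 3) & ~3          # whole record is DWORD-aligned
    fixed = struct.pack(REC_FMT, length, 0x654C664C, recno, 1251117000, 1251117000,
                        event_id, 1, 0, 0, 0, recno, body_end, 0, body_end, 0, body_end)
    rec = fixed + names + b"\x00" * (length - 4 - body_end) + struct.pack("<I", length)
    return rec[: len(rec) // 2] if truncate else rec   # tail never reached disk

def parse_record(buf, start):
    f = struct.unpack_from(REC_FMT, buf, start)
    # SourceName and Computername follow the fixed part as NUL-terminated UTF-16LE
    names = buf[start + REC_LEN : start + (f[13] if f[12] else f[11])]
    source, computer = names.decode("utf-16-le", "replace").split("\x00")[:2]
    return {"record": f[2], "time": f[3], "event_id": f[5] & 0xFFFF, "source": source, "computer": computer}
def carve_records(buf):
    """Re-synchronise on 'LfLe'; keep records whose leading and trailing Length agree."""
    good, bad = [], []
    pos = buf.find(LFLE, 0x30 if buf[4:8] == LFLE else 0)  # step over the 48-byte header
    while pos >= 4:
        start = pos - 4
        length = struct.unpack_from("<I", buf, start)[0]
        intact = (REC_LEN < length <= len(buf) - start and length % 4 == 0
                  and struct.unpack_from("<I", buf, start + length - 4)[0] == length)
        if intact:
            good.append(parse_record(buf, start))
            pos = buf.find(LFLE, start + length)
        else:                                   # crash-truncated or garbage: note and skip
            bad.append(start)
            pos = buf.find(LFLE, pos + 4)
    return good, bad                            # (parsed records, offsets of bad ones)

def header_is_dirty(buf):
    """ELF_LOGFILE_HEADER.Flags bit 0 (ELF_LOGFILE_HEADER_DIRTY): log not closed cleanly."""
    return bool(struct.unpack_from("<I", buf, 36)[0] & 1)

def sample_log():
    """Constructed .evt image: dirty header, good record, crash-cut record, post-reboot record."""
    recs = (build_record(1, 7036, "Service Control Manager", "SRV01")
            + build_record(2, 1003, "System Error", "SRV01", truncate=True)
            + build_record(3, 6005, "EventLog", "SRV01"))
    header = struct.pack("<12I", 0x30, 0x654C664C, 1, 1, 0x30, 0x30 + len(recs),
                         4, 1, 0, 1, 0, 0x30)            # Flags = 1 -> dirty
    return header + recs
```

On a real file, read SysEvent.Evt into `buf` (from a copy, not the live log) and pass it to `carve_records`; the returned offsets of bad records are the bytes to inspect in the hex editor.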
