none
How to check if Windows Backup completed Successfully?

    Question

  • I have used Windows Backup to back up a Windows Server 2008 R2. Now I would like to be notified if the bakup is not successful.
    I have created a Scheduled Task to trigger ONEVENT when an EventID 4 is logged to the log Microsoft-Windows-Backup/Operational.
    EventID 4 is when a backup is successful. What EventID do I need to check for to be notified when a backup is unsuccessful?

    Do I have to check for all the EventIDs that signifies an error?
    http://technet.microsoft.com/en-us/library/dd364735%28WS.10%29.aspx
    I can see that there is gaps in the list so I would like to know if there is a single EventID that is logged whenever a backup don't complete.

    Regards
    Supergoof
    • Moved by Tim QuanModerator Wednesday, October 21, 2009 2:11 AM (From:Windows Server 2008 R2 General)
    Tuesday, October 20, 2009 3:10 PM

Answers

  • As you listed above, Windows Backup when succeeds, publishes event-id 4. But it can fail due to multiple reasons (user cancellation, another operation in progress, generic failure etc.). Windows Backup throws individual error events for all such scenarios, there is no single EventID for a failed backup.

    There can be two ways to check if the backup had failed from the events:

    1. For every backup run, successful or failed, event-id 14 is generated. The event-data for this ID contains the overall status of the backup in the field 'HRESULT'. This should be 0 for a successful backup, non-zero otherwise.

    2. You can configure the Task Scheduler to trigger ONEVENT when any of the failing events is published. They are all the other event-ids (except id 4) in the link you provided above.

    HTH
    Sandeep [MSFT]


    This posting is provided "AS IS" with no warranties, and confers no rights
    Wednesday, October 21, 2009 4:55 AM

All replies

  • As you listed above, Windows Backup when succeeds, publishes event-id 4. But it can fail due to multiple reasons (user cancellation, another operation in progress, generic failure etc.). Windows Backup throws individual error events for all such scenarios, there is no single EventID for a failed backup.

    There can be two ways to check if the backup had failed from the events:

    1. For every backup run, successful or failed, event-id 14 is generated. The event-data for this ID contains the overall status of the backup in the field 'HRESULT'. This should be 0 for a successful backup, non-zero otherwise.

    2. You can configure the Task Scheduler to trigger ONEVENT when any of the failing events is published. They are all the other event-ids (except id 4) in the link you provided above.

    HTH
    Sandeep [MSFT]


    This posting is provided "AS IS" with no warranties, and confers no rights
    Wednesday, October 21, 2009 4:55 AM
  • Thanks for the ansver.

    Is there some easy way to check the HRESULT field that can be used?

    Regards
    Supergoof
    Wednesday, October 21, 2009 2:36 PM
  • You can use an XPATH query with the util wevtutil to get the data:

        wevtutil qe Microsoft-Windows-Backup /f:text /q:"*[System/EventID=14] and *[EventData/Data[@Name='HRESULT']='0']"

    The above query run will fetch all the events in the Backup channel with id=14 and with HRESULT=0. You can modify this query for your own usage.

    Thanks
    Sandeep [MSFT]
    This posting is provided "AS IS" with no warranties, and confers no rights
    Thursday, October 22, 2009 3:58 AM
  • Hello Sandeep

    exellent reply.

    I guess this is one of the new command line tools in Windows Server 2008.

    I have tried to modify your suggestion but I haven't had that much luck. My goal is to only look at the last 2 days events.

    I didn't find any options that would filter by date only by number of events in the wevutil documentation. So I've tried to accomplish this by using the function starts-with. This is where I'm at so far but it doesn't work yet.

    wevtutil qe Microsoft-Windows-Backup /f:text /rd:true /q:"*[System/EventID=14] and *[EventData/Data[@Name='HRESULT']='0'] and *[EventData/Data[starts-with([@Name='BackupTime'],'2009')]"

    I guess it is just a matter of where to put the starts-with function.
    Thursday, October 22, 2009 1:16 PM
  • I found the answer myself....kinda.

    I was inspired by this post http://blogs.msdn.com/ntdebugging/archive/2009/09/08/exploring-and-decoding-etw-providers-using-event-log-channels.aspx

    When you use the "Filter Current Log..." action it displays the XPath query it uses in the XML tab. Setting a filter to show only the last 24 hours of events produced this query:

    *[System[(Level=4 or Level=0) and (EventID=14) and TimeCreated[timediff(@SystemTime) <= 86400000]]]

    Notice the way it writes "less than" as &lt;. Just replace the &lt; with < and the query works in wevutil as well. I'm not sure why the System/Level is filtered though.

    Thursday, October 22, 2009 3:40 PM
  • I have now set up two Scheduled Tasks.

    Check for Error: ONEVENT, with Custom Event Filer:
    System[Provider[@Name='Microsoft-Windows-Backup'] and (Level=4 or Level=0) and (EventID=14)]] and *[EventData/Data[@Name='HRESULT']!='0']

    Check for Success: ONEVENT, with Custom Event Filer:
    System[Provider[@Name='Microsoft-Windows-Backup'] and (Level=4 or Level=0) and (EventID=14)]] and *[EventData/Data[@Name='HRESULT']='0']

    The Success event works and sends an e-mail when backup completes successfully. Is there a way to force a backup to err so I can test the Error event as well?
    • Proposed as answer by Doug_Ivison Tuesday, October 23, 2012 1:45 PM
    Friday, October 23, 2009 8:11 AM
  • You can abort a running backup midway using wbadmin stop job to generate a failure event (backup-cancelled).
    This posting is provided "AS IS" with no warranties, and confers no rights
    Friday, October 23, 2009 10:11 AM
  • It works

    Thanks alot.
    Friday, October 23, 2009 10:28 AM
  • Just wanted to say thanks to both of you.  I have just used your solution to create alerts for my backups.

    Many thanks!

    Friday, April 02, 2010 2:08 PM
  • just wondering if there is any simpler way to do this now? ( as of June 2011)

    this is one of the most fundamental things about computing... a simple email facility to tell you whether or not the backup has run successfully and it is utterly in-excusable that it is so convoluted and so complicated to get this set up -COMPLETELY RIDICULOUS ACTUALLY

    what the hell are you thinking Microsoft?

    regards

    Gary


    Friday, June 10, 2011 5:38 PM
  • Hi!

    It appears that this way of being notified about the backup status has a flaw. I have a Windows Server 2008 R2 Standard SP2 running and when the backup-drive is offline I don't get an event with ID 4 from source Backup in my event log at all and therefore I am not informed about the problem.

    The only log entries from source backup I see are 561, 49, 546, and 19.

    For now I attached another trigger to event 561 but of course there might be more cases that need to be checked seperatly. So my question is: does anybody know a safe way of being informed about backup failures?

     

    Regards

    Dominik

    Sunday, July 10, 2011 1:42 PM
  • Hi! can you put the complete query (from wevtutil....) And how trigg the email? until now, only can put the result of the query into a log file, but not into a variable. So I could use something like:

    If %backupstatus%=0 goto backup-ok

    Thanks!

    Wednesday, July 09, 2014 2:11 PM
  • Hi! can you put the complete query (from wevtutil....) And how trigg the email? until now, only can put the result of the query into a log file, but not into a variable. So I could use something like:

    If %backupstatus%=0 goto backup-ok

    Thanks!

    Events filter for the last 24h

    Here is the xml query for eventlog:

    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Backup">
        <Select Path="Microsoft-Windows-Backup">*[System[(EventID=14) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]] and *[EventData[Data[@Name='HRESULT']!='0']]</Select>
      </Query>
    </QueryList>

    and this is for cmd:

    wevtutil qe Microsoft-Windows-Backup /rd:true /f:text /q:"*[System[(EventID=14)and TimeCreated[timediff(@SystemTime) <= 86400000]]] and *[EventData[Data[@Name='HRESULT']!='0']]"

    Wednesday, September 10, 2014 10:50 AM