1108 The event logging service encountered an error
Written when the event logging service hits an error while processing an incoming event. A malformed or incomplete event is often present just before it.
Overview
The subcategory is Other Events and the source is Microsoft-Windows-Eventlog. It occurs when the service could not write an event to the log correctly, or when required parameters were not passed. In most cases a defective or inconsistent event sits right before the 1108. The original docs give the example of a 1108 following an incorrect 4703.
How it is triggered
- When a provider (an event publisher) submits an event whose format is broken.
- The field %1 holds the name of the publisher (security event source) of the event that failed processing. Registered sources can be checked under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security.
Security review points
- Monitoring all 1108 events and checking the cause is recommended.
- It can be a sign of event tampering or of tricks aimed at the logging mechanism (sending malformed events to disrupt recording), so investigate it together with the preceding event.
Notes for log review
- Read it as a pair with the “broken event” that lines up just before, not on its own. Which source (%1) it occurred on is the starting point for triage.
- If it recurs for a specific source, separate a genuine fault in that provider from deliberate manipulation.
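The pairing and per-source triage described above can be scripted as follows. This is an added example, not part of the original documentation; it assumes an elevated PowerShell session on the host being reviewed, and that the record just before each 1108 (RecordId minus one) is the "broken event" to inspect.

```powershell
# Added example: pair every 1108 with the record written just before it,
# and check whether the publisher named in %1 is a registered Security source.
# Assumption: run elevated, since reading the Security log needs admin rights.

$regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$registered = @((Get-ChildItem -Path $regPath -ErrorAction SilentlyContinue).PSChildName)

$errors = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1108 } `
                       -ErrorAction SilentlyContinue

$report = foreach ($e in $errors) {
    # %1 is the first insertion string: the publisher whose event failed.
    $publisher = if ($e.Properties.Count -gt 0) { [string]$e.Properties[0].Value } else { '' }

    # The preceding record may be missing if the log rolled over or was cleared.
    $prevId = $e.RecordId - 1
    $prev   = Get-WinEvent -LogName Security `
                           -FilterXPath "*[System[EventRecordID=$prevId]]" `
                           -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        RecordId     = $e.RecordId
        Publisher    = $publisher
        IsRegistered = $registered -contains $publisher
        PrevRecordId = $prevId
        PrevEventId  = if ($prev) { $prev.Id } else { $null }
        PrevProvider = if ($prev) { $prev.ProviderName } else { $null }
        PrevTime     = if ($prev) { $prev.TimeCreated } else { $null }
    }
}

# One row per 1108, with its preceding event alongside.
$report | Sort-Object TimeCreated | Format-Table -AutoSize

# Recurrence per source: the starting point for separating a faulty
# provider from deliberate manipulation.
$report | Group-Object Publisher |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A row with an empty PrevEventId means the preceding record is no longer in the log, so that 1108 has to be reviewed against forwarded or archived copies instead.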
Key fields
| Field | Meaning |
|---|---|
| %1 | The name of the publisher (security event source) of the event that failed processing |