I should have expanded on this. Aside from what you mentioned (which can be fixed by resetting the event logs state to clean, usually quicker than parsing it yourself), I've had a few cases where for some reason the data in the logs were corrupted/truncated to the extent that I couldn't fix or parse them. I thought i'd throw it in as an extra caveat -)
I'd have to see them…Event Logs on Windows NT, 2000, XP, and 2003 are maintained in a circular buffer, and there are cases in which part of the event record will be written at the end of the file, and part of that same record will be found beginning at byte 49, right after the Event Log header.
I have also seen cases where the Event Log itself reports to the Event Viewer that it has 3207 records, but parsing it reveals 3208 records. This was due to the fact that there was an area near the middle of the file where the EOF marker was maintained (at the time that the system image was acquired) and there was an extra event record visible.
Tim,
Anything more about those logs?
H
http//