Event ID: 34 Source: VolSnap

The shadow copies of volume <volume> were aborted because of a failure to ensure crash dump or hibernate consistency.
Based on my research, this event is logged if the IO queue depth, that is, the number of bytes outstanding from all applications at any time, is too large for the current free space in the "diff area" file. This event will not be logged unless the "diff area" volume is being snapshotted. Best practices suggest isolating all of the "diff area" files on volumes that are not going to participate in the snapshot set. If you have other drives such as D: or E:, please configure the shadow copy of C: to put the shadow copy storage area on D: or E:, and then disable shadow copy of D: or E:. To do this, please refer to the following steps:

1. Open My Computer or Windows Explorer, right-click on drive C:, and then click Properties.
2. Click the Shadow Copies tab, click Volume C:\, and then click the Disable button.
3. Click the Settings button, change the location to D:\, and then click OK.
4. Click the Enable button to enable shadow copy of drive C:.

It is also recommended to create a registry entry for HKLM\SYSTEM\CurrentControlSet\Services\VolSnap\MinDiffAreaFileSize and give it a decimal value of MBs to cache. (Default is 300, which may be insufficient for many installations). Setting this to a high value (3000 or 3GB) may resolve VolSnap errors.
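
The following read-only PowerShell audit is an added example, not part of the original page. It lists recent VolSnap event 34 records, flags any shadow storage ("diff area") that sits on a volume which is itself being snapshotted, and reports the current MinDiffAreaFileSize setting. It assumes an elevated prompt, the Win32_ShadowStorage and Win32_ShadowCopy CIM classes (Windows Server), and that MinDiffAreaFileSize is a DWORD value under the VolSnap service key.

```powershell
# Added example (not from the original page). Read-only; run from an elevated prompt.

# 1. Recent VolSnap event 34 records in the System log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'volsnap'; Id = 34 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
"VolSnap event 34 records found: $(@($events).Count)"
$events | Select-Object TimeCreated, Message | Format-List

# 2. Map volume GUID paths to drive letters or mount points.
$names = @{}
Get-CimInstance Win32_Volume | ForEach-Object { $names[$_.DeviceID] = $_.Name }

# Volumes that currently hold at least one shadow copy.
$snapshotted = @(Get-CimInstance Win32_ShadowCopy |
    Select-Object -ExpandProperty VolumeName -Unique)

# 3. For each shadow storage association, flag a diff area that lives on a
#    snapshotted volume (the condition the comment above says triggers event 34).
Get-CimInstance Win32_ShadowStorage | ForEach-Object {
    $src  = $_.Volume.DeviceID
    $diff = $_.DiffVolume.DeviceID
    [pscustomobject]@{
        Volume              = $names[$src]
        DiffAreaVolume      = $names[$diff]
        UsedMB              = [math]::Round($_.UsedSpace / 1MB)
        AllocatedMB         = [math]::Round($_.AllocatedSpace / 1MB)
        DiffAreaSnapshotted = $snapshotted -contains $diff
    }
} | Format-Table -AutoSize

# 4. Current MinDiffAreaFileSize (assumed: DWORD value, in MB, under the VolSnap key).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VolSnap'
$val = (Get-ItemProperty -Path $key -Name MinDiffAreaFileSize `
    -ErrorAction SilentlyContinue).MinDiffAreaFileSize
if ($null -eq $val) {
    'MinDiffAreaFileSize: not set (the page gives the default as 300 MB)'
} else {
    "MinDiffAreaFileSize: $val MB"
}

# To apply the value suggested above (3000), uncomment after reviewing the audit output:
# New-ItemProperty -Path $key -Name MinDiffAreaFileSize -PropertyType DWord -Value 3000 -Force
```

A row with DiffAreaSnapshotted set to True is a candidate for the relocation steps above.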
