Last weekend a server crashed, during the investigation I noticed that in the immediate run up to the failure we saw a large number of a specific event in the application log. In an attempt to understand what was occurring I attached a task to that event to send me an email if it occurred again.
I've been receiving emails all weekend, some 200 emails received since Friday evening, and they are still arriving.
This morning I've logged onto the server and opened event viewer and I cannot see any new instances of that event in the log viewer.
If i filter by event ID I can see the series of events from last week but nothing since then.
Get-Eventlog shows the same as the GUI viewer, ie no record of these events, and yet I am still getting the emails generated.
Everything else seems to be being logged as expected, as far as I can tell.
This is a Server 2008 R2 box runnin in an ESXi cluster, latest updates etc. Tools is up to date with ESXi (although I am going to move to 10.0.5 I think).
EDIT: WEVTUTIL qe APPLICATION >>ApplicationLog.log
I can now see the logs triggering hte event. Still no idea why these are not showing in the viewer.
It is most likely the Default setting for EventLog dropping off old items.
See my answer at: https://superuser.com/questions/1414698/does-windows-eventlog-drops-off-old-items-as-new-items-are-added