Problem description
During a VMware Virtual Machine backup, the Data Anomalies Scan fails, and the following error message is displayed in the Druva Management Console:
Snapshot not scanned for Data Anomalies as the USN journal size is lesser than the required size.
While the primary backup job itself may complete successfully, the Ransomware Recovery / Data Anomaly status is reported as Failed or Incomplete. This prevents the Druva Ransomware Recovery feature from thoroughly analyzing file-level changes for potential security threats during that backup window.
Symptoms:
The Ransomware Recovery dashboard flags the snapshot status as Not Scanned or Failed.
Guest agent logs or job details capture the following error:
Error: (1181, 'DeviceIoControl', 'The journal entry has been deleted from the journal.') drive:C:\High file churn is observed on the affected volume within the log data (e.g., tens of thousands of file creations, modifications, or deletions during the cycle).
Cause
This issue occurs because the Windows Update Sequence Number (USN) Journal on the guest operating system's specified volume (typically the
C:drive) is too small to retain the history of file changes between backup iterations.The USN Journal is a fixed-size log maintained by NTFS that records changes made to files and directories. In high-churn environments—such as active database servers, application servers generating voluminous logs, or batch processing systems—the log fills up rapidly.
When it reaches its capacity, it "wraps," meaning older entries are permanently purged to allocate space for new records. If the Druva agent attempts to query a historical journal entry that has already been purged, the OS returns Error 1181, causing the anomaly scan to fail.
Traceback
Error: (1181, 'DeviceIoControl', 'The journal entry has been deleted from the journal.') drive:C:\
Resolution
To resolve this issue, you must manually increase the USN Journal size on the impacted guest Virtual Machine to ensure it can retain a sufficient history of changes for the Data Anomalies scan to complete successfully.
Step 1: Increase the USN Journal Size
Log in to the impacted Windows Virtual Machine.
Open an Elevated Command Prompt (Run as Administrator).
Execute the following command to allocate more space. For high-churn environments, Druva recommends increasing this capacity to 4 GB:
fsutil usn createjournal m=4294967296 a=536870912 C:
m=4294967296: Sets the maximum size to 4 GB (in bytes).a=536870912: Sets the allocation delta to 512 MB (in bytes).C:: Replace this with the specific drive letter identified in your error logs.
📝 Note: A server reboot is not required for these changes to take effect; the OS adjusts the journal size dynamically.
Verification
Step 1: Verify the Configuration Change
In the same elevated command prompt on the guest VM, run the following command to verify the updated journal settings:
fsutil usn queryjournal C:
Verify that the Maximum Size matches or closely aligns with the new 4 GB allocation limit.
Step 2: Monitor the Next Backup Cycle
Navigate to the Druva Management Console.
Manually trigger an manual backup for the impacted VMware VM, or wait for the next scheduled backup window.
Review the job details to confirm that the Data Anomaly scan completes with a successful status.