If recovery occurs from a snapshot at the moment after which the agent has already read "new" log events. (those that appeared after the snapshot was taken) That is, the last eventid that the agent took and remembered is more than is the last at the time of the snapshot.
On the other hand since Windows has a 4-byte counter for eventid, it is very likely that the situation is "crossing" over 0 (eventid 9998,9999,1,2). In this case, the agent can re-read the log.
It is possible that the situation with the "rollback" of events before the "snapshot" is perceived by the agent as crossing over 0. These situations are difficult to distinguish
We cannot know which events from the log are already in Zabbix, and which ones appeared after recovery. The agent does not have 'clock' and 'eventid' for latest historical data. So there is just 2 options:
1. reread full log (as agent does)
2. try to skip existing events and collect only new ones. (but in this case we can lose some events - which appeared after recovery but before the Zabbix agent starts)