Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Windows Security Log [message #157323] Mon, 06 July 2009 12:27
dontinou (United States)
Messages: 11
Registered: May 2009
Junior Member
Hi,

I keep running into this and now it's really causing me headaches.
When I log into my server, I get the message that "..the Security Log
is full". So I look at my settings, and I have a GPO that enforces
1GB for the Maximum security log size (and overwrite older than 30
days), which is correctly set. Then I look at the actual size of the
file on the filesystem, and it's only 350MB!! Why am I getting this
message when the log is nowhere near its limit? Do I need to compact/
defrag the file or something? I've had this happen on multiple
servers now.

Obviously if I change the overwrite setting to "overwrite events as
needed", I no longer get the message.. but company policy does not
allow me to do this, nor do I want to.

Any insight as to why the server is reporting the wrong log size to
itself?
Re: Windows Security Log [message #157326 is a reply to message #157323] Mon, 06 July 2009 13:05
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"dontinou" <johndads@gmail.com> wrote in message news:ff6299c9-ee68-46b3-a968-d9ed79b25a32@y7g2000yqa.googlegroups.com...
> Hi,
>
> I keep running into this and now it's really causing me headaches.
> When I log into my server, I get the message that "..the Security Log
> is full". So I look at my settings, and I have a GPO that enforces
> 1GB for the Maximum security log size (and overwrite older than 30
> days), which is correctly set. Then I look at the actual size of the
> file on the filesystem, and it's only 350MB!! Why am I getting this
> message when the log is nowhere near its limit? Do I need to compact/
> defrag the file or something? I've had this happen on multiple
> servers now.
>
> Obviously if I change the overwrite setting to "overwrite events as
> needed", I no longer get the message.. but company policy does not
> allow me to do this, nor do I want to.
>
> Any insight as to why the server is reporting the wrong log size to
> itself?


How did you define the 1 GB limit in GPO? It must be in multiples of 64KB:

"A user-defined number of kilobytes from 64 through 4,194,240; however, it must be a multiple of 64."
From:
Event Log Policy Settings: Security Policy
Although you can specify values as large as 4 GB in Group Policy Object Editor and ... that you should be able to configure up to 1 GB for all the event logs, ..... It is advisable to set Event log retention method for all three event ...
http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx

Also, have you confirmed with an RSOP and gpresult that the machine is getting the policy?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Re: Windows Security Log [message #157328 is a reply to message #157326] Mon, 06 July 2009 13:28
dontinou (United States)
Messages: 11
Registered: May 2009
Junior Member
Hi,

I just put 1000000 in the GPO field for security log size. Yes I've
done an RSOP, and it shows correctly.
Re: Windows Security Log [message #157330 is a reply to message #157328] Mon, 06 July 2009 13:39
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"dontinou" <johndads@gmail.com> wrote in message news:6b3f381a-115c-4c34-a584-d6deea074915@t21g2000yqi.googlegroups.com...
> Hi,
>
> I just put 1000000 in the GPO field for security log size. Yes I've
> done an RSOP, and it shows correctly.

1000000 is not a multiple of 64KB. As I've stated, and as the link I provided states, it must be set as a multiple of 64KB, or it will ignore it and go with whatever the default is or the prior setting was on the machine.

Try entering it as 1,024,000,000, then run a gpupdate:

gpupdate /force

Ace
Re: Windows Security Log [message #157331 is a reply to message #157330] Mon, 06 July 2009 14:04
dontinou (United States)
Messages: 11
Registered: May 2009
Junior Member
OK, did that, Security Log Max Size now shows: 1024000KB, still the
same error message on login :(

"The security log on this system is full."

Both the filesystem and eventvwr.msc show the actual size of the .evt
file to be ~320MB

thanks for your help so far..
Re: Windows Security Log [message #157336 is a reply to message #157331] Mon, 06 July 2009 15:48
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"dontinou" <johndads@gmail.com> wrote in message news:b6af1ea3-b343-411b-ae1d-0e9b82d22b3d@n11g2000yqb.googlegroups.com...
> OK, did that, Security Log Max Size now shows: 1024000KB, still the
> same error message on login :(
>
> "The security log on this system is full."
>
> Both the filesystem and eventvwr.msc show the actual size of the .evt
> file to be ~320MB
>
> thanks for your help so far..


Is this a DC?
What is the GPO applied to? All DCs and all servers or one or the other?
Do the others exhibit the same issue?

Ace
Re: Windows Security Log [message #157338 is a reply to message #157336] Mon, 06 July 2009 16:59
dontinou (United States)
Messages: 11
Registered: May 2009
Junior Member
One of the problematic servers is a DC, the other is just a member
server. There are two GPOs in action, one for DCs and one for member
servers. The other servers that are not having an issue I can't say
are affected or not, the security logs aren't as full to hit the
"limit" yet..
Re: Windows Security Log [message #157341 is a reply to message #157338] Mon, 06 July 2009 17:41
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"dontinou" <johndads@gmail.com> wrote in message news:e938f90a-ec58-4e26-943d-c4b48c5bd01a@c36g2000yqn.googlegroups.com...
> One of the problematic servers is a DC, the other is just a member
> server. There are two GPOs in action, one for DCs and one for member
> servers. The other servers that are not having an issue I can't say
> are affected or not, the security logs aren't as full to hit the
> "limit" yet..

Is the other GPO set to 1000000KB or 1024000KB? I have a feeling it won't work on the other one if not set to multiples of 64KB. I usually use 1024 as the multiplying factor to figure out the KB entry.

Anyway, after I re-read that article I previously posted, it appears that 300mb is the practical limit for an event log max due to the way Windows 'maps' the memory that all of the event logs share. Kind of surprised me, hence why you are experiencing this issue. Please re-read that article closely, specifically the second paragraph under the section titled, "Maximum event log size (settings for application, security and system logs)."

You may want to read Tony Murray's blog on this, indicating the same thing, which also references the link I previously provided.

Event logs and the "Maximum security log size" Group Policy setting
http://blogs.dirteam.com/blogs/tonymurray/archive/2006/09/01/Security-logs-and-the-_2200_Maximum-event-log-size_2200_-Group-Policy-setting.aspx

Ace
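
An added example, not part of any post in this thread: a PowerShell audit that lists each event log's configured maximum, its real file size and its overwrite behaviour, and checks them against the two figures discussed above (the 64 to 4,194,240 KB multiple-of-64 rule and the roughly 300 MB practical limit). Applying the 300 MB figure to the sum of all configured maximums is an assumption based on the post's wording that the logs share mapped memory.

```powershell
# Added example: audit classic event log size settings on the local machine.
# Run elevated; reading the Security log's settings needs administrator rights.
$MinKB = 64; $MaxKB = 4194240   # allowed range quoted from the TechNet article
$PracticalTotalMB = 300         # figure cited in the thread; summing across logs is an assumption
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

$report = foreach ($log in [System.Diagnostics.EventLog]::GetEventLogs()) {
    try {
        $maxKB = $log.MaximumKilobytes
        # The backing file path is stored in the log's service key (File value).
        $file = (Get-ItemProperty -Path "$svcKey\$($log.Log)" -ErrorAction Stop).File
        $file = [Environment]::ExpandEnvironmentVariables($file)
        $size = (Get-Item -LiteralPath $file -ErrorAction Stop).Length
        [pscustomobject]@{
            Log          = $log.Log
            MaxKB        = $maxKB
            MultipleOf64 = ($maxKB % 64 -eq 0)
            InRange      = ($maxKB -ge $MinKB -and $maxKB -le $MaxKB)
            FileMB       = [math]::Round($size / 1MB, 1)
            Overflow     = $log.OverflowAction       # OverwriteAsNeeded, OverwriteOlder or DoNotOverwrite
            RetainDays   = $log.MinimumRetentionDays
        }
    } catch {
        # Logs without a readable key or file (or without admin rights) are skipped.
        Write-Warning "Skipping $($log.Log): $($_.Exception.Message)"
    }
}
$report | Format-Table -AutoSize

# Flag any maximum that breaks the documented range / multiple-of-64 rule.
$report | Where-Object { -not ($_.MultipleOf64 -and $_.InRange) } | ForEach-Object {
    Write-Warning "$($_.Log): MaxKB $($_.MaxKB) is outside 64-4194240 or not a multiple of 64."
}

# Compare the sum of configured maximums with the practical limit from the thread.
$totalMB = ($report | Measure-Object -Property MaxKB -Sum).Sum / 1KB
if ($totalMB -gt $PracticalTotalMB) {
    $noOverwrite = $report | Where-Object { $_.Overflow -ne 'OverwriteAsNeeded' }
    Write-Warning ("Configured maximums total {0:N0} MB (practical limit ~{1} MB). Logs that may report 'full' early: {2}" -f
        $totalMB, $PracticalTotalMB, (($noOverwrite.Log) -join ', '))
}
```

A Security log that shows a FileMB far below MaxKB while Overflow is not OverwriteAsNeeded matches the symptom described in this thread.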
Re: Windows Security Log [message #157354 is a reply to message #157323] Tue, 07 July 2009 03:07
meiweb(nospam) (Germany)
Messages: 1307
Registered: July 2009
Senior Member
Hello dontinou,

If I remember correctly, there was a problem the higher you set the size of the
event log. So I suggest you set a smaller log, and save and delete (take care
of company policies) your logfiles for archive.

For example, when you configure the GPO setting "shutdown server when security
log is full", this also happens when the size is not reached. I realized this
myself some years ago.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Windows Security Log [message #157378 is a reply to message #157341] Tue, 07 July 2009 08:43
dontinou (United States)
Messages: 11
Registered: May 2009
Junior Member
Very interesting guys, at least now I know I'm not going crazy.

Thanks for all your efforts, it really is appreciated!!
Re: Windows Security Log [message #157423 is a reply to message #157378] Tue, 07 July 2009 11:08
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"dontinou" <johndads@gmail.com> wrote in message news:50089488-2c07-4018-99eb-0206a482b4f7@n11g2000yqb.googlegroups.com...
> Very interesting guys, at least now I know I'm not going crazy.
>
> Thanks for all your efforts, it really is appreciated!!


My pleasure!

Ace