Entries disappearing from Win2K3 Server event logs

I noticed two days ago that entries seem to be missing from my event logs.  I usually look at the Application log and many user entries are missing from 4-12-2005 to the present, so in addition to old entries disappearing, it looks like new entries are not being recorded.

My Security log file was corrupted so I cleared that file today and started a new log.

Does anyone know what might be happening?  Any recommendations?  I have never cleared any of my logs.  Even though I am responsible for the server, my networking and server experience is limited and I am learning as I go along, so if this is a simple maintenance issue, I would like to know that, also.

The machine is running Win2K3 Server and I am using Terminal Services.
dingmaeh asked:

rindi commented:
By right-clicking on the different sections of your event log viewer, you can set / unset some log filters. You can also use security policy and Group Policy editor to fine tune what should get logged and what should not get logged. Check the "Auditing sections" to turn on or off what would be logged.
0
 
rindi commented:
Don't let the logs get too large. Limit their size (or it could happen that your disk fills up and the OS stops running!). You can always save their entries by exporting them to a file.
0
 
gpriceee commented:
Hi.  
On the log, such as application, right click --> properties --> general tab
You can adjust the maximum size of the log.
Also, you can set it to Overwrite events as needed, Overwrite events older than X days, or Do not overwrite events.

Your log is set to one of the Overwrite options.

You can keep it that way and just save the logs periodically--but if an event occurs that writes to the log every 12 nanoseconds, your log history will disappear pretty quickly.

Take note of the log directory location and adjust the size of the log in accordance with disk space.  You can always set the log to overwrite events older than X days and copy them prior to the overwrite.

Just set a reminder for yourself to export the log files so that you can open them later if you wish.
0
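The settings gpriceee describes (maximum size, the three overwrite modes, the log file location and the periodic export) can all be inspected and changed from a script rather than the properties dialog. The following is an added example, not code from the thread: it reads the classic (pre-Vista) Application log configuration from the registry, compares the file to the free space on its volume, sets a larger size with a 30-day retention, and exports a dated CSV copy. It assumes PowerShell 2.0 or later with the Get-EventLog/Limit-EventLog cmdlets, administrative rights, and an archive directory of C:\EventLogArchive; the 64 MB and 30-day figures are illustrative.

```powershell
# Added example (not from the thread): inspect, resize and export the Application log.
# Assumes PowerShell 2.0+, administrative rights; archive path and sizes are assumptions.

$logName   = 'Application'
$exportDir = 'C:\EventLogArchive'   # assumed archive location

# Classic event log settings live under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<log>.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$logName"
$cfg = Get-ItemProperty -Path $key

# Retention: 0 = overwrite as needed; 0xFFFFFFFF (read back as -1 from a DWORD) = never
# overwrite; any other value = minimum age in seconds before an event may be overwritten.
$retention = switch ($cfg.Retention) {
    { $_ -eq 0 }                          { 'Overwrite events as needed' }
    { $_ -eq -1 -or $_ -eq 4294967295 }   { 'Do not overwrite events (manual clear required)' }
    default                               { 'Overwrite events older than {0} days' -f [int]($_ / 86400) }
}
'{0}: file={1} maxsize={2:N0} bytes retention={3}' -f $logName, $cfg.File, $cfg.MaxSize, $retention

# Check the log file against the free space on its volume before growing it.
$logFile = [Environment]::ExpandEnvironmentVariables($cfg.File)   # e.g. %SystemRoot%\system32\config\AppEvent.Evt
$drive   = Split-Path -Qualifier $logFile                           # e.g. C:
$disk    = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
'Free on {0}: {1:N2} GB; log file on disk: {2:N0} bytes' -f $drive, ($disk.FreeSpace / 1GB), (Get-Item $logFile).Length

# Grow the log to 64 MB and keep at least 30 days of entries (assumed values).
# -RetentionDays is only valid together with -OverflowAction OverwriteOlder.
Limit-EventLog -LogName $logName -MaximumSize 64MB -OverflowAction OverwriteOlder -RetentionDays 30

# Export a dated copy; run this on a schedule so history survives log rollover.
if (-not (Test-Path $exportDir)) { New-Item -ItemType Directory -Path $exportDir | Out-Null }
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Get-EventLog -LogName $logName |
    Select-Object TimeGenerated, EntryType, Source, InstanceId, Message |
    Export-Csv -Path (Join-Path $exportDir "$logName-$stamp.csv") -NoTypeInformation
```

The exported CSV keeps a readable record even after the live log has wrapped, which is the point gpriceee makes about a busy source overwriting history quickly; the registry read also tells you where the .evt file actually is on disk, which matters for the free-space check.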
dingmaeh (author) commented:
rindi & gpriceee,

Thanks for the tips on log size and cleanup.  I checked the logs and they have plenty of space, and I have plenty of free disk space.  Also, I have the overwrite options set to replace the oldest entry.

My biggest concern is that no new entries seem to be writing to the logs and that old entries disappeared.  Should I just recreate the Application and System logs?  I don't want to spend a lot of time tracking down an unimportant situation, but I use the logs regularly to troubleshoot different things and monitor what is going on with the server.  I would like to think I can depend on them.

Any ideas about the odd logging activity?
0
 
rindi commented:
The logs are still being written, you just can't read them (you could export them to a file and then you should also be able to read them). There is an issue like yours somewhere, I just don't exactly remember what the remedy was. If I find it, I'll be back.
0
 
rindi commented:
0
 
dingmaeh (author) commented:
rindi,

I have saved and cleared my logs.  I exported the Application log to another format so I could see what was in the log and entries are definitely missing.  In addition, no entries are going into the log now.

The link you suggested is for Windows 2000 Server and I am running W2K3 Server.  In your experience, does Microsoft leave a problem like this unfixed from version to version?  
0
 
rindi commented:
Worse even, from my experience M$ sometimes even unfixes previously fixed errors in service packs...

;-)

You could try disabling the eventvwr service in your services, then reboot and delete or move the *.evt files from \System32\config. Now enable the service again and check if the logs are working. If that helps I suggest you plan some server down time and run chkdsk <driveletter> /F /R /X, as there might be areas on your disks that need fixing. The server will not be able to run this in normal mode, so it will ask you if it should plan running chkdsk next time you boot. Answer with yes. This, depending on the size of your disk space, can take a very long time.
0
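The reset rindi outlines has to be done in two phases around a reboot, because the Event Log service (service name Eventlog) cannot simply be stopped while Windows Server 2003 is running. The script below is an added example and not rindi's own commands: the Prepare phase exports whatever is still readable and disables the service, and after the reboot the Reset phase moves the old .evt files aside, re-enables the service and checks that the System log is receiving the service-start event (ID 6005). It assumes an elevated PowerShell 2.0+ prompt and a backup directory of C:\EventLogArchive\evt-backup.

```powershell
# Added example (not from the thread): reset the classic .evt files in two phases.
# Usage:  .\Reset-EventLogs.ps1 -Phase Prepare   (then reboot)
#         .\Reset-EventLogs.ps1 -Phase Reset
# Assumes an elevated PowerShell 2.0+ prompt; the backup path is an assumption.
param(
    [ValidateSet('Prepare', 'Reset')]
    [string]$Phase = 'Prepare'
)

$logDir = Join-Path $env:SystemRoot 'system32\config'   # where AppEvent.Evt, SysEvent.Evt, SecEvent.Evt live
$backup = 'C:\EventLogArchive\evt-backup'               # assumed location for the old files
if (-not (Test-Path $backup)) { New-Item -ItemType Directory -Path $backup | Out-Null }

switch ($Phase) {
    'Prepare' {
        # Save readable copies first; a damaged log may still export partially.
        $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
        foreach ($log in 'Application', 'System', 'Security') {
            Get-EventLog -LogName $log -ErrorAction SilentlyContinue |
                Select-Object TimeGenerated, EntryType, Source, InstanceId, Message |
                Export-Csv -Path (Join-Path $backup "$log-$stamp.csv") -NoTypeInformation
        }
        # The service cannot be stopped live, so set it to Disabled and reboot.
        sc.exe config eventlog start= disabled | Out-Null
        'Event Log service disabled. Reboot, then run this script with -Phase Reset.'
    }
    'Reset' {
        # With the service not running, the .evt files are no longer locked: move them aside
        # (keep them; they can still be opened later with "Open Log File" in Event Viewer).
        Move-Item -Path (Join-Path $logDir '*.evt') -Destination $backup -Force
        sc.exe config eventlog start= auto | Out-Null
        Start-Service -Name eventlog
        # Fresh logs are created on start; the service records event 6005 in System.
        $started = Get-EventLog -LogName System -Newest 20 |
            Where-Object { $_.Source -eq 'EventLog' -and $_.EventID -eq 6005 }
        if ($started) { 'Event Log service restarted; new log files are being written.' }
        else          { 'No 6005 start event seen yet; reboot again and re-check.' }
        Get-ChildItem (Join-Path $logDir '*.evt') | Format-Table Name, Length, LastWriteTime -AutoSize
    }
}
```

The chkdsk step is deliberately left out of the script: on the system volume, chkdsk C: /F /R /X cannot lock the disk and will offer to schedule itself for the next boot, so run it interactively during the planned downtime rindi mentions and answer Y.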
 
dingmaeh (author) commented:
Hmmm...

I have removed the event files and rebooted.  The system log and security log seem to be getting entries.  The Application log is getting sporadic entries.  I am looking for user log on/off information but that information is not being recorded.  After removing and rebooting, the only thing in the Application log file now is this information message "lsass (672) The database engine 5.02.3790.1830 started."  Earlier, before removing and rebooting, I got some entries from the Veritas backup software.

Does something else control log on/off activity entries?
0
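On Windows Server 2003, user logon and logoff activity is written to the Security log rather than the Application log, and only while the "Audit logon events" (and, for domain accounts, "Audit account logon events") categories are enabled. The following is an added example, not part of the thread: it exports the effective local audit policy with secedit and reads the [Event Audit] section, then lists the last day's logon/logoff events and flags Terminal Services sessions (logon type 10). It assumes PowerShell 2.0+ and administrative rights; the pre-Vista event IDs used (528 interactive logon, 540 network logon, 529 failed logon, 538 logoff, 682/683 Terminal Services session reconnect/disconnect) are the ones this server version writes, and it assumes the first insertion string of each of those events is the account name.

```powershell
# Added example (not from the thread): check logon auditing and list logon/logoff events
# on Windows Server 2003. Assumes PowerShell 2.0+ and administrative rights.

# --- 1. Effective audit policy: secedit exports it to an .inf with an [Event Audit] section.
$inf = Join-Path $env:TEMP 'audit-policy.inf'
secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
$policy = @{}
Get-Content $inf |
    Where-Object { $_ -match '^Audit(\w+)\s*=\s*(\d+)' } |
    ForEach-Object { $policy[$matches[1]] = [int]$matches[2] }
Remove-Item $inf -ErrorAction SilentlyContinue

# Values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
foreach ($cat in 'LogonEvents', 'AccountLogon') {
    $state = switch ($policy[$cat]) {
        0       { 'none (logons will NOT appear in the Security log)' }
        1       { 'success' }
        2       { 'failure' }
        3       { 'success and failure' }
        default { 'not set' }
    }
    "Audit $cat : $state"
}

# --- 2. Recent logon/logoff events from the Security log.
$ids   = 528, 529, 538, 540, 682, 683
$since = (Get-Date).AddDays(-1)
Get-EventLog -LogName Security -After $since |
    Where-Object { $ids -contains $_.EventID } |
    ForEach-Object {
        # The message body carries "Logon Type: N"; 10 = RemoteInteractive (Terminal Services).
        $type = if ($_.Message -match 'Logon Type:\s*(\d+)') { [int]$matches[1] } else { $null }
        New-Object PSObject -Property @{
            Time             = $_.TimeGenerated
            EventID          = $_.EventID
            User             = $_.ReplacementStrings[0]   # assumed: account name is the first insertion string
            LogonType        = $type
            TerminalServices = ($type -eq 10)
        }
    } |
    Sort-Object Time |
    Format-Table Time, EventID, User, LogonType, TerminalServices -AutoSize
```

If the first section reports "none" for LogonEvents, the Security log will stay empty of logon activity no matter what size or overwrite settings the log has; turning the category back on in Local Security Policy (or the Group Policy object that applies to the server) is what restores those entries.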
 
dingmaeh (author) commented:
rindi,

The default auditing that has always been on is still on.  The user logon/off is still not logging anywhere.  I suspect I have done something I can't remember, but I have also seen Windows seem to spontaneously reset things for no apparent reason.

Even though I still think it needs to be resolved, I think I have to put this problem on a back burner.

Thanks for all your help;  I appreciate you hanging in there so long.  You have given me valuable information and helped me understand a bit more about auditing and event logs.  Even though my problem has not been solved, I think you have earned the points for this question.
0
 
rindi commented:
Thanks.
0