I'm Blind - I MUST BE! - Security Log FULL!!

Posted on 2009-02-23
Medium Priority
Last Modified: 2013-12-04
I have a number of servers that have full security logs.  So no further entries are being logged {wonderful for compliance}.  I understand how to fix thsi.
We are undergoing compliance improvements and will be standardizing all logs.
I've been seaching and can't seem to find my answer.....

I am looking for:
1) An eventID # that I can scan each system for to determine IF the Security {or any} Event Log is full.
2) A script that will allow me to scan each system to determine if the event log is full.

I should be able to write the script if I just have something to search for.
But, hey if someone already has something written I am a firm believer in NOT reinventing the wheel!

Is there a REG Key I can look for which 0=not full 1=full?
Via script, Is there an easy way to determine if the Security {or any} event log is full/

I searched and found a question that states an entry is made to the application log when the security log if full but that link is dead and i can't seem to find the event # that is generated.

Question by:MAJAEJ
  • 3
  • 3
LVL 11

Expert Comment

ID: 23711588
Event id 6000 is what's registered when you have a full event log file:  http://www.eventid.net/display.asp?qsc0=0&eventid=6000&source=source&x=0&y=0.  

I don't know of a registry key that's set in a case like this, but I've never tested.  One option would be to spin up a VM, fill up its log file (you'd probably wanna set the capacity size really low) then monitor registry writes using Microsoft Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx).

Author Comment

ID: 23712271
Hmm... Great Idea on the VM.
But it's still SysInternals in my old eyes!!
Thanks - I'll check that out..
However, the 6000 entry appears to refer to the Application and System. My primary concern {compliancy} at the moment is the SECURITY Event log...

LVL 11

Accepted Solution

snoopfrogg earned 1000 total points
ID: 23712396
I'm still getting used to putting "Microsoft" in front of Sysinternals, too :)

It looks like event id 6000 pertains to any event log per this TechNet article:  http://technet.microsoft.com/en-us/library/cc774976.aspx.  
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 23713574
However, here's my problem.
I have a server with a Full Security Log.
I've verified the max size and actual size.  -- 499 BM
The event log goes from 2/7/09 - 2/18/09
I've scanned the System log and there are no entries for 6000 what so ever.  
System log dates back to  8/18/2008 through current.

Hmm... What now batman?
LVL 11

Expert Comment

ID: 23715498
Hmmm, good point.  I'm not sure why the entry isn't appearing.

Another thought:  What about monitoring the size of the event log files via script?  On Windows Server 2003, event logs are stored in C:\Windows\System32\Config by default.  

Assisted Solution

jwarnken earned 1000 total points
ID: 23723449
I would just use a script that checks the current size vs the max size and take action based on that


Author Closing Comment

ID: 31550090
Thanks - Sorry for the delay - Busy week...  

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since upgrading to Office 2013 or higher installing the Smart Indenter addin will fail. This article will explain how to install it so it will work regardless of the Office version installed.
Learn about cloud computing and its benefits for small business owners.
Get people started with the process of using Access VBA to control Excel using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Excel. Using automation, an Access application can laun…
Get people started with the utilization of class modules. Class modules can be a powerful tool in Microsoft Access. They allow you to create self-contained objects that encapsulate functionality. They can easily hide the complexity of a process from…

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question