I'm Blind - I MUST BE! - Security Log FULL!!

Posted on 2009-02-23
Last Modified: 2013-12-04
I have a number of servers that have full security logs. So no further entries are being logged {wonderful for compliance}. I understand how to fix this.
We are undergoing compliance improvements and will be standardizing all logs.
I've been searching and can't seem to find my answer.....

I am looking for:
1) An eventID # that I can scan each system for to determine IF the Security {or any} Event Log is full.
2) A script that will allow me to scan each system to determine if the event log is full.

I should be able to write the script if I just have something to search for.
But, hey if someone already has something written I am a firm believer in NOT reinventing the wheel!

Is there a REG Key I can look for which 0=not full 1=full?
Via script, is there an easy way to determine if the Security {or any} event log is full?

I searched and found a question that states an entry is made to the application log when the security log is full, but that link is dead and I can't seem to find the event # that is generated.

Question by:MAJAEJ
    LVL 11

    Expert Comment

    Event id 6000 is what's registered when you have a full event log file:  

    I don't know of a registry key that's set in a case like this, but I've never tested.  One option would be to spin up a VM, fill up its log file (you'd probably wanna set the capacity size really low) then monitor registry writes using Microsoft Process Monitor (

    Author Comment

    Hmm... Great Idea on the VM.
    But it's still SysInternals in my old eyes!!
    Thanks - I'll check that out..
    However, the 6000 entry appears to refer to the Application and System. My primary concern {compliancy} at the moment is the SECURITY Event log...

    LVL 11

    Accepted Solution

    I'm still getting used to putting "Microsoft" in front of Sysinternals, too :)

    It looks like event id 6000 pertains to any event log per this TechNet article:  

    Author Comment

    However, here's my problem.
    I have a server with a Full Security Log.
    I've verified the max size and actual size. -- 499 MB
    The event log goes from 2/7/09 - 2/18/09
    I've scanned the System log and there are no entries for 6000 whatsoever.
    System log dates back to 8/18/2008 through current.

    Hmm... What now, Batman?
    LVL 11

    Expert Comment

    Hmmm, good point.  I'm not sure why the entry isn't appearing.

    Another thought:  What about monitoring the size of the event log files via script?  On Windows Server 2003, event logs are stored in C:\Windows\System32\Config by default.  
    LVL 8

    Assisted Solution

    I would just use a script that checks the current size vs the max size and take action based on that.

    Author Closing Comment

    Thanks - Sorry for the delay - Busy week...  
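
An added example, not part of the original thread: a PowerShell version of the size-versus-maximum check suggested in the answers above, using the WMI class Win32_NTEventlogFile. The computer list, the log names and the 90 percent threshold are assumptions to replace with your own values.

```powershell
# Added example (not from the thread): report event logs at or near their
# configured maximum size. Computer names and threshold are assumed values.
param(
    [string[]]$Computers        = @($env:COMPUTERNAME),
    [string[]]$LogNames         = @('Security'),
    [int]     $ThresholdPercent = 90
)

function Get-EventLogFill {
    param([string]$Computer, [string[]]$LogNames)

    # Win32_NTEventlogFile reports FileSize and MaxFileSize in bytes.
    # -EnableAllPrivileges enables the Security privilege that WMI needs
    # in order to read the Security log.
    $logs = Get-WmiObject -Class Win32_NTEventlogFile -ComputerName $Computer `
                          -EnableAllPrivileges -ErrorAction Stop

    foreach ($log in $logs) {
        if ($LogNames -notcontains $log.LogfileName) { continue }

        # Guard against a zero maximum so the division cannot fail.
        $pct = 0
        if ($log.MaxFileSize -gt 0) {
            $pct = [math]::Round(100 * $log.FileSize / $log.MaxFileSize, 1)
        }

        New-Object PSObject -Property @{
            Computer        = $Computer
            Log             = $log.LogfileName
            SizeMB          = [math]::Round($log.FileSize / 1MB, 1)
            MaxMB           = [math]::Round($log.MaxFileSize / 1MB, 1)
            PercentFull     = $pct
            OverwritePolicy = $log.OverwritePolicy
        }
    }
}

$results = foreach ($c in $Computers) {
    try   { Get-EventLogFill -Computer $c -LogNames $LogNames }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}

# OverwritePolicy 'WhenNeeded' overwrites the oldest events, so a log at its
# maximum size is normal there. With 'OutDated' or 'Never', new events can be
# dropped once the log is full, which is the condition to flag.
$results |
    Where-Object { $_.PercentFull -ge $ThresholdPercent -and $_.OverwritePolicy -ne 'WhenNeeded' } |
    Select-Object Computer, Log, SizeMB, MaxMB, PercentFull, OverwritePolicy
```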
