• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 322
  • Last Modified:

Security event log filling up and slowing the network down

I've been noticing something lately. One of our domain controllers (also our network file server) has had its Security event log reaching the max size. When this happens, the network's performance becomes terrible: lots of slowness across the board, especially on our Citrix servers. Once I clear the event log on this server, performance returns to normal. The Security log isn't filling up with any errors. It's just the usual "Success Audit" entries (Privilege Use and Logon/Logoff). It just seems like it fills up very quickly. I last cleared it about an hour and a half ago, and it's already up to 25,144 entries.

Does anyone have any ideas as to why this is happening? Equally important, does anyone know a better solution than clearing the event log every day or two? It's starting to become understandably annoying. :)

There are three domain controllers and four Citrix servers. They are all running Windows Server 2003 SP2 (with the exception of the file server, which is running Windows Server 2003 SP1).
0
elorc
Asked:
elorc
  • 3
2 Solutions
 
mickeyfanCommented:
This is normal actually. You can do one of 3 things. continue what you are doing. or you can change the setting with in Event viewer to state over right events old than x amount of days or over right as needed. You can in crease the size of the log as well if you want to keep a longer event log.

right click security -> properties

You could also set the audit policy within the GPO to not track those events but i would not do that since you do want to track activity.
0
 
ChiefITCommented:
mickyfan is correct.

You can change what is audited and put into security logs. Some admins elect not to display successful audits.

Micky is also right that you can increase the log sizes.

He is also right that this is normal behavior to slow down the LAN.

More about your event logs:
http://msdn.microsoft.com/en-us/library/ms731669(VS.85).aspx

How to supress successful logons in event logs:
http://support.microsoft.com/kb/264769
0
 
elorcAuthor Commented:
I have it set to "Overwrite events as needed" currently. I don't know if it can't keep up or what, but the lag doesn't seem to improve until I actually clear the log. I increased the maximum log size to 150,016 to see if that will help.

0
 
elorcAuthor Commented:
Ok I tried increasing the size of the log, and I also set it to not show successful privilege use. I'll see if that makes a difference and take it from there. Thanks.
0
 
elorcAuthor Commented:
This seems to have made a noticeable improvement. Thank you!
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now