Solved

Security event log filling up and slowing the network down

Posted on 2009-04-10
Last Modified: 2012-05-06
I've been noticing something lately. One of our domain controllers (also our network file server) has had its Security event log reaching the max size. When this happens, the network's performance becomes terrible: lots of slowness across the board, especially on our Citrix servers. Once I clear the event log on this server, performance returns to normal. The Security log isn't filling up with any errors. It's just the usual "Success Audit" entries (Privilege Use and Logon/Logoff). It just seems like it fills up very quickly. I last cleared it about an hour and a half ago, and it's already up to 25,144 entries.

Does anyone have any ideas as to why this is happening? Equally important, does anyone know a better solution than clearing the event log every day or two? It's starting to become understandably annoying. :)

There are three domain controllers and four Citrix servers. They are all running Windows Server 2003 SP2 (with the exception of the file server, which is running Windows Server 2003 SP1).

Question by:elorc
 
LVL 6

Accepted Solution

by:
mickeyfan earned 250 total points
ID: 24115916
This is normal actually. You can do one of 3 things. Continue what you are doing, or you can change the setting within Event Viewer to state overwrite events older than x amount of days or overwrite as needed. You can increase the size of the log as well if you want to keep a longer event log.

Right-click Security -> Properties

You could also set the audit policy within the GPO to not track those events, but I would not do that since you do want to track activity.
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 250 total points
ID: 24115971
mickeyfan is correct.

You can change what is audited and put into security logs. Some admins elect not to display successful audits.

Mickey is also right that you can increase the log sizes.

He is also right that this is normal behavior to slow down the LAN.

More about your event logs:
http://msdn.microsoft.com/en-us/library/ms731669(VS.85).aspx

How to suppress successful logons in event logs:
http://support.microsoft.com/kb/264769
0
 
LVL 1

Author Comment

by:elorc
ID: 24116002
I have it set to "Overwrite events as needed" currently. I don't know if it can't keep up or what, but the lag doesn't seem to improve until I actually clear the log. I increased the maximum log size to 150,016 to see if that will help.

0
 
LVL 1

Author Comment

by:elorc
ID: 24116077
OK, I tried increasing the size of the log, and I also set it to not show successful privilege use. I'll see if that makes a difference and take it from there. Thanks.
0
 
LVL 1

Author Closing Comment

by:elorc
ID: 31568913
This seems to have made a noticeable improvement. Thank you!
0
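
Added example (not part of the original thread or any poster's code): before switching off a success-audit category as discussed above, it helps to measure which categories fill the Security log and how many hours of history a given maximum size keeps under "Overwrite events as needed". The CSV layout, the sample rows, the function names and the 500-byte average record size are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample rows in an assumed export layout:
# date,time,type,category,event_id
SAMPLE_EXPORT = """\
4/10/2009,9:00:00 AM,Success Audit,Logon/Logoff,540
4/10/2009,9:00:00 AM,Success Audit,Privilege Use,576
4/10/2009,9:00:20 AM,Success Audit,Privilege Use,576
4/10/2009,9:00:40 AM,Success Audit,Logon/Logoff,540
4/10/2009,9:00:40 AM,Success Audit,Privilege Use,576
4/10/2009,9:01:30 AM,Success Audit,Logon/Logoff,538
4/10/2009,9:02:00 AM,Success Audit,Logon/Logoff,540
4/10/2009,9:02:00 AM,Success Audit,Privilege Use,576
"""

def load_events(text):
    """Parse the export into (timestamp, type, category, event_id) tuples."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines in the export
        date, time, etype, category, event_id = row
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p")
        rows.append((when, etype, category, int(event_id)))
    return rows

def volume_by_source(rows):
    """Count events per (type, category, event id), busiest first."""
    return Counter((t, c, e) for _, t, c, e in rows).most_common()

def events_per_hour(rows):
    """Average logging rate over the time span covered by the export."""
    span = (max(r[0] for r in rows) - min(r[0] for r in rows)).total_seconds()
    return len(rows) / (span / 3600) if span else float(len(rows))

def hours_until_wrap(max_log_kb, rate_per_hour, avg_record_bytes=500):
    """Hours of history kept before the oldest events are overwritten.
    avg_record_bytes is an assumption: measure it as log size / entry count."""
    return (max_log_kb * 1024) / (rate_per_hour * avg_record_bytes)

if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    for key, count in volume_by_source(events):
        print(count, *key)
    # Rate reported in the question: 25,144 entries in about 1.5 hours;
    # 150,016 is taken to be KB, the unit of the Event Viewer size field.
    print(round(hours_until_wrap(150016, 25144 / 1.5), 1), "hours retained")
```

The retention figure matters for investigations: with "Overwrite events as needed", anything older than that window is gone unless the log is archived or forwarded elsewhere.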
