I am having a weird issue, that I haven't come across before.
The security log isn't logging anything. So I checked the local policy and logging was disabled (auditing).
So I turned it on, checked the security log, it populated, then stopped.
Check the local policy again, it is disabled.
I tried enabling it with group policy, rsop says it is enabled.
When I do gpupdate /force, it enabled it and then disabled it again straight away.
I'm bit lost, not sure where to go from here.
System and Application logs don't mentioned any issues. I did see a schannel issue in the system log, but couldn't reproduce it again.
I also checked the SCEnoapplylegacyauditpolicy, but it wasn't set.