Security Log, Empty

EHWtech used Ask the Experts™

I am having a weird issue, that I haven't come across before.
The security log isn't logging anything.  So I checked the local policy and logging was disabled (auditing).
So I turned it on, checked the security log, it populated, then stopped.
Check the local policy again, it is disabled.
I tried enabling it with group policy, rsop says it is enabled.
When I do gpupdate /force, it enabled it and then disabled it again straight away.

I'm bit lost, not sure where to go from here.
System and Application logs don't mentioned any issues.  I did see a schannel issue in the system log, but couldn't reproduce it again.

I also checked the SCEnoapplylegacyauditpolicy, but it wasn't set.

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most likely you haven't had ant kind if audit correct? Installed new software that does any kind of manipulation to audit events? If not, this may be a serious issue. How long has this been going on? Are you monitoring incoming/outgoing traffic externally aka locked down router logs, IDS, etc? I also see you have network audit software as a keyword for this. That is why I ask if you have installed auditing software.
Is this behavior evident on only one server, a class of servers (All DCs, for example) or all servers?


Machine had Conficker infection on it.  I am not sure if this was the cause, but it was enough of a reason to do a reinstall.
Thanks for the help.
Sweep all the systems on the network to make sure it's really snuffed out, but good job!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial