Server security logs filling up regardless of overwrite settings

When I try to login locally or through mstsc, I get the message that my security log is full.  I have made appropriate log size changes, allowed overwrite, and saved the current logs and then cleared it to start from 0 bytes again.  In less than a day it fills up again.

I had Spiceworks but the box is not implemented right now, and this has been happening since before Spiceworks was implemented (I know there is an issue with Spiceworks hammering the log / HTTP requests).

Is this affecting anyone else or has anyone found a resolution to this?
lpadmin1 asked:
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
I think you're looking at the Local Computer Policy through the Group Policy editor rather than editing a group policy.  
(And, I apologize, but I haven't seen that interface in several years now... The new editor is Group Policy Management... so I can't give exact steps.)
Hopefully there is a way in that editor to create a new policy.  Confirm that policy does have the Event Log entries that you're expecting.

Assuming that checks out okay, open Active Directory Users and Computers, and I'd start at the OU that contains this server in question.  Pull up the properties for the OU, and the last tab should be Group Policy.  I'd look to see if there is an affecting group policy there... and if not there... step up to see if there is a policy on the parent OU(s) all the way up to the domain.  (And I don't often see them, but it's also possible that someone set a site policy, but I can't imagine anyone setting a site policy for event logs...  Okay, I can imagine it, I just wouldn't advocate it.)

(Oh, and if the Group Policy tab defers you to the Group Policy Management tool with a button... that's not necessarily a bad thing!)
0
 
Manpreet SIngh Khatra (Solutions Architect, Project Lead) commented:
"When I try to login locally or through mstsc, I get the message that my security log is full.  I have made appropriate log size changes, allowed overwrite, and saved the current logs and then cleared it to start from 0 bytes again.  In less than a day it fills up again" - Is there any advanced logging enabled? Normally it wouldn't create so many events. What is the size of the Sys logs?

Maybe we can try to find Spiceworks in registry and disable any logging for it :)

- Rancy
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Confirm that there isn't a group policy or some other mechanism that is changing the options you are setting for the logs.
0
 
lpadmin1 (Author) commented:
Well, the Spiceworks box is not even on the network anymore.  Also the issue was happening before we installed Spiceworks.  

Regarding group policy, I tried to see if that was the issue as I feel it might be.  However I do not have the entry for \Computer Configuration\Windows Settings\Security Settings\Event Log\

After Security Settings there is no event log.  There is only the following:

Account Policies
Local Policies
Public Key Policies
Software Restriction Policies
IP Security Policies on Local Computer

This is Windows Server 2003 R2 SP2

How can this not be here?
0
 
Manpreet SIngh Khatra (Solutions Architect, Project Lead) commented:
If you open Eventvwr do you see App logs, Sys logs and others, and what is the current size set and what is the max events for?

- Rancy
0
 
lpadmin1 (Author) commented:
Yes, I see all the logs that should be there.  Currently the offending security log is set to 1024 KB - however I had set this to 10 MB, allowing overwrite first for events older than 7 days.  The issue persisted so I set overwrite as needed.  Now it is back to 1024 KB.  That is why I think there might be a group policy setting that is messing with this.  

However I don't even see the entry for it in GP.  I am going to set this back to 10 MB and save / clear the logs.  I am going to monitor this and will post back on Monday if it has reverted back.  Do you have any other ideas in the meantime?
0
 
Manpreet SIngh Khatra (Solutions Architect, Project Lead) commented:
Check this once

Event Log Policy Settings
http://technet.microsoft.com/en-us/library/cc778402(v=WS.10).aspx

Check this on both the GPO and the Server itself
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\

- Rancy
0
 
lpadmin1 (Author) commented:
The server is the system that is affected, no other objects.  And as I stated earlier, I do not have that GP entry "\Computer Configuration\Windows Settings\Security Settings\Event Log\" and I would like to know if anyone knows why?
0
 
lpadmin1 (Author) commented:
Anyone?
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Confirming - In the Group Policy Manager Editor, if you create a new policy -- you don't have the option for "\Computer Configuration\Windows Settings\Security Settings\Event Log\"?  
Is the whole 'Security Settings' branch missing?

If the settings are missing... I would suspect your ADM files are damaged.  You can redownload them from Microsoft.  (Don't do this if you aren't the domain controller administrator and/or if you've moved into the realm of 2008 servers...)

As you move towards Windows 2008, they move to ADMX files...  and it requires using the upgraded Group Policy Manager Editor.  Confirm that you haven't already made that move, but are not yet using the new tool?
0
 
lpadmin1 (Author) commented:
Correct.  I do not have Event Log; I do, however, have Security Settings (see picture below)
http://i.imgur.com/jhGAT.jpg

In this case what should I do?
0
 
lpadmin1 (Author) commented:
Thank you so much, this was a great explanation!  (see image below)
http://i.imgur.com/QX9lg.jpg

I have increased the size to about 10 MB as I did on the server itself that kept reverting back to 1 MB.  

I will leave this open to see if the size finally stays at 10 MB due to this policy change I just made.

I will update when confirmed.  Thanks again!
0
 
lpadmin1 (Author) commented:
So I checked this morning and I got the same message, security log is full.  I went into GP and my settings were correct for size.  I checked the event log settings on the computer itself and they matched GP still.  I noticed the overwrite went back to 7 days, so I figured there was a GP setting for that.  I found it, changed it to overwrite as needed.  I am now able to log in to the server without the message!

THANK YOU!
0
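As an added example (not code from this thread or from any of its participants), the following PowerShell script shows how to verify what the thread ends up discovering: the size and retention the Security log actually enforces, the effective local security policy that the Group Policy security extension applied, and which GPOs reached the machine. It assumes the classic event log registry layout (Windows 2003 era, still present on later versions), that PowerShell is installed, and that it runs in an elevated session because secedit and gpresult need it.

```powershell
# Added example: compare the Security log's enforced settings with the values you set,
# then show where they came from. Assumes the classic Eventlog service registry keys.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
$props = Get-ItemProperty -Path $key

# MaxSize is stored in bytes; the GUI and policy show it in KB.
$maxKb = [int]($props.MaxSize / 1KB)

# Retention encoding used by the classic event log service (DWORD, so 0xFFFFFFFF reads as -1 here):
#   0   = overwrite events as needed
#   -1  = do not overwrite (log must be cleared manually, which is what blocks logons when full)
#   N   = overwrite events older than N seconds (the policy UI expresses this in days)
$retention     = [int]$props.Retention
$retentionText = switch ($retention) {
    0       { 'Overwrite as needed' }
    -1      { 'Do not overwrite (clear manually)' }
    default { 'Overwrite events older than {0} days' -f ($retention / 86400) }
}
"Security log enforced: MaxSize = $maxKb KB, Retention = $retentionText"

# The values above are rewritten at every policy refresh from the effective security policy.
# secedit exports it; the [Event Audit] section carries the 'Security Settings\Event Log' items.
$inf = Join-Path $env:TEMP 'effective-secpol.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
Get-Content -Path $inf |
    Where-Object { $_ -match '^(MaximumLogSize|AuditLogRetentionPeriod|RetentionDays)\s*=' } |
    ForEach-Object { "Effective policy: $($_.Trim())" }
# AuditLogRetentionPeriod: 0 = as needed, 1 = by days (RetentionDays), 2 = do not overwrite.
# If the exported values differ from what you typed locally, a GPO is overriding you, as in the thread.

# List the GPOs that actually applied to the computer, so you know which one to open.
gpresult /scope computer /v |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10
```

If the enforced values snap back after `gpupdate /force` or the next refresh interval, the offending setting lives in one of the listed GPOs rather than on the server itself.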
Question has a verified solution.