Server security logs filling up regardless of overwrite settings

Posted on 2012-09-19
Last Modified: 2012-10-02
When I try to login locally or through mstsc, I get the message that my security log is full.  I have made appropriate log size changes, allowed overwrite, and saved the current logs and then cleared it to start from 0 bytes again.  In less than a day it fills up again.

I had Spiceworks, but the box is not implemented right now, and this has been happening since before Spiceworks was implemented (I know there is an issue with Spiceworks hammering the log / HTTP requests).

Is this affecting anyone else or has anyone found a resolution to this?
0
Question by:lpadmin1
13 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38416860
"When I try to login locally or through mstsc, I get the message that my security log is full.  I have made appropriate log size changes, allowed overwrite, and saved the current logs and then cleared it to start from 0 bytes again.  In less than a day it fills up again" - Is there any advanced logging enabled, as normally it wouldn't create so many events? What is the size of the Sys logs?

Maybe we can try to find Spiceworks in registry and disable any logging for it :)

- Rancy
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 38417351
Confirm that there isn't a group policy or some other mechanism that is changing the options you are setting for the logs.
0
 

Author Comment

by:lpadmin1
ID: 38418082
Well, the Spiceworks box is not even on the network anymore.  Also, the issue was happening before we installed Spiceworks.

Regarding group policy, I tried to see if that was the issue as I feel it might be.  However I do not have the entry for \Computer Configuration\Windows Settings\Security Settings\Event Log\

After Security Settings there is no event log.  There is only the following:

Account Policies
Local Policies
Public Key Policies
Software Restriction Policies
IP Security Policies on Local Computer

This is Windows Server 2003 R2 SP2

How can this not be here?
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38418276
If you open Eventvwr, do you see App logs, Sys logs and others, and what is the current size set and what is the max events for?

- Rancy
0
 

Author Comment

by:lpadmin1
ID: 38421762
Yes I see all the logs that should be there.  Currently the offending security log is set to 1024kb - however I had set this to 10 mb allowing overwrite first for events older than 7 days.  The issue persisted so I set overwrite as needed.  Now it is back to 1024kb.  That is why I think there might be a group policy setting that is messing with this.  

However, I don't even see the entry for it in GP.  I am going to set this back to 10mb and save / clear the logs.  I am going to monitor this and will post back on Monday if it has reverted back.  Do you have any other ideas in the meantime?
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38421873
Check this once

Event Log Policy Settings
http://technet.microsoft.com/en-us/library/cc778402(v=WS.10).aspx

Check this on both the GPO and the Server itself
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\

- Rancy
0
 

Author Comment

by:lpadmin1
ID: 38437191
The server is the system that is affected, no other objects.  And as I stated earlier, I do not have that GP entry "\Computer Configuration\Windows Settings\Security Settings\Event Log\" and I would like to know if anyone knows why?
0
 

Author Comment

by:lpadmin1
ID: 38450741
Anyone?
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 38450808
Confirming - In the Group Policy Manager Editor, if you create a new policy -- you don't have the option for "\Computer Configuration\Windows Settings\Security Settings\Event Log\"?  
Is the whole 'Security Settings' branch missing?

If the settings are missing... I would suspect your ADM files are damaged.  You can redownload them from Microsoft.  (Don't do this if you aren't the domain controller administrator and/or if you've moved into the realm of 2008 servers...)

As you move towards Windows 2008, they move to ADMX files...  and it requires using the upgraded Group Policy Manager Editor.  Confirm that you haven't already made that move, but are not yet using the new tool?
0
 

Author Comment

by:lpadmin1
ID: 38450838
Correct.  I do not have Event Log, I do however have Security settings (see picture below)
http://i.imgur.com/jhGAT.jpg

In this case what should I do?
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 1400 total points
ID: 38450902
I think you're looking at the Local Computer Policy through the Group Policy editor rather than editing a group policy.  
(And, I apologize, but I haven't seen that interface in several years now... The new editor is Group Policy Management... so I can't give exact steps.)
Hopefully there is a way in that editor to create a new policy.  Confirm that policy does have the Event Log entries that you're expecting.

Assuming that checks out okay, open Active Directory Users and Computers, and I'd start at the OU that contains this server in question.  Pull up the properties for the OU, and the last tab should be Group Policy.  I'd look to see if there is an affecting group policy there... and if not there... step up to see if there is a policy on the parent OU(s) all the way up to the domain.  (And I don't often see them, but it's also possible that someone set a site policy, but I can't imagine anyone setting a site policy for event logs...  Okay, I can imagine it, I just wouldn't advocate it.)

(Oh, and if the Group Policy tab defers you to the Group Policy Management tool with a button... that's not necessarily a bad thing!)
0
 

Author Comment

by:lpadmin1
ID: 38450950
Thank you so much, this was a great explanation!  (see image below)
http://i.imgur.com/QX9lg.jpg

I have increased the size to about 10mb as I did on the server itself that kept reverting back to 1mb.  

I will leave this open to see if the size finally stays at 10mb due to this policy change I just made.

I will update when confirmed.  Thanks again!
0
 

Author Comment

by:lpadmin1
ID: 38454769
So I checked this morning and I got the same message, security log is full.  I went into GP and my settings were correct for size.  I checked the event log settings on the computer itself and they matched GP still.  I noticed the overwrite went back to 7 days so I figured there was a GP setting for that.  I found it, changed it to overwrite as needed.  I am now able to log in to the server without the message!

THANK YOU!
0
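The thread's two symptoms (size reverting to 1 MB, overwrite reverting to 7 days) can be checked directly on the server. The following is an added example, not code from any poster in the thread: it reads the Security log's MaxSize and Retention registry values, decodes the retention mode, and warns when they differ from the intended settings. The function name, parameter names and default expected values are assumptions for illustration.

```powershell
# Added example (not from the thread). Function and parameter names are hypothetical.
# Run in an elevated PowerShell session on the affected server.
function Test-SecurityLogSettings {
    param(
        [int64]$ExpectedMaxKB = 10240,    # assumed target: the ~10 MB the author set
        [int64]$ExpectedRetention = 0     # 0 = overwrite events as needed
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    $cfg = Get-ItemProperty -Path $key

    # MaxSize is a DWORD in bytes; Retention is a DWORD in seconds.
    $maxKB = [int64]$cfg.MaxSize / 1KB
    $ret   = [int64]$cfg.Retention
    if ($ret -lt 0) { $ret += 4294967296 }   # DWORD surfaced as a signed value

    if     ($ret -eq 0)          { $mode = 'Overwrite events as needed' }
    elseif ($ret -eq 4294967295) { $mode = 'Do not overwrite events' }
    else   { $mode = 'Overwrite events older than {0} days' -f ($ret / 86400) }

    "Security log maximum size : {0} KB" -f $maxKB
    "Security log retention    : {0}" -f $mode

    if ($maxKB -ne $ExpectedMaxKB) {
        Write-Warning ("Size is {0} KB, expected {1} KB; a policy may have reapplied it." -f $maxKB, $ExpectedMaxKB)
    }
    if ($ret -ne $ExpectedRetention) {
        Write-Warning "Retention differs from the expected value; with a day-based or never-overwrite setting, a full log stops accepting new events."
    }
}

Test-SecurityLogSettings

# List the GPOs applied to this computer so the one carrying the
# Event Log settings can be located and edited.
gpresult /scope computer /v
```

Running the function again after the next policy refresh shows whether a GPO is still rewriting either value.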

Question has a verified solution.
