Our primary domain controller was having most if not all of its CPU power utilised by the svchost.exe process hosting Eventvwr, DHCP client and lmhosts. The security logs were almost 2GB and were logging at a rate of 15 per second, but I've seen up to 25 per second. In the last 3 1/2 hours it has recorded close to 190,000 security events.
The categories are usually "Detailed File Share", "File Share" or "Filtering Platform Connection" (stating that the Windows Filtering Platform has permitted a connection), and the obvious logon/logoff ones.
The default domain policy has all of the Local Policies/Audit Policy settings as Success, Failure, which I figured will be contributing to the problem (the policy is listed at the bottom), but the other two DCs are governed by this policy and have no problems. Log retention is 30 days. I am thinking that patches may have been pushed out to the server and something has taken issue with it, maybe? Rebooting has done nothing; the only thing that stops it is killing the svchost, which obviously is no good.
The max log size was set to 1310720 KB, but I think that would have been a typo as the other DCs had it set to 131072, so I've changed that and redirected the logs to fill up a separate spare drive while I sort this out.
Any ideas where I should start?
Thank you all in advance,
Audit account logon events Success, Failure
Audit account management Success, Failure
Audit directory service access Success, Failure
Audit logon events Success, Failure
Audit object access Success, Failure
Audit policy change Success, Failure
Audit privilege use Success, Failure
Audit process tracking Success, Failure
Audit system events Success, Failure
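A starting point for the triage the question asks about is to let the Security log itself say which audit subcategory is producing the volume. The script below is an added example and not part of the original post: it counts Security events by Event ID over the last few hours, labels the IDs that correspond to the categories named in the post (the ID-to-subcategory mapping is Microsoft's documented one, added here for readability), breaks the Windows Filtering Platform events down by the process that generated them, and then prints the effective advanced audit policy for Object Access, which is the category the File Share, Detailed File Share and Filtering Platform Connection subcategories belong to. The window of 3 hours and the Top-10 cutoff are assumptions chosen to match the post; run it elevated on the affected DC.

```powershell
# Added triage example (not from the original post): find which audit
# subcategory is flooding the Security log and what policy enables it.
param(
    [int]$Hours = 3,   # assumed window; the post quotes 3 1/2 hours
    [int]$Top   = 10   # assumed number of Event IDs to show
)

$since = (Get-Date).AddHours(-$Hours)

# Documented Security-log Event IDs for the categories mentioned in the post.
$known = @{
    5140 = 'File Share: network share object accessed'
    5145 = 'Detailed File Share: share object checked for desired access'
    5156 = 'Filtering Platform Connection: WFP permitted a connection'
    5158 = 'Filtering Platform Connection: WFP permitted a bind to a local port'
    4624 = 'Logon'
    4634 = 'Logoff'
    4672 = 'Special privileges assigned to new logon'
}

# Pull every Security event in the window (may take a while at 15-25/s).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction Stop

"Security events in the last $Hours h: $($events.Count) " +
"(~$([math]::Round($events.Count / ($Hours * 3600), 1)) per second)"

# Top Event IDs by count, with rate and a human-readable meaning.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First $Top -Property `
        @{ n = 'EventId';   e = { [int]$_.Name } },
        Count,
        @{ n = 'PerSecond'; e = { [math]::Round($_.Count / ($Hours * 3600), 2) } },
        @{ n = 'Meaning';   e = { $id = [int]$_.Name; if ($known.ContainsKey($id)) { $known[$id] } else { '' } } } |
    Format-Table -AutoSize

# For WFP "permitted a connection" events, show which process is responsible.
# The 'Application' field of 5156 holds the image path of the local process.
"Processes generating Event ID 5156:"
$events |
    Where-Object { $_.Id -eq 5156 } |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'Application' }).'#text'
    } |
    Group-Object |
    Sort-Object -Property Count -Descending |
    Select-Object -First 5 -Property Count, Name |
    Format-Table -AutoSize

# Effective advanced audit policy for the category that owns the three noisy
# subcategories. If these show 'Success and Failure' here, the legacy
# 'Audit object access' setting in the domain policy is what enables them.
auditpol /get /category:"Object Access"
```

Reading the output together with the policy listed in the post: the legacy "Audit object access: Success, Failure" setting enables every Object Access subcategory, including Filtering Platform Connection, which on a busy DC logs one event per permitted connection. If the 5156 breakdown points at a single process, that is where to look for what changed; if the counts are spread evenly, the difference between this DC and the other two is more likely in the effective (advanced) audit policy that auditpol prints than in the GPO text itself.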