Server 2012 R2 Security Log Event Viewer not logging

I built a 2012 R2 server which is acting as a DC, DNS, KMS and CA. The Group Policy settings for Default Domain Controllers are as per the attachment, yet the security event log shows only a handful of events despite there being numerous issues with one user account being locked out. I have twice gone through the steps: disabling the event log service, rebooting, renaming the security event log file, re-enabling the service and rebooting, which generates a new security event viewer log file, but no entries appear after the initial logs. See attachment.

The server is hit by 2 GPOs, DDC and DD. Event log settings attached.

The GPOs were migrated to this domain from another.

Any further ideas?
DDCSettings.jpg
DDSettings.jpg
SecurityEventViewer.jpg
SecLogProperties.jpg
BashContractor asked:

Kmitra commented:
Run rsop.msc from your Run window and check to see if your GPOs have been applied to this DC.
BashContractor (Author) commented:
Yup, did that originally and they are being applied.
Christopher Jay Wolff (Wiggle My Legs, Owner) commented:
Hello.

I'm new with this but was reading and would like to learn.  This article below led me to think this.  His location is different than yours I think or I just don't understand.  I looked at your screens and it seems like I want to look in the one labeled "...Security Options"  which I believe remains closed in all screens you provided.  It sounds like everything is doing what it is set to do, but it is set incorrectly maybe for what you want?

This article describes advice on setting up for auditing for security.  As he says, deciding to audit is easy, the harder choice is deciding what to audit.


https://newsignature.com/articles/server-2012-auditing-for-security

 What do you think?

Christopher Jay Wolff (Wiggle My Legs, Owner) commented:
From a video I just saw, the "Advanced Audit Policy Configuration" is way down below "Local Policies".

What I did is sign up for an instant webinar and downloaded it a couple minutes ago and in the first 4 minutes I think it is saying you might be looking at the wrong audit settings.

https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=241

The link has a form, I filled it out, they emailed me the .wmv of the webinar and it's pretty good.

Do you think this is the right track?

Hope so.  :-)
BashContractor (Author) commented:
Have been looking at this further via a different avenue as we were having NTLM issues. On another 2012 R2 server I saw the same behavior: it was one I built around the same time and imported the same GPO settings to, yet when I ran an auditpol /get it showed all settings as not defined, whereas in Local Policies they are. Setting these to Success and Failure in Advanced Audit generates entries in the security log.

I'll take a look at the video but if this is the case as above does this mean we have to deal with event log configuration via GPO in Server 2012 R2 in a different way than we are used to? I didn't get that memo!
Christopher Jay Wolff (Wiggle My Legs, Owner) commented:
No experience here.

That is definitely what the video says.  To paraphrase, Server 2008 and later you'll want to configure GPO to force advanced audit, then your options under advanced offer much greater specifics for what you want to audit.  It appears in the video that using the GP Management Editor, selecting Local Policies, Security Options, lets you see Policies in the right panel where you should find...

Audit:  Force audit policy subcategory settings

Once you have that enabled, then go to Advanced Audit and make your choices.  He calls the regular audit options "legacy" for prior to Server 2008.  I only watched the first four minutes of the video to get this, and you can jump to minute two or so.  I'll see if I can get this guy to send you the memo.  :-)
BashContractor (Author) commented:
So I found the below explicitly stated in addition to the info provided earlier -

'as soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.' From: https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/

If you use advanced audit, don't bother configuring the local policy\audit policy setting as it will be ignored once you set the policy for enabling advanced audit which is:

“Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”

Thanks for setting me in the right direction. All logging as expected now.

And don't forget to enable winlogon.log to be generated on newly built DCs via the registry key (another thing I'd missed):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Click the key ExtensionDebugLevel and enter 2

http://windows.ittips.eu/2014/03/no-winlogonlog-file.html
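
The check this thread converges on, as an added example that is not part of the original posts: it reads the registry value behind "Audit: Force audit policy subcategory settings" and parses the CSV report from auditpol to list the effective setting of selected subcategories. The `$watch` list (subcategories relevant to a lockout investigation), the function names and the sample lines are assumptions constructed for illustration.

```powershell
# Added example. Assumes an elevated prompt on the DC and English auditpol output.

function Get-ForceSubcategoryPolicy {
    # SCENoApplyLegacyAuditPolicy is the value set by
    # "Audit: Force audit policy subcategory settings"; 1 means legacy policy is ignored.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -eq $lsa -or $null -eq $lsa.SCENoApplyLegacyAuditPolicy) { return 'NotConfigured' }
    if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-EffectiveAuditPolicy {
    # With no argument, queries the live effective policy in CSV form (/r).
    param([string[]]$CsvLines)
    if (-not $CsvLines) { $CsvLines = & auditpol.exe /get /category:* /r }
    $CsvLines | Where-Object { $_ -match ',' } | ConvertFrom-Csv |
        Select-Object Subcategory, @{ n = 'Setting'; e = { $_.'Inclusion Setting' } }
}

function Get-UnauditedSubcategory {
    # Returns the watched subcategories whose effective setting is "No Auditing".
    param([string[]]$Watch, [string[]]$CsvLines)
    Get-EffectiveAuditPolicy -CsvLines $CsvLines |
        Where-Object { $_.Subcategory -in $Watch -and $_.Setting -eq 'No Auditing' }
}

# Constructed sample in the auditpol /r layout (GUIDs replaced by placeholders).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC01,System,Logon,{constructed},Success and Failure,'
    'DC01,System,Account Lockout,{constructed},No Auditing,'
    'DC01,System,User Account Management,{constructed},No Auditing,'
    'DC01,System,Credential Validation,{constructed},Failure,'
)

# Assumed watch list for tracing account lockouts; adjust to your audit plan.
$watch = 'Logon', 'Account Lockout', 'User Account Management',
         'Credential Validation', 'Kerberos Authentication Service'

"Force subcategory settings: $(Get-ForceSubcategoryPolicy)"
# Drop -CsvLines to check the live policy instead of the constructed sample.
Get-UnauditedSubcategory -Watch $watch -CsvLines $sample | Format-Table -AutoSize
```

Against the constructed sample this lists Account Lockout and User Account Management as unaudited, the same kind of gap the author found when auditpol /get showed nothing defined while Local Policies did.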

BashContractor (Author) commented:
Expert comment set me in the right direction but I had to find out further information and conduct further verification myself to confirm behaviour was as described.