Event viewer not showing Security (logging) events.

Hello,

We have login audits enabled through Group Policy, however, when we go to Event Viewer>Windows Logs>Security  we do not see any logon/logoff events. Is there anything we are missing? We used to see them, we do not know what was changed. We have Windows Server 2012
Thank you in advance.
HD LFAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Wayne88Commented:
Were you searching for Windows Security Log Event ID 4624?

"This is a highly valuable event since it documents each and every successful attempt to logon to the local computer regardless of logon type, location of the user or type of account. You can tie this event to logoff events 4634 and 4647 using Logon ID."
0
HD LFAuthor Commented:
Yes, that event ID. I followed these instructions to enabled it but everything seemed fine already:

https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
0
Wayne88Commented:
Having quickly scanned the link you gave me I don't see any part where it tells you to enforce the GPO.  Can you right click on the policy you created and ensure that "link enabled" and  "enforced" is checked?  

Open up a command prompt then run GPUPDATE /FORCE command to apply it immediately and retest.

i4jpg.png
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

HD LFAuthor Commented:
I enforced it and ran gpupdate /force. I logged out and in and I do not see any new events.
0
Wayne88Commented:
Did you create this GPO for the whole domain or a test group?  The reason I asked is because if just a test group then it may not be applying correctly.

In any case, run GPRESULT to see the Resultant Set of Policy to see if the GPO you created is active.

https://www.404techsupport.com/2010/05/11/rsop-and-gpresult-must-know-tools-when-using-group-policy/

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
0
HD LFAuthor Commented:
It is configured for the whole domain as far as I know (Display links in this location has the domain name selected.) However, I ran RSOP and GPRESULT and GpResult does not show it under Applied GPOs.
0
Wayne88Commented:
"GpResult does not show it under Applied GPOs"

That's odd and I don't think the GPO is getting applied.  So I did some digging and I came across this link that is specific to Server 2012.  There are a few things to try so it's easier for me just paste the link then copy/paste the content.   Let me know how it goes.

https://serverfault.com/questions/617713/advanced-audit-policy-not-getting-applied-on-2012-r2
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Wayne88Commented:
Also how many DC do you have?  if more than one then you need to check all DCs for that event log not just one.
0
Naveen SharmaCommented:
Make sure if you have successfully configured Advanced Audit Policy in AD environment.

Run below command with admin right to get all audit settings on your computer:

auditpol /get /category:*

The below articles might be helpful:

Audit policy not registering audits: https://blogs.msdn.microsoft.com/spatdsg/2011/06/06/audit-policy-not-registering-audits/

Getting the Effective Audit Policy in Windows: https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/

Additionally, you can check AD auditing solution to audit active directory user logon/logoff events.
1
HD LFAuthor Commented:
This command helped me (auditpol /get /category:* ) because everything seemed configured and the results reported "not auditing." Somehow it was selecting whatever was under Advanced Audit Policy and there was nothing configured so I just enabled the logon/log off and ran gpupdate /force and that solved it. Thank you all for your help!
0
Wayne88Commented:
Glad you got it solved and thanks for getting back.  Cheers!
0
Naveen SharmaCommented:
Glad it help and you fix this. Please mark the answer and close the thread so other can get help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.