Event viewer not showing Security (logging) events.

Hello,

We have login audits enabled through Group Policy, however, when we go to Event Viewer>Windows Logs>Security  we do not see any logon/logoff events. Is there anything we are missing? We used to see them, we do not know what was changed. We have Windows Server 2012
Thank you in advance.
HD LFAsked:
Who is Participating?
 
Wayne88Connect With a Mentor Commented:
"GpResult does not show it under Applied GPOs"

That's odd and I don't think the GPO is getting applied.  So I did some digging and I came across this link that is specific to Server 2012.  There are a few things to try so it's easier for me just paste the link then copy/paste the content.   Let me know how it goes.

https://serverfault.com/questions/617713/advanced-audit-policy-not-getting-applied-on-2012-r2
1
 
Wayne88Commented:
Were you searching for Windows Security Log Event ID 4624?

"This is a highly valuable event since it documents each and every successful attempt to logon to the local computer regardless of logon type, location of the user or type of account. You can tie this event to logoff events 4634 and 4647 using Logon ID."
0
 
HD LFAuthor Commented:
Yes, that event ID. I followed these instructions to enabled it but everything seemed fine already:

https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

 
Wayne88Commented:
Having quickly scanned the link you gave me I don't see any part where it tells you to enforce the GPO.  Can you right click on the policy you created and ensure that "link enabled" and  "enforced" is checked?  

Open up a command prompt then run GPUPDATE /FORCE command to apply it immediately and retest.

i4jpg.png
0
 
HD LFAuthor Commented:
I enforced it and ran gpupdate /force. I logged out and in and I do not see any new events.
0
 
Wayne88Commented:
Did you create this GPO for the whole domain or a test group?  The reason I asked is because if just a test group then it may not be applying correctly.

In any case, run GPRESULT to see the Resultant Set of Policy to see if the GPO you created is active.

https://www.404techsupport.com/2010/05/11/rsop-and-gpresult-must-know-tools-when-using-group-policy/

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
0
 
HD LFAuthor Commented:
It is configured for the whole domain as far as I know (Display links in this location has the domain name selected.) However, I ran RSOP and GPRESULT and GpResult does not show it under Applied GPOs.
0
 
Wayne88Commented:
Also how many DC do you have?  if more than one then you need to check all DCs for that event log not just one.
0
 
Naveen SharmaCommented:
Make sure if you have successfully configured Advanced Audit Policy in AD environment.

Run below command with admin right to get all audit settings on your computer:

auditpol /get /category:*

The below articles might be helpful:

Audit policy not registering audits: https://blogs.msdn.microsoft.com/spatdsg/2011/06/06/audit-policy-not-registering-audits/

Getting the Effective Audit Policy in Windows: https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/

Additionally, you can check AD auditing solution to audit active directory user logon/logoff events.
1
 
HD LFAuthor Commented:
This command helped me (auditpol /get /category:* ) because everything seemed configured and the results reported "not auditing." Somehow it was selecting whatever was under Advanced Audit Policy and there was nothing configured so I just enabled the logon/log off and ran gpupdate /force and that solved it. Thank you all for your help!
0
 
Wayne88Commented:
Glad you got it solved and thanks for getting back.  Cheers!
0
 
Naveen SharmaCommented:
Glad it help and you fix this. Please mark the answer and close the thread so other can get help.
0
All Courses

From novice to tech pro — start learning today.