Author
6 Jul 2009 4:27 PM
dontinou
Hi,

I keep running into this and now it's really causing me headaches.
When I log into my server, I get the message that "..the Security Log
is full".  So I look at my settings, and I have a GPO that enforces
1GB for the Maximum security log size (and overwrite older than 30
days), which is correctly set.  Then I look at the actual size of the
file on the filesystem, and it's only 350MB!!  Why am I getting this
message when the log is nowhere near its limit?  Do I need to compact/
defrag the file or something?  I've had this happen on multiple
servers now.

Obviously if I change the overwrite setting to "overwrite events as
needed", I no longer get the message.. but company policy does not
allow me to do this, nor do I want to.

Any insight as to why the server is reporting the wrong log size to
itself?

Author
6 Jul 2009 5:05 PM
Ace Fekay [Microsoft Certified Trainer]
"dontinou" <johnd***@gmail.com> wrote in message news:ff6299c9-ee68-46b3-a968-d9ed79b25a32@y7g2000yqa.googlegroups.com...
> Hi,
>
> I keep running into this and now it's really causing me headaches.
> When I log into my server, I get the message that "..the Security Log
> is full".  So I look at my settings, and I have a GPO that enforces
> 1GB for the Maximum security log size (and overwrite older than 30
> days), which is correctly set.  Then I look at the actual size of the
> file on the filesystem, and it's only 350MB!!  Why am I getting this
> message when the log is nowhere near its limit?  Do I need to compact/
> defrag the file or something?  I've had this happen on multiple
> servers now.
>
> Obviously if I change the overwrite setting to "overwrite events as
> needed", I no longer get the message.. but company policy does not
> allow me to do this, nor do I want to.
>
> Any insight as to why the server is reporting the wrong log size to
> itself?


How did you define the 1 GB limit in GPO? It must be in multiples of 64KB:

"A user-defined number of kilobytes from 64 through 4,194,240; however, it must be a multiple of 64."
From:
Event Log Policy Settings: Security Policy
Although you can specify values as large as 4 GB in Group Policy Object Editor and ... that you should be able to configure up to 1 GB for all the event logs, ..... It is advisable to set Event log retention method for all three event ...
http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx

Also, have you confirmed with an RSOP and gpresult that the machine is getting the policy?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Author
6 Jul 2009 5:28 PM
dontinou
Hi,

I just put 1000000 in the GPO field for security log size.  Yes I've
done an RSOP, and it shows correctly.
Author
6 Jul 2009 5:39 PM
Ace Fekay [Microsoft Certified Trainer]
"dontinou" <johnd***@gmail.com> wrote in message news:6b3f381a-115c-4c34-a584-d6deea074915@t21g2000yqi.googlegroups.com...
> Hi,
>
> I just put 1000000 in the GPO field for security log size.  Yes I've
> done an RSOP, and it shows correctly.

1000000 is not a multiple of 64KB. As I've stated, and as the link I provided states, it must be set as a multiple of 64KB, or it will ignore it and go with whatever the default is or the prior setting was on the machine.

Try entering it as 1,024,000,000, then run a gpupdate:

gpupdate /force

Ace
Author
6 Jul 2009 6:04 PM
dontinou
OK, did that, Security Log Max Size now shows: 1024000KB, still the
same error message on login :(

"The security log on this system is full."

Both the filesystem and eventvwr.msc show the actual size of the .evt
file to be ~320MB

thanks for your help so far..
Author
6 Jul 2009 7:48 PM
Ace Fekay [Microsoft Certified Trainer]
"dontinou" <johnd***@gmail.com> wrote in message news:b6af1ea3-b343-411b-ae1d-0e9b82d22b3d@n11g2000yqb.googlegroups.com...
> OK, did that, Security Log Max Size now shows: 1024000KB, still the
> same error message on login :(
>
> "The security log on this system is full."
>
> Both the filesystem and eventvwr.msc show the actual size of the .evt
> file to be ~320MB
>
> thanks for your help so far..


Is this a DC?
What is the GPO applied to? All DCs and all servers or one or the other?
Do the others exhibit the same issue?

Ace
Author
6 Jul 2009 8:59 PM
dontinou
One of the problematic servers is a DC, the other is just a member
server.  There are two GPOs in action, one for DCs and one for member
servers.  The other servers that are not having an issue I can't say
are affected or not, the security logs aren't as full to hit the
"limit" yet..
Author
6 Jul 2009 9:41 PM
Ace Fekay [Microsoft Certified Trainer]
"dontinou" <johnd***@gmail.com> wrote in message news:e938f90a-ec58-4e26-943d-c4b48c5bd01a@c36g2000yqn.googlegroups.com...
> One of the problematic servers is a DC, the other is just a member
> server.  There are two GPOs in action, one for DCs and one for member
> servers.  The other servers that are not having an issue I can't say
> are affected or not, the security logs aren't as full to hit the
> "limit" yet..

Is the other GPO set to 1000000KB or 1024000KB? I have a feeling it won't work on the other one if not set to multiples of 64KB. I usually use 1024 as the multiplying factor to figure out the KB entry.

Anyway, after I re-read that article I previously posted, it appears that 300mb is the practical limit for an event log max due to the way Windows 'maps' the memory that all of the event logs share. Kind of surprised me, hence why you are experiencing this issue. Please re-read that article closely, specifically the second paragraph under the section titled, "Maximum event log size (settings for application, security and system logs)."

You may want to read Tony Murray's blog on this, indicating the same thing, which also references the link I previously provided.

Event logs and the "Maximum security log size" Group Policy setting
http://blogs.dirteam.com/blogs/tonymurray/archive/2006/09/01/Security-logs-and-the-_2200_Maximum-event-log-size_2200_-Group-Policy-setting.aspx

Ace
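
An added example (not part of any post in this thread): a PowerShell check of the two constraints raised above, the multiple-of-64KB rule and the roughly 300 MB practical ceiling, against each log's configured size, retention and on-disk file size. It assumes the classic per-log registry values `MaxSize`, `Retention` and `File` under `HKLM\SYSTEM\CurrentControlSet\Services\EventLog`; the function names and the threshold constant are illustrative.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
$PracticalLimitKB = 300 * 1024   # ~300 MB practical ceiling quoted in the thread
$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'   # classic per-log settings

function ConvertTo-UnsignedDword([long]$Value) {
    # A REG_DWORD can surface as a signed Int32; normalise to 0..4294967295.
    if ($Value -lt 0) { $Value + 4294967296 } else { $Value }
}

function Test-EventLogSizing {
    param([string[]]$LogName = @('Application', 'Security', 'System'))
    foreach ($name in $LogName) {
        $cfg = Get-ItemProperty -Path "$Root\$name" -ErrorAction SilentlyContinue
        if (-not $cfg) { Write-Warning "No settings found for log '$name'"; continue }

        $maxBytes  = ConvertTo-UnsignedDword $cfg.MaxSize     # stored in bytes
        $retention = ConvertTo-UnsignedDword $cfg.Retention   # stored in seconds
        $maxKB     = [math]::Floor($maxBytes / 1KB)
        $policy = switch ($retention) {
            0          { 'Overwrite as needed' }
            4294967295 { 'Do not overwrite' }
            default    { 'Overwrite older than {0} days' -f [math]::Round($retention / 86400) }
        }

        # On-disk size of the log file, if it is readable.
        $path   = [Environment]::ExpandEnvironmentVariables([string]$cfg.File)
        $file   = if ($path) { Get-Item -LiteralPath $path -ErrorAction SilentlyContinue }
        $fileKB = if ($file) { [math]::Round($file.Length / 1KB) } else { $null }

        [pscustomobject]@{
            Log                 = $name
            ConfiguredMaxKB     = $maxKB
            MultipleOf64KB      = (($maxBytes % 64KB) -eq 0)
            AbovePracticalLimit = ($maxKB -gt $PracticalLimitKB)
            RetentionPolicy     = $policy
            FileSizeKB          = $fileKB
            # Without overwrite-as-needed, "log is full" can appear once the file
            # nears the practical ceiling, well before the configured maximum.
            FullBeforeMaxRisk   = (($retention -ne 0) -and ($maxKB -gt $PracticalLimitKB))
        }
    }
}

Test-EventLogSizing | Format-Table -AutoSize
```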
Author
7 Jul 2009 12:43 PM
dontinou
Very interesting guys, at least now I know I'm not going crazy.

Thanks for all your efforts, it really is appreciated!!
Author
7 Jul 2009 3:08 PM
Ace Fekay [Microsoft Certified Trainer]
"dontinou" <johnd***@gmail.com> wrote in message news:50089488-2c07-4018-99eb-0206a482b4f7@n11g2000yqb.googlegroups.com...
> Very interesting guys, at least now I know I'm not going crazy.
>
> Thanks for all your efforts, it really is appreciated!!


My pleasure!

Ace
Author
7 Jul 2009 7:07 AM
Meinolf Weber [MVP-DS]
Hello dontinou,

If I remember correctly, there was a problem the higher you set the size of the
event log. So I suggest you set a smaller log, and save and delete (take care
of company policies) your log files for archive.

For example, when you configure the GPO setting, "shutdown server when security
log is full" this happens also when the size is not reached. I realized this
myself some years ago.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> I keep running into this and now it's really causing me headaches.
> When I log into my server, I get the message that "..the Security Log
> is full".  So I look at my settings, and I have a GPO that enforces
> 1GB for the Maximum security log size (and overwrite older than 30
> days), which is correctly set.  Then I look at the actual size of the
> file on the filesystem, and it's only 350MB!!  Why am I getting this
> message when the log is nowhere near its limit?  Do I need to
> compact/
> defrag the file or something?  I've had this happen on multiple
> servers now.
> Obviously if I change the overwrite setting to "overwrite events as
> needed", I no longer get the message.. but company policy does not
> allow me to do this, nor do I want to.
>
> Any insight as to why the server is reporting the wrong log size to
> itself?
>