Re: GPO causing client security logs to fill?


"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:152CF5A9-7EAE-479D-A9B7-9DBF1409859A@xxxxxxxxxxxxxxxx
rsop.msc shows eventlog settings as not defined. So is the 512kb a windows
default?

I guess so. I always tweak mine so I can't look anything up from here.


"Lanwench [MVP - Exchange]" wrote:


"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:77D4DADD-7CA0-482B-A538-8F5FFFC805C1@xxxxxxxxxxxxxxxx
On our SBS2003 network the security logs on several of our clients are
filling quickly. This is causing a problem where users can't logon
because
they receive an error indicating that "the security log is full and
only
the
admin can logon to fix the problem".
This began after a change was made to
the group policies.

Do you know what exactly those changes were?

It appears that the two most problematic computers are those that are
logged
into from other computers. Specifically, one of them has a printer
attached
and the other is a server for our accounting program.

The event ID's are as follows 515, 528, 538, 540, 552, 576, 680, 858

When I view the event logs through server management the properties for
the
security event log indicate that it is to overwrite messages older than
7
days. In one case the log is full with only two days worth of events.
Of
course this is the PC that is the accounting server.

I assume that this is as a result of a GPO change. I also assume that
with
the change either the log clearing properites were unknowingly changed
or
a
change was made with regard to what is recorded in the log.
Unfortunately,
I
don't really know what items to look at or which ones are safe to
change.

All event logs should be set to a decent size (about 20MB at minimum,
more
on the server esp for app/system), and set for "overwrite as needed".

This can be controlled via GPO -

computer config\windows settings\security settings\event log

....but I'd run an rsop.msc on one of the problem computers to see what's
been set, and from where.






.

Relevant Pages

  • Re: GPO causing client security logs to fill?
    ... they receive an error indicating that "the security log is full and only ... It appears that the two most problematic computers are those that are ... and the other is a server for our accounting program. ... All event logs should be set to a decent size (about 20MB at minimum, ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2003 Logon problem
    ... workstation also the administrator can not logon from a workstation ... a re-boot of the server cures the problem. ... There have to be some errors in some event logs somewhere. ...
    (microsoft.public.windows.server.sbs)
  • Re: question about windows 2000 Active directory
    ... - can clients ping DC by name ... > and the roaming profile are store on the crashed server. ... >> Are there any errors in clients logs (Application and System Event logs)? ...
    (microsoft.public.windows.server.networking)
  • Re: Unable to Logon to Domain
    ... Take a look at the event logs and in the System evnt log you should see some ... > I have a new Windows 2003 Server Eval server ... > workstations are unable to logon. ...
    (microsoft.public.windows.server.networking)
  • Re: XP user cannot logon to SBS2003 (applying personel settings)
    ... check the event logs of both the server and workstation to see ... User cannot logon to any other PC either, ...
    (microsoft.public.windows.server.sbs)