Re: GPO causing client security logs to fill?



LDD15 wrote:
Do you have any idea why this would have changed? We have had this
system set up for several years and never had this issue. As I
mentioned, I had to make a policy change the other day and I'm sure
it results from that.

What bothers me is that if this policy, Computer Config/Windows
Settings/Security Settings/Event Log/Maximum Security Log Size, was
not set before, then why is it a problem now? Is it that there are
more events, and if so why, or more specifically, is there a security
issue?

"Lanwench [MVP - Exchange]" wrote:

There are many different reasons that this may be an issue now and wasn't
before. First, what change did you make and to what policy object?



"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:152CF5A9-7EAE-479D-A9B7-9DBF1409859A@xxxxxxxxxxxxxxxx
rsop.msc shows eventlog settings as not defined. So is the 512kb a
Windows default?

I guess so. I always tweak mine so I can't look anything up from
here.


"Lanwench [MVP - Exchange]" wrote:


"LDD15" <LDD15@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:77D4DADD-7CA0-482B-A538-8F5FFFC805C1@xxxxxxxxxxxxxxxx
On our SBS2003 network the security logs on several of our clients
are filling quickly. This is causing a problem where users can't
logon because they receive an error indicating that "the security log
is full and only the admin can logon to fix the problem". This began
after a change was made to the group policies.

Do you know what exactly those changes were?

It appears that the two most problematic computers are those that are
logged into from other computers. Specifically, one of them has a
printer attached and the other is a server for our accounting program.

The event IDs are as follows: 515, 528, 538, 540, 552, 576, 680, 858

When I view the event logs through server management the properties
for the security event log indicate that it is to overwrite messages
older than 7 days. In one case the log is full with only two days
worth of events. Of course this is the PC that is the accounting
server.

I assume that this is as a result of a GPO change. I also assume that
with the change either the log clearing properties were unknowingly
changed or a change was made with regard to what is recorded in the
log. Unfortunately, I don't really know what items to look at or
which ones are safe to change.

All event logs should be set to a decent size (about 20MB at minimum,
more on the server esp for app/system), and set for "overwrite as
needed".

This can be controlled via GPO -

computer config\windows settings\security settings\event log

....but I'd run an rsop.msc on one of the problem computers to see
what's been set, and from where.

--
/kj
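
Added example, not part of the original thread: one way to check the settings discussed above on a problem computer, comparing each log against the 20MB / "overwrite as needed" recommendation and counting which event IDs are filling the Security log. It assumes Windows PowerShell (where Get-EventLog and Limit-EventLog are available) run from an elevated session; the 5000-event sample size is an arbitrary choice.

```powershell
# Added example: audit event-log limits and see what is filling the Security log.
# Assumes Windows PowerShell (Get-EventLog) in an elevated session on the affected PC.

$minKB = 20 * 1024    # "about 20MB at minimum" from the reply above
$names = 'Application', 'System', 'Security'

# 1. Effective size and retention for each classic log, whatever set them.
Get-EventLog -List |
    Where-Object { $names -contains $_.Log } |
    ForEach-Object {
        [pscustomobject]@{
            Log            = $_.Log
            MaxKB          = $_.MaximumKilobytes
            OverflowAction = $_.OverflowAction
            RetentionDays  = $_.MinimumRetentionDays
            Entries        = $_.Entries.Count
            TooSmall       = $_.MaximumKilobytes -lt $minKB
            CanFillUp      = $_.OverflowAction -ne 'OverwriteAsNeeded'
        }
    } | Format-Table -AutoSize

# 2. Which event IDs dominate the Security log, and how much time they span.
#    Get-EventLog returns newest first, so [0] is the latest and [-1] the oldest.
$sample = @(Get-EventLog -LogName Security -Newest 5000)
if ($sample.Count -gt 0) {
    $span = $sample[0].TimeGenerated - $sample[-1].TimeGenerated
    "{0} events cover {1:N1} hours" -f $sample.Count, $span.TotalHours
    $sample | Group-Object EventID | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
}

# 3. Local equivalent of the recommended setting, left commented out.
#    A GPO that defines these values replaces it at the next policy refresh.
# Limit-EventLog -LogName Security -MaximumSize 20MB -OverflowAction OverwriteAsNeeded
```

A log flagged both TooSmall and CanFillUp is the combination that lets it fill completely; the per-ID counts show whether a policy change increased what is being audited.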

