Re: Security Log stops Logging

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/20/04


Date: Tue, 20 Jul 2004 18:39:23 GMT

Hi Doreen.

I would suggest that you increase the size of your logs quite a bit - probably to at
least 2MB. Also enable auditing of system events on your computer if you have not
already via Local Security Policy unless those settings are maintained at the domain
or OU level.

You may have corruption of your event logs and link below may be worth trying
assuming you mean that your event logs are empty and not recording anything instead
of a pertinent event was not recorded after the reboot.

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

There is a security option to check. In Local Security Policy [secpol.msc] go to
security settings/local policies/security options - shutdown system immediately if
unable to log security audits. Set it to disabled and verify that it is the
"effective" setting after running secedit /refreshpolicy machine_policy /enforce.
This is referred to as the "crash on audit fail" registry setting. --- Steve

"Doreen" <doreo715@hotmail.com> wrote in message
news:ubCNUHmbEHA.1248@TK2MSFTNGP11.phx.gbl...
> I've been searching google.groups but I can't really find anything pertinent
> to my problem. My IIS Windows 2000 Server (which has Exchange 2000 SP3)
> keeps spontaneously rebooting. While that is my MAIN problem, this posting
> is about the fact that when I go to check the logs for errors there are
> none, but when I go to check the Security log, it has stopped logging some
> time before.
>
> The server rebooted at 1:30 am this morning...the Security Log file stops at
> 4:30 pm yesterday. I had cleared the log yesterday morning, so it was only
> yesterday's Security logs. Its size was 62KB when I checked it this morning
> and it was set to overwrite after 7 days. About three weeks ago I upgraded
> this server to SP4 from SP2.
>
> I'm not sure if the Security Log issue is related to my server rebooting
> issue. When I clear the log, it logs normally again. I will delete the
> existing log, but as that requires a reboot I don't want to rush into it if
> this isn't something I need to do immediately.
>
> Any ideas (on either problem!!) would be greatly appreciated.
>
> Thanks!
>
> Doreen
>
>



Relevant Pages

  • [NEWS] Nokia IPSO Script Injection Vulnerability
    ... Get your security news from a reliable source. ... Nokia Network Voyager is "an SSL-secured, ... After the malicious code is successfully injected into the logs, ...
    (Securiteam)
  • Re: Changes to folder permissions not taking effect on Server 2008
    ... When a user logs on, Windows creates a SID (security identifier) that contains a list of the security groups the user belongs to at that particular moment. ... are only 2 special access folders, on which I turned off 'Include Inherited ... I tried gpupdate on client and server to no avail. ...
    (microsoft.public.security)
  • R: Fwd: Centralizing Event Viewer Logs
    ... workstation event logs all at once you can be alerted. ... If we want to start comparing enterprise products, ... Infrastructure Engineer - Security ... CONFIDENTIALITY NOTICE: This email may contain confidential and ...
    (Focus-Microsoft)
  • Re: Any personal Intrusion Detection Systems
    ... > logs" and could profit from some elaboration. ... > 'security' product from _any_ vendor that addresses all of them. ... you're right on again about clueless "support desk" techs. ... "utility" apps with open ports, etc, that I was aware of. ...
    (comp.security.firewalls)
  • Hacked?
    ... Event Source: Security ... Domain Policy Changed: Password Policy modified ... according to the logs no one with authority to make such a change was logged ... with privelage to change local security policies was logged in at the time. ...
    (microsoft.public.inetserver.iis.security)