Server 2008 R2 security log no longer logs events

  • Server 2008 R2 security log no longer logs events

    First time poster, long time lurker. I'm a contracted IT administrator for multiple small-to-medium-sized businesses.

    One of the customers I support wanted me to enable file/folder auditing on a few folder locations for certain users to determine who is accessing what and if they're moving, trying to delete etc. I know it can be resource intensive and fill up space quick so I did some test audit settings to make sure the security log was recording the correct detailed info needed. I had it working at one point once I figured the correct settings then figured I'd start over with a clean security audit configuration and in doing so the security log no longer records any events. It's been about 2 months since I first configured it and had time to troubleshoot so my memory of steps taken is a little faded.

    I just wanted to audit on one file server which is also a Server 2008 R2 DC. It holds the RID, PDC and infrastructure roles.

    I went through all domain/domain controller GPOs and RSoP to backtrack and make sure the audit settings that I changed are no longer defined/enforced. I checked local security policy to verify no audit settings are defined. Server has been rebooted after verifying audit settings not defined. One of the steps I know I took in starting with a clean audit setting slate was deleting the audit.csv files.

    I also verified the local and network service have appropriate user rights to "generate security audits" however they are not included in the "manage auditing and security log" user right.

    Not sure what else to try from here as first time seeing this issue. I tried even setting account logon events - success/failure and still doesn't log events.

    Currently the Domain Controller Policy is set for Account Logon events - success/failures and Object Access - success/failures. Server1 which is also a DC only logs event ID 4616 - Security state change once/twice a day where Server2 (one having issues) doesn't log anything.

    Any help or direction is much appreciated. Thank you in advance.

  • #2
    Re: Server 2008 R2 security log no longer logs events

    Have you seen this blog post about what appears to be a very similar problem?


    • #3
      Re: Server 2008 R2 security log no longer logs events

      Thank you for the link. I've seen similar posts and I've performed the procedures deleting the audit.csv files that I could find on both DCs. However, on DC2 there was no "microsoft\windows nt\audit" folder within the C:\Windows\System32\GroupPolicy\Machine folder. Also, when I ran the "auditpol /get /category*" command I get "error 0x00000057 occurred, the parameter is incorrect."
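
A read-only check for the symptoms described in this thread, added here as an example and not posted by any of the participants: it reports the Event Log service state, the age of the newest Security event, whether the local GPO audit.csv mentioned above exists, and the effective audit policy from `auditpol /get /category:* /r`, including the exit code if auditpol fails. The 4-hour quiet threshold and the variable names are assumptions.

```powershell
# Added example: read-only checks, run from an elevated prompt on the affected DC.
# Sticks to cmdlets available in PowerShell 2.0 (the version shipped with 2008 R2).
$MaxQuietHours = 4   # assumed threshold, tune for your environment

# 1. Event Log service state and age of the newest Security event.
$svc  = Get-Service -Name EventLog
$last = Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction SilentlyContinue
if ($last) {
    $quietHours = [math]::Round(((Get-Date) - $last.TimeCreated).TotalHours, 1)
    $lastText   = '{0} (event ID {1}, {2} h ago)' -f $last.TimeCreated, $last.Id, $quietHours
} else {
    $quietHours = $null
    $lastText   = 'no events could be read'
}

# 2. Local GPO audit.csv location mentioned in the thread.
$csvPath = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
$csvText = if (Test-Path -LiteralPath $csvPath) { 'present' } else { 'missing' }

# 3. Effective audit policy. /r asks auditpol for CSV output; the exit code is
#    kept so that a failure is reported instead of hidden.
$raw = & auditpol.exe /get /category:* /r 2>&1 | ForEach-Object { "$_" }
$rc  = $LASTEXITCODE
if ($rc -eq 0) {
    $rows    = $raw | Where-Object { $_.Trim() } | ConvertFrom-Csv
    # 'No Auditing' is the English-language value; adjust on localized systems.
    $enabled = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' })
    $polText = '{0} of {1} subcategories enabled' -f $enabled.Count, @($rows).Count
} else {
    $enabled = @()
    $polText = 'auditpol failed, exit code {0}: {1}' -f $rc, ($raw -join ' ')
}

"EventLog service : $($svc.Status)"
"Newest event     : $lastText"
"Local audit.csv  : $csvText"
"Audit policy     : $polText"
$enabled | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Flag the condition from the thread: nothing logged recently or nothing enabled.
if (-not $last -or $quietHours -gt $MaxQuietHours -or $enabled.Count -eq 0) {
    Write-Warning 'Security log looks silent or audit policy is empty; investigate.'
}
```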