Security Log stops Logging

[Doreen]

I've been searching google.groups but I can't really find anything pertinent
to my problem. My IIS Windows 2000 Server (which has Exchange 2000 SP3)
keeps spontaneously rebooting. While that is my MAIN problem, this posting
is about the fact that when I go to check the logs for errors there are
none, but when I go to check the Security log, it has stopped logging some
time before.

The server rebooted at 1:30 am this morning...the Security Log file stops at
4:30 pm yesterday. I had cleared the log yesterday morning, so it was only
yesterday's Security logs. Its size was 62KB when I checked it this morning
and it was set to overwrite after 7 days. About three weeks ago I upgraded
this server to SP4 from SP2.

I'm not sure if the Security Log issue is related to my server rebooting
issue. When I clear the log, it logs normally again. I will delete the
existing log, but as that requires a reboot I don't want to rush into it if
this isn't something I need to do immediately.

Any ideas (on either problem!!) would be greatly appreciated.

Thanks!

Doreen

 

[Steven L Umbach]

Hi Doreen.

I would suggest that you increase the size of your logs quite a bit - probably to at
least 2MB. Also enable auditing of system events on your computer if you have not
already via Local Security Policy unless those settings are maintained at the domain
or OU level.

You may have corruption of your event logs and link below may be worth trying
assuming you mean that your event logs are empty and not recording anything instead
of a pertinent event was not recorded after the reboot.

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

There is a security option to check. In Local Security Policy [secpol.msc] go to
security settings/local policies/security options - shutdown system immediately if
unable to log security audits. Set it to disabled and verify that it is the
"effective" setting after running secedit /refreshpolicy machine_policy /enforce.
This is referred to as the "crash on audit fail" registry setting. --- Steve

 

[Doreen]

I deleted the exisiting Security Log yesterday afternoon. Last night I
asked someone to check to see if the Security Log was still logging events.
They logged into the server using Terminal Services. Two seconds after the
Terminal Service System log entry is the last Security Log entry. So I'm
going out on a limb here and saying that the Security Log issue is related
to Terminal Services.

Any thoughts on Win2K SP4/Exchange 2K SP3 and Terminal Services hanging the
Security Log? I'm not sure if this is related to my rebooting issue, but
I'd like to clear it up and at least exclude it as a suspect.

Thanks!

Doreen

Hi Doreen.

I would suggest that you increase the size of your logs quite a bit - probably to at
least 2MB. Also enable auditing of system events on your computer if you have not
already via Local Security Policy unless those settings are maintained at the domain
or OU level.

You may have corruption of your event logs and link below may be worth trying
assuming you mean that your event logs are empty and not recording anything instead
of a pertinent event was not recorded after the reboot.

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

There is a security option to check. In Local Security Policy [secpol.msc] go to
security settings/local policies/security options - shutdown system immediately if
unable to log security audits. Set it to disabled and verify that it is the
"effective" setting after running secedit /refreshpolicy machine_policy /enforce.
This is referred to as the "crash on audit fail" registry setting. --- Steve

I've been searching google.groups but I can't really find anything pertinent
to my problem. My IIS Windows 2000 Server (which has Exchange 2000 SP3)
keeps spontaneously rebooting. While that is my MAIN problem, this posting
is about the fact that when I go to check the logs for errors there are
none, but when I go to check the Security log, it has stopped logging some
time before.

The server rebooted at 1:30 am this morning...the Security Log file stops at
4:30 pm yesterday. I had cleared the log yesterday morning, so it was only
yesterday's Security logs. Its size was 62KB when I checked it this morning
and it was set to overwrite after 7 days. About three weeks ago I upgraded
this server to SP4 from SP2.

I'm not sure if the Security Log issue is related to my server rebooting
issue. When I clear the log, it logs normally again. I will delete the
existing log, but as that requires a reboot I don't want to rush into it if
this isn't something I need to do immediately.

Any ideas (on either problem!!) would be greatly appreciated.

Thanks!

Doreen

 

[Steven L Umbach]

I don't think it is related to TS or such. I would expect corruption of the log as
possible problem but definitely would make sure that the crash on audit fail setting
is disabled as I mentioned to see if that helps with the reboot problem. --- Steve

I deleted the exisiting Security Log yesterday afternoon. Last night I
asked someone to check to see if the Security Log was still logging events.
They logged into the server using Terminal Services. Two seconds after the
Terminal Service System log entry is the last Security Log entry. So I'm
going out on a limb here and saying that the Security Log issue is related
to Terminal Services.

Any thoughts on Win2K SP4/Exchange 2K SP3 and Terminal Services hanging the
Security Log? I'm not sure if this is related to my rebooting issue, but
I'd like to clear it up and at least exclude it as a suspect.

Thanks!

Doreen

Hi Doreen.

I would suggest that you increase the size of your logs quite a bit - probably to at
least 2MB. Also enable auditing of system events on your computer if you have not
already via Local Security Policy unless those settings are maintained at the domain
or OU level.

You may have corruption of your event logs and link below may be worth trying
assuming you mean that your event logs are empty and not recording anything instead
of a pertinent event was not recorded after the reboot.

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

There is a security option to check. In Local Security Policy [secpol.msc] go to
security settings/local policies/security options - shutdown system immediately if
unable to log security audits. Set it to disabled and verify that it is the
"effective" setting after running secedit /refreshpolicy machine_policy /enforce.
This is referred to as the "crash on audit fail" registry setting. --- Steve

I've been searching google.groups but I can't really find anything pertinent
to my problem. My IIS Windows 2000 Server (which has Exchange 2000 SP3)
keeps spontaneously rebooting. While that is my MAIN problem, this posting
is about the fact that when I go to check the logs for errors there are
none, but when I go to check the Security log, it has stopped logging some
time before.

The server rebooted at 1:30 am this morning...the Security Log file stops at
4:30 pm yesterday. I had cleared the log yesterday morning, so it was only
yesterday's Security logs. Its size was 62KB when I checked it this morning
and it was set to overwrite after 7 days. About three weeks ago I upgraded
this server to SP4 from SP2.

I'm not sure if the Security Log issue is related to my server rebooting
issue. When I clear the log, it logs normally again. I will delete the
existing log, but as that requires a reboot I don't want to rush into it if
this isn't something I need to do immediately.

Any ideas (on either problem!!) would be greatly appreciated.

Thanks!

Doreen

 

[Doreen]

I'd hate to say that I'm not having the reboot problem anymore, but it
hasn't rebooted since I deleted the Security log. That said, the log is
still stopping at random points. The other logs are chugging away, logging
events, but the Security log just stops. When I clear it, it starts logging
again.

I tried "crashing" it by having different people connect to the server via
TS several times yesterday to no avail. However, much later in the evening,
when no one was connected to the server remotely, the Security log stopped
logging.

Any ideas?

I don't think it is related to TS or such. I would expect corruption of the log as
possible problem but definitely would make sure that the crash on audit fail setting
is disabled as I mentioned to see if that helps with the reboot roblem. --- Steve

I deleted the exisiting Security Log yesterday afternoon. Last night I
asked someone to check to see if the Security Log was still logging events.
They logged into the server using Terminal Services. Two seconds after the
Terminal Service System log entry is the last Security Log entry. So I'm
going out on a limb here and saying that the Security Log issue is related
to Terminal Services.

Any thoughts on Win2K SP4/Exchange 2K SP3 and Terminal Services hanging the
Security Log? I'm not sure if this is related to my rebooting issue, but
I'd like to clear it up and at least exclude it as a suspect.

Thanks!

Doreen

Hi Doreen.

I would suggest that you increase the size of your logs quite a bit - probably to at
least 2MB. Also enable auditing of system events on your computer if

you
have not

already via Local Security Policy unless those settings are maintained

at
the domain

or OU level.

You may have corruption of your event logs and link below may be

worth
trying

assuming you mean that your event logs are empty and not recording anything instead
of a pertinent event was not recorded after the reboot.

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

There is a security option to check. In Local Security Policy

[secpol.msc]
go to

security settings/local policies/security options - shutdown system immediately if
unable to log security audits. Set it to disabled and verify that it

is
the

"effective" setting after running secedit /refreshpolicy

machine_policy
/enforce.

This is referred to as the "crash on audit fail" registry

etting. ---
Steve

I've been searching google.groups but I can't really find anything pertinent
to my problem. My IIS Windows 2000 Server (which has Exchange 2000 SP3)
keeps spontaneously rebooting. While that is my MAIN problem, this posting
is about the fact that when I go to check the logs for errors there are
none, but when I go to check the Security log, it has stopped

logging
some

time before.

The server rebooted at 1:30 am this morning...the Security Log file stops at
4:30 pm yesterday. I had cleared the log yesterday morning, so it

was
only

yesterday's Security logs. Its size was 62KB when I checked it this morning
and it was set to overwrite after 7 days. About three weeks ago I upgraded
this server to SP4 from SP2.

I'm not sure if the Security Log issue is related to my server rebooting
issue. When I clear the log, it logs normally again. I will delete the
existing log, but as that requires a reboot I don't want to rush

into it
if

this isn't something I need to do immediately.

Any ideas (on either problem!!) would be greatly appreciated.

Thanks!

Doreen

 

[Steven L Umbach]

That sounds like good news that the reboots stopped. I would try to delete
the .evt log for security as described in the link below to see if it
elps. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

I'd hate to say that I'm not having the reboot problem anymore, but it
hasn't rebooted since I deleted the Security log. That said, the log is
still stopping at random points. The other logs are chugging away, logging
events, but the Security log just stops. When I clear it, it starts logging
again.

I tried "crashing" it by having different people connect to the server via
TS several times yesterday to no avail. However, much later in the evening,
when no one was connected to the server remotely, the Security log stopped
logging.

Any ideas?

I don't think it is related to TS or such. I would expect corruption of the log as
possible problem but definitely would make sure that the crash on audit fail setting
is disabled as I mentioned to see if that helps with the reboot roblem. --- Steve

after

the

hanging

the

maintained

at

the domain
or OU level.

You may have corruption of your event logs and link below may be worth
trying
assuming you mean that your event logs are empty and not recording
anything instead
of a pertinent event was not recorded after the reboot.

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

There is a security option to check. In Local Security Policy [secpol.msc]
go to
security settings/local policies/security options - shutdown system
immediately if
unable to log security audits. Set it to disabled and verify that it is
the
"effective" setting after running secedit /refreshpolicy machine_policy
/enforce.
This is referred to as the "crash on audit fail" registry etting. ---
Steve

I've been searching google.groups but I can't really find anything
pertinent
to my problem. My IIS Windows 2000 Server (which has Exchange

2000

SP3)

there

are

delete

the

 

[Doreen]

The reboots stopped after I deleted the .evt file. So the logging issue is
continuing with my "fresh" copy.

Any ideas? I appreciate all your input so far!!

Doreen

That sounds like good news that the reboots stopped. I would try to delete
the .evt log for security as described in the link below to see if it
elps. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

I'd hate to say that I'm not having the reboot problem anymore, but it
hasn't rebooted since I deleted the Security log. That said, the log is
still stopping at random points. The other logs are chugging away, logging
events, but the Security log just stops. When I clear it, it starts logging
again.

I tried "crashing" it by having different people connect to the server via
TS several times yesterday to no avail. However, much later in the evening,
when no one was connected to the server remotely, the Security log stopped
logging.

Any ideas?


of
the log as audit
fail setting

night

I

asked someone to check to see if the Security Log was still logging events.
They logged into the server using Terminal Services. Two seconds

after

the
Terminal Service System log entry is the last Security Log entry.

So
I'm

going out on a limb here and saying that the Security Log issue is related
to Terminal Services.

Any thoughts on Win2K SP4/Exchange 2K SP3 and Terminal Services

hanging

the
Security Log? I'm not sure if this is related to my rebooting

issue,
but

I'd like to clear it up and at least exclude it as a suspect.

Thanks!

Doreen


Hi Doreen.

I would suggest that you increase the size of your logs quite a bit -
probably to at
least 2MB. Also enable auditing of system events on your computer

if
you

have not
already via Local Security Policy unless those settings are

maintained

at
the domain
or OU level.

You may have corruption of your event logs and link below may be worth
trying
assuming you mean that your event logs are empty and not recording
anything instead
of a pertinent event was not recorded after the reboot.

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

There is a security option to check. In Local Security Policy [secpol.msc]
go to
security settings/local policies/security options - shutdown system
immediately if
unable to log security audits. Set it to disabled and verify that

it
is

the
"effective" setting after running secedit /refreshpolicy machine_policy
/enforce.
This is referred to as the "crash on audit fail" registry etting. ---
Steve

I've been searching google.groups but I can't really find anything
pertinent
to my problem. My IIS Windows 2000 Server (which has Exchange

2000

SP3)
keeps spontaneously rebooting. While that is my MAIN problem, this
posting
is about the fact that when I go to check the logs for errors

there

are
none, but when I go to check the Security log, it has stopped logging
some
time before.

The server rebooted at 1:30 am this morning...the Security Log file
stops at
4:30 pm yesterday. I had cleared the log yesterday morning, so

it
was

only
yesterday's Security logs. Its size was 62KB when I checked it this
morning
and it was set to overwrite after 7 days. About three weeks ago I
upgraded
this server to SP4 from SP2.

I'm not sure if the Security Log issue is related to my server rebooting
issue. When I clear the log, it logs normally again. I will

delete

the
existing log, but as that requires a reboot I don't want to rush into it
if
this isn't something I need to do immediately.

Any ideas (on either problem!!) would be greatly appreciated.

Thanks!

Doreen

 

[Steven L Umbach]

Hi Doreen.

I can't think of much else to try right now other than to be sure that the
log size is adequate and it is configured in the properties to overwrite
events as needed. --- Steve

The reboots stopped after I deleted the .evt file. So the logging issue is
continuing with my "fresh" copy.

Any ideas? I appreciate all your input so far!!

Doreen

That sounds like good news that the reboots stopped. I would try to delete
the .evt log for security as described in the link below to see if it
elps. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

night

computer

if

you
have not
already via Local Security Policy unless those settings are maintained
at
the domain
or OU level.

You may have corruption of your event logs and link below may be
worth
trying
assuming you mean that your event logs are empty and not recording
anything instead
of a pertinent event was not recorded after the reboot.

http://support.microsoft.com/default.aspx?scid=kb;en-us;172156

There is a security option to check. In Local Security Policy
[secpol.msc]
go to
security settings/local policies/security options - shutdown system
immediately if
unable to log security audits. Set it to disabled and verify

that

it

so

it it
this

ago

I