
Server 2008 R2 security log no longer logs events



  • mirage137
    Member
    #162789

    First-time poster, long-time lurker. I’m a contracted IT administrator for multiple small-to-medium-sized businesses.

    One of the customers I support wanted me to enable file/folder auditing on a few folder locations for certain users to determine who is accessing what and if they’re moving, trying to delete, etc. I know it can be resource intensive and fill up space quickly, so I did some test audit settings to make sure the security log was recording the correct detailed info needed. I had it working at one point once I figured out the correct settings, then figured I’d start over with a clean security audit configuration, and in doing so the security log no longer records any events. It’s been about 2 months since I first configured it and had time to troubleshoot, so my memory of the steps taken is a little faded.

    I just wanted to audit on one file server, which is also a Server 2008 R2 DC. It holds the RID, PDC and infrastructure roles.

    I went through all domain/domain controller GPOs and RSoP to backtrack and make sure the audit settings that I changed are no longer defined/enforced. I checked the local security policy to verify no audit settings are defined. The server has been rebooted after verifying the audit settings are not defined. One of the steps I know I took in starting with a clean audit setting slate was deleting the audit.csv files.

    I also verified the local and network service have appropriate user rights to “generate security audits”; however, they are not included in the “manage auditing and security log” user right.

    Not sure what else to try from here, as this is my first time seeing this issue. I even tried setting account logon events – success/failure and it still doesn’t log events.

    Currently the Domain Controller Policy is set for Account Logon events – success/failures and Object Access – success/failures. Server1, which is also a DC, only logs event ID 4616 – Security state change once/twice a day, whereas Server2 (the one having issues) doesn’t log anything.

    Any help or direction is much appreciated. Thank you in advance.
