none
Some events in the Security Event Log are missing when the archive file is created

    Question

  • I am using Group Policy to control our event logs. I have enabled "backup log automatically when full" and "retain old events". When the Security log gets full, it renames it as "Archive-Security-YYYY-MM-DD-XX-XX-XXX.evtx. So far so good. The problem is that the Archive log doesn't seem to have all of the events like the "current" log. See below.

    Current Log

    Archive Security Log

    Notice that the current log has many different type of events and the achive log only has 4656 events (except for the entry where the event log is created and where the event log is full). Having a security log with missing information is not useful. Any suggestions to make sure the current log is converted to an archive log with no lost data? Am I looking at the wrong log?

    Monday, July 29, 2013 10:04 PM

All replies

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
     
    Thank you for your understanding and support.

    Regards

    Kevin

    Wednesday, July 31, 2013 4:22 AM
  • Hi,

    The policy "backup log automatically when full" only backup event log which it is full, it will not backup the current log.

    For more information , see below:

    http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx

    Hope this helpful.

    Thanks,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. 

    Thursday, August 01, 2013 10:47 AM
  • That is not the problem. When the current log is full, it correctly creates the backup log. Lets call the current log, security.evtx. When log security.evt gets full it correctly renames the file Archive-Security-YYYY-MM-DD-XX-XX-XXX.evtx. The problem is that the file named Archive-Security-YYYY-MM-DD-XX-XX-XXX.evtx does not have all of the same information that it had when it was called security.evtx. See the examples above for details. What is the problem?

    Thursday, August 01, 2013 11:11 AM