none
Application Log Getting Flooded with Events 64 and 65

    Question

  • We have recently installed our certificate servers and issued certificates to all domain computers and users.  We have noticed that the Application event logs on all the user systems and terminal servers are getting flooded with events 64 and 65 that are informational only.  I am trying to find a way to eliminate these useless events.  I have tried looking for a GPO or something, but so far have been unable to come up with a solution

    Any help would be greatly appreciated.

     

    ================

    Log Name:      Application
    Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
    Date:          9/19/2011 1:07:36 AM
    Event ID:      65
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Computer:      MY_COMPUTER.MY_DOMAIN.com
    Description:
    Certificate enrollment for Local system is successfully authenticated by policy server {AC59B4C0-922A-4EBB-A387-D29C34207A9C}
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
        <EventID Qualifiers="33370">65</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-09-19T08:07:36.000000000Z" />
        <EventRecordID>48478</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>MY_COMPUTER.MY_DOMAIN.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Context">Local system</Data>
        <Data Name="ServerURL">{AC59B4C0-922A-4EBB-A387-D29C34207A9C}</Data>
      </EventData>
    </Event>

     

    =======================

    Log Name:      Application
    Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
    Date:          9/19/2011 1:07:31 AM
    Event ID:      64
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          MY_DOMAIN\MY_USERNAME
    Computer:      MY_COMPUTER.MY_DOMAIN.com
    Description:
    Certificate enrollment for MY_DOMAIN\MY_USERNAME successfully load policy from policy server {AC59B4C0-922A-4EBB-A387-D29C34207A9C}
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
        <EventID Qualifiers="33370">64</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-09-19T08:07:31.000000000Z" />
        <EventRecordID>48477</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>MY_COMPUTER.MY_DOMAIN.com</Computer>
        <Security UserID="S-1-5-21-1085031214-1604221776-682003330-1193" />
      </System>
      <EventData>
        <Data Name="Context">MY_DOMAIN\MY_USERNAME</Data>
        <Data Name="ServerID">{AC59B4C0-922A-4EBB-A387-D29C34207A9C}</Data>
      </EventData>
    </Event>

    • Changed type Bruce-Liu Monday, September 26, 2011 3:51 PM
    Monday, September 19, 2011 11:25 PM

All replies

  • Hi,

     

    These event logs are just information logs and expected if you have certificate servers in your environment. This type of event only describes the successful operation of a task. It does not mean any warning or error. So we do not need to clean them.

     

    If there are too many events to check, you can use Event filter. Please refer to:

     

    Filter Displayed Events

    http://technet.microsoft.com/en-us/library/cc722058.aspx

     

    Thanks for your understanding.

     

    Regards,

    Bruce

    • Marked as answer by Bruce-Liu Monday, September 26, 2011 3:51 PM
    • Unmarked as answer by Steve Van Domelen Wednesday, November 16, 2011 9:56 PM
    Wednesday, September 21, 2011 3:09 AM
  • Bruce,

    Thanks, but filtering is not an option. Flooding the Application Event Log is a serious problem.  When I see thousands and thousands of these events on a large number of machines to a point where the entire log is consumed by this junk, it is a serious matter in an enterprise.

    These events serve no real purpose.  They are just informational and it is information that I just do not want.

    I am looking for a way to eliminate their existence -- not a way to ignore them.

    Wednesday, November 16, 2011 9:58 PM
  • You may not agree, but the existence of successful operation log entries are also an important part of troubleshooting. It helps to develop a baseline if warnings or errors occur. 
    Monday, January 02, 2012 6:54 PM
  • I do agree that success and failure audit logs are important.  But I want the ability to determine for my enterprise which ones I want and which ones I do not.  If I make the decision that these two particular events are of no use, then I should have the ability to configure them to cease reporting into the event logs.

    Thursday, March 01, 2012 11:06 AM
  • Hello Steve,

    Did you got it resolved.?

    I am also having these events on one server.



    Sainyam Aggarwal MCTS

    Thursday, March 29, 2012 2:07 AM
  • Not yet -- we have a ticket open with Microsoft Tech Support.  I will post the answer here when I get it.
    Thursday, March 29, 2012 7:53 PM
  • Hello Steve,

    Is there any reaction from Microsoft Tech Support yet? I'd be interested in any outcome, since I have the exact same problem...

    Regards,
    Gerhard

    Monday, June 11, 2012 10:15 AM
  • Same issue here ... the event logs on all of the computers and servers in the domain are filled with these Event ID 64 and 65. There are more than 70 of these events / 24 hours.

    It decreases the number of events in the event log per period of time regardless of filtering so either there is a compromise on the days I can go back in the event log to troubleshoot a problem or I am required to increase the size of the event logs on all computer to have the same period of time in them.

    Friday, November 02, 2012 12:23 PM
  • Reviving an old thread, I'm wondering if anyone has found a solution for this?    I thought I'd found it with the GP setting of Audit Certification Services, but I set it to Failure only and the msgs are still filling up my audit log.

    Anyone? 

    Thanks.

    Friday, April 12, 2013 1:00 PM
  • We have the same problem here. Those Info Messages are flooding the Application Log.

    This is very annoying for us.

    Wednesday, May 15, 2013 8:31 AM
  • NO responses since May? Anything? I'm getting the same issue and would like them gone.
    Friday, October 18, 2013 1:39 PM