Can't clear security log on DC
- My account is a member of Domain Admins and Enterprise Admins, but I can't clear the security log. How can I clear the security log on my DCs? Please advise.
Thank you.
Thana
Answer
Hi,
A possible cause is that a custom security permission is defined for the event log. Please open Registry Editor and check whether a registry entry called CustomSD exists under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security. If so, please back up the registry key, remove the CustomSD entry and restart the computer to check the result.
If that is not the case, please run the command "wevtutil gl security" and let us know the output. It is really useful for us to check the security settings.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by Joson ZhouMSFT, Moderator, December 28, 2009 3:37 AM
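The checks this answer and the replies below ask for (a CustomSD override in the registry, the channelAccess SDDL that "wevtutil gl security" reports, the user right that Security log operations require, and the NTFS ACL on winevt\Logs) can be gathered in one pass. The PowerShell below is an added example for this page, not code from the thread or from Microsoft; it uses only standard registry paths and wevtutil/whoami/icacls syntax, reads state without changing anything, and should be run from an elevated prompt on the DC. The access-mask bit meanings in the comments (0x1 read, 0x2 write, 0x4 clear) are the event log channel mask, which is why Administrators must hold the 0x4 bit to clear a log.

```powershell
# Added diagnostic for this page (not from the thread). Run from an elevated
# PowerShell prompt on the DC. Nothing below changes state.

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

# 1. CustomSD override on the Security log (the accepted answer's first check).
$props = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties['CustomSD']) {
    Write-Warning "CustomSD is set on the Security log: $($props.CustomSD)"
} else {
    Write-Host 'No CustomSD value under the Security eventlog key.'
}

# 2. Channel access SDDL as "wevtutil gl" reports it, decoded per ACE.
#    Event log channel access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
$glOutput = wevtutil gl Security
$hit = $glOutput | Select-String -Pattern '^channelAccess:\s*(\S+)'
if ($hit) {
    $sddl = $hit.Matches[0].Groups[1].Value
    Write-Host "channelAccess: $sddl"
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        $canClear = (($ace.AccessMask -band 0x4) -ne 0)
        '{0,-14} {1,-35} mask=0x{2:x}  clear={3}' -f $ace.AceType, $who, $ace.AccessMask, $canClear
    }
} else {
    Write-Warning 'wevtutil gl Security returned no channelAccess line; post the full output.'
}

# 3. Clearing the Security log also needs SeSecurityPrivilege, which comes from the
#    "Manage auditing and security log" user right (the GPO question in the thread).
$priv = whoami /priv | Select-String 'SeSecurityPrivilege'
if ($priv) { Write-Host "Token holds: $($priv.Line.Trim())" }
else       { Write-Warning 'SeSecurityPrivilege is missing from this token; check the user right in GPO.' }

# 4. NTFS ACL on the log directory, the same listing ls01c asked to compare.
icacls "$env:SystemRoot\System32\winevt\Logs"
```

If step 2 shows the BUILTIN\Administrators ACE without the 0x4 bit, or step 3 reports the privilege missing, that explains an "Access is denied" from Event Viewer even for a Domain Admin; step 1 and step 4 cover the registry override and the filesystem side, which is what the rest of the thread compares by hand.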
All replies
- Thana,
What's the OS level? If you are running a Windows Server 2008/2008 R2-based DC, make sure that you elevate the privileges to avoid UAC impact...
hth
Marcin
- Has there been any additional GPO applied to the DCs? Can you clear it on any DC, or is this the only one you can't clear it on?
Mark Morowczynski|MCT| MCSE 2003:Messaging, Security|MCITP:ES, SA,EA|MCTS:Windows Mobile Admin|Security+|http://almostdailytech.com
- Hi Marcin,
Thanks for your attention.
My DC is Windows Server 2008 STD, and the domain functional level is Windows Server 2008 too. I have elevated the privileges.
Thana
- Did any error message get prompted or shown when you tried to clear the log?
Can you please check the NTFS permissions of %systemroot%\system32\winevt:
C:\Windows\system32\winevt NT SERVICE\EventLog:(OI)(CI)(RX,W,DC)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(CI)(R)
Are they the same as above?
Hope that helps...
- Hi Mark,
I can't clear it on either DC.
Thana
- Can you check the GPOs that are applied to the DCs? I know there is a policy on who is allowed to clear the security event logs. This may have been modified in some way.
Mark Morowczynski|MCT| MCSE 2003:Messaging, Security|MCITP:ES, SA,EA|MCTS:Windows Mobile Admin|Security+|http://almostdailytech.com
- Hi Mark,
I have checked the GPO and there is no policy setting about the security log.
Thanks in advance.
Thana
- Hi,
Could you please confirm the information mentioned by ls01c?
Please also run "wevtutil gl security" on the DC and post the output here for research.
In addition, I would like to confirm if you can clear other logs (such as Application, System, etc.) on the DC.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Hi,
This is the result:
C:\Windows\System32\winevt NT SERVICE\EventLog:(OI)(CI)(RX,W,DC)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(CI)(R)
C:\Windows\System32\winevt\Logs NT SERVICE\EventLog:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(CI)(R)
C:\Windows\System32\winevt\TraceFormat NT SERVICE\EventLog:(I)(OI)(CI)(RX,W,DC)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(I)(CI)(R)
And I can't clear any log file (Application, System).
Thank you.
Thana
- Hi, can you try this?
Open an elevated command prompt.
Run wevtutil cl Security /bu:C:\security.evtx
This command will clear the security log and back it up to the C:\ drive as security.evtx.
Please let us know the error message if it fails.
Or you can try to boot into safe mode and try to clear the security log again.
BTW, have you applied SP2?
If not, please upgrade to SP2 and check again.
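The backup-then-clear step above is the one that finally worked in this thread, so it is worth doing with verification on both sides, since the .evtx is the DC's audit trail. The PowerShell below is an added example for this page, not code from the thread or from Microsoft; the backup directory and file name are assumptions, and the script relies only on documented wevtutil verbs (gli to read a log's record count, cl with /bu to back up and clear, qe to read the new log). It also checks for event 1102, which the Security log records when it is cleared and which names the account that cleared it.

```powershell
# Added example for this page (not from the thread): back up the Security log,
# clear it, and verify both steps. Run from an elevated prompt on the DC.
# The backup directory and file name are assumptions; keep the .evtx somewhere
# access-controlled, because it is the audit trail being removed from the DC.

$backupDir  = 'C:\EventLogBackups'
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $backupDir "Security-${env:COMPUTERNAME}-${stamp}.evtx"

if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }

# Pull numberOfLogRecords out of "wevtutil gli" for a live log or a saved .evtx.
function Get-RecordCount {
    param([string]$Target, [switch]$IsFile)
    $out = if ($IsFile) { wevtutil gli $Target /lf:true } else { wevtutil gli $Target }
    $hit = $out | Select-String -Pattern '^numberOfLogRecords:\s*(\d+)'
    if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { -1 }
}

$before = Get-RecordCount -Target 'Security'
Write-Host "Security log holds $before records before clearing."

# /bu writes the current records to the .evtx before the channel is cleared.
wevtutil cl Security "/bu:$backupFile"
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil cl failed with exit code $LASTEXITCODE (Access is denied means the token cannot clear this log)"
}

# Verify the backup is a readable .evtx holding at least what was in the log.
# Events can still arrive between the count and the clear, so only a shortfall is a problem.
$saved = Get-RecordCount -Target $backupFile -IsFile
if ($saved -lt $before) { Write-Warning "Backup has $saved records but the log had $before." }
else { Write-Host "Backup verified: $saved records in $backupFile" }

# A clear is itself audited: the oldest record in the new log should be event 1102
# (The audit log was cleared), which names the account that did it.
$oldest = wevtutil qe Security /c:1 /f:text
if ($oldest -match 'Event ID:\s*1102') { Write-Host 'Event 1102 recorded for this clear.' }
else { Write-Warning 'No 1102 event found at the start of the new log.' }
```

Running this is equivalent to the single wevtutil line in the reply above, with the record counts and the 1102 check added so that a failed backup or a denied clear is caught immediately rather than noticed later.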
- Hi all,
My DC has SP2 installed.
Now I can use "wevtutil cl Security /bu:C:\security.evtx" to clear the log file.
How can I use the GUI to clear the log file instead of the wevtutil command?
Thanks in advance...
Thana
- Can you try to disable UAC and try with the GUI?
- Hi ThanaPha,
To clear Security log in GUI mode, you may try to do it in Event Viewer on Windows Server 2008.
Steps:
1. Start -> Run -> Eventvwr
2. Navigate to Windows Logs\Security
3. Right-click on it and select "Clear log…"
4. Click Clear to proceed.
Hope it helps.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by David Shen - MSFTMSFT, Moderator, December 9, 2009 2:28 AM
- Unmarked as answer by ThanaPha, December 11, 2009 6:09 AM
- Hi David,
The problem is that I can't clear the security log with the GUI even if I try elevating to bypass UAC on WS2K8. But I can clear it with the wevtutil command.
- Hi,
Please run "wevtutil gl security" on the DC and let us know the output of the command.
In addition, please confirm the following:
1. Can you clear the security log via GUI on other computers in this domain?
2. What error do you encounter when you try to clear the security log on the DC? Could you please capture a screenshot for us to better understand the issue?
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Hi,
For Q1: Yes I can.
For Q2: When I tried to clear the log, it showed the following message: "Event Viewer could not clear the log. The following error occurred: Access is denied"
Thanks.
Thana
- Hi,
How's everything going? We've not heard back from you in a few days and wanted to check the current status of the issue. If you need any further assistance, please do not hesitate to respond back.
This posting is provided "AS IS" with no warranties, and confers no rights.