Security event log, Want overwrite but reverts to archive

    Question

  • I set the Security Event log to "Overwrite events as needed" but it reverts to "Archive the log when full." When I run the RSOP command it shows that this setting is controlled by the Default Domain Group Policy, and it is set to "Overwrite." I need to find out what is changing the setting back to "Archive" as it is filling up the C: drive on our servers. We have Windows Server 2012 domain controllers and Windows Server 2008 R2 servers.
    Wednesday, November 18, 2015 7:02 PM

All replies

  • I suspect a GPO is doing it.

    Disable the GPOs and check the results.

    If it behaves normally, check the GPO, reg keys, etc.


    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, November 19, 2015 5:00 AM
  • Hi Arnav,

    I disabled the GPOs and the Security Event log setting is now staying at "Overwrite." I checked the setting "Retention method for Security log" on all GPOs and they are all set as not defined except one Domain policy which is set to overwrite the Security log. Is there a way I can find which GPO is changing the setting to archive the Security log?

    Thanks,

    Carolyn

    Friday, November 20, 2015 12:15 AM
  • Cool!! So, a GPO is the culprit!!

    You might need to pull a complete report for the GPOs and check which one is messing with the settings, reg keys, or sec policies.


    Arnav Sharma | http://arnavsharma.net/

    • Proposed as answer by arnavsharmaMVP Sunday, November 29, 2015 9:45 PM
    Friday, November 20, 2015 12:31 AM
  •  I checked the setting "Retention method for Security log" on all GPOs and they all set as...

    Try to run "Gpresult /h C:\result.html" to view a list of Group Policies for the currently logged on user and computer.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Friday, November 20, 2015 6:57 AM
    Moderator
  • Hi Ethan,

    I ran the "Gpresult /h C:\result.html" command and checked the setting under Computer Configuration, Event Log. Here is what is listed: 

        Policy: Retention method for security log 

        Setting: As Needed 

        Winning GPO: Default Domain Policy

    This is what the Security Log should be doing, it should Overwrite as needed, but when I check the Event Log GUI settings, the Security log is set to "Archive." If I change it to "Overwrite," it changes back to "Archive."

    Is there another setting in the GPO that controls the Security log?

    Thanks,

    Carolyn

    Friday, November 20, 2015 6:58 PM
  • this 

    https://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx

    http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx


    Arnav Sharma | http://arnavsharma.net/

    • Proposed as answer by arnavsharmaMVP Sunday, November 29, 2015 9:45 PM
    Monday, November 23, 2015 12:32 AM
  • Is there another setting in the GPO that controls the Security log?

    Please check if the Group Policy below is defined in any GPO:
     
    Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Backup log automatically when full
     
    More reference: https://technet.microsoft.com/en-us/library/dd349798%28v=ws.10%29.aspx
     

    Regards,

    Ethan Hua



    Monday, November 23, 2015 5:06 AM
    Moderator
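
The two checks suggested in this thread (pulling a report for every GPO, and looking for the "Backup log automatically when full" policy) can be scripted. The PowerShell below is an added example, not part of the original thread; the registry paths and value names it reads are assumptions to verify on your own systems.

```powershell
# Added example: compare the effective Security log mode with the registry values
# behind it, then search every GPO report for the two settings named in the thread.
# Run elevated on an affected server; step 3 needs the GroupPolicy module (GPMC/RSAT).

# 1. What the Event Log service is actually doing.
#    LogMode: Circular = overwrite as needed, AutoBackup = archive when full,
#    Retain = do not overwrite.
$log = Get-WinEvent -ListLog Security
'Effective: LogMode={0}, MaxSize={1:N0} bytes' -f $log.LogMode, $log.MaximumSizeInBytes

# 2. Registry values behind the setting. Paths and value names are assumptions to
#    verify on your build: the first key is the service's own configuration, the
#    second is where the "Event Log Service" administrative template is expected to write.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
)
foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'Retention', 'AutoBackupLogFiles', 'MaxSize') {
        $value = if ($props -and $null -ne $props.$name) { $props.$name } else { '<not set>' }
        '{0}  {1} = {2}' -f $key, $name, $value
    }
}

# 3. Which GPOs configure either setting? The HTML report lists only configured
#    settings, so a match means the GPO defines it (with whatever value).
Import-Module GroupPolicy
$patterns = 'Retention method for security log', 'Back ?up log automatically when full'
Get-GPO -All | ForEach-Object {
    $gpo  = $_
    $html = Get-GPOReport -Guid $gpo.Id -ReportType Html
    foreach ($p in $patterns) {
        if ($html -match $p) {
            [pscustomobject]@{
                GPO      = $gpo.DisplayName
                Matched  = $p
                Modified = $gpo.ModificationTime
            }
        }
    }
} | Sort-Object GPO | Format-Table -AutoSize
```

A match in step 3 only shows that the GPO configures the setting; open that GPO's report to read the value, and confirm the GPO appears in the server's applied list from `Gpresult /h`.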
  • Hi,
     
    Just checking in to see if the above information was helpful. Please let us know if you would like further assistance.
     
    Thanks,
     

    Regards,

    Ethan Hua



    Wednesday, December 2, 2015 1:56 AM
    Moderator
  • Hi,
     
    I'm marking the reply as answer as there has been no update for a couple of days.
     
    If you come back to find it doesn't work for you, please reply to us and unmark the answer.
     

    Regards,

    Ethan Hua



    Monday, December 7, 2015 1:40 AM
    Moderator