Event Logs - archive log when full

  • Question

  • Hi

    I am trying to use/test the "Archive the log when full, do not overwrite events" option in my event log properties

    Basically when it gets to set size expecting it to create archive so I have backup of older events

    BUT it doesn't work - when log hits chosen size limit it just stops logging and no archive file is ever created

    Is this a known problem, or have I missed something?

    Thanks


    Darren Rose

    Sunday, August 13, 2017 12:07 PM

All replies

  • Hi Darren,

    Generally, by default event logs are archived into the %WinDir%\System32\winevt\Logs folder. Their names are formed from the following template:

    Archive + <Event log name> + <Date> + <Time>.evtx

    Please check if your event log location is that location because archived logs are put in the same folder with actual log file.

    Here is an example for Windows 10

    1105(S): Event log automatic backup

    https://docs.microsoft.com/en-us/windows/device-security/auditing/event-1105


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 14, 2017 2:51 AM
  • Thanks for your reply

    Yes log location is as you mention - default location

    All settings checked and are as per that article and one it links to

    But the log is never archived and stops logging events when full, and no event relating to it is shown in the event log to help diagnose it

    For some reason it just doesn't work


    Darren Rose

    Monday, August 14, 2017 9:14 AM
  • Hi Darren,

    That's odd. Since no one option will stop logging.

    Which event log did you configure to "Archive the log when full, do not overwrite events"?

    Please check if you have enabled this group policy "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits". If yes, please disable it to see if the issue is gone.



    Tuesday, August 15, 2017 10:23 AM
  • Well it has and does stop logging

    It as per first message is set to "Archive the log when full, do not overwrite events"

    Checked that setting and it is disabled


    Darren Rose

    Tuesday, August 15, 2017 10:28 AM
  • Which event log did you want to archive and set the "Archive the log when full, do not overwrite events" option on?

    If it's possible, please run gpresult /h c:\gpreport.html to generate the group policy report. Then upload it to OneDrive for analysis, share the link here for downloading.

    Of course, make sure you enable that log.




    Thursday, August 17, 2017 9:57 AM
  • I have tried it on system, application and security - all with same problem - but it would be security I would use going forward if I can get it working - just testing with others as they fill up quicker to enable the testing

    Screenshots below of settings in Event Viewer - you can also see here it has reached size limit and stopped logging as nothing showing for 17/08 (today)

    Also tried setting it using command line tool = wevtutil sl system /rt:true /ab:true

    Link to report as requested = http://www.pcassistonline.co.uk/TEST/gpreport.zip


    Darren Rose

    Thursday, August 17, 2017 10:26 AM
  • Hi,

    There is no clue in your group policy report.

    Please try enable "Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Backup log automatically when full" for test.

    Meanwhile, when it stops, check if Windows event log service is running fine.



    Friday, August 18, 2017 8:47 AM
  • Had already tried it via group policy - but will try it again

    When it stops logging the Event Log Service is running okay as other logs still working fine


    Darren Rose

    Friday, August 18, 2017 8:53 AM

  • When it stops logging the Event Log Service is running okay as other logs still working fine


    How did you know it stopped?

    Open Event Viewer, check the security log's Date and Time to confirm if it's logging.

    In addition, based on my test, you cannot set the size to less than the original size that was in place before you changed the configuration of "When maximum event log size is reached".

    E.g.: if your security log maximum size was originally 20480, you can set it to 20544 as a test to see if it gets archived.

    If you set a size smaller than 20480, like 1028, archiving does not work.



    Monday, August 21, 2017 8:49 AM
  • How did you know it stopped?

    Because no new events in the log for last 3 days......

    Checks logs date and time and it wasn't logging as it was full and had stopped logging 3 days ago so date showed Modified: 17 August - this I already knew and was why I posted problem in first place


    Darren Rose


    • Edited by wingers Monday, August 21, 2017 9:06 AM
    Monday, August 21, 2017 9:05 AM
  • Okay will try larger size then as perhaps that was why it is not working - as I chose small sizes to enable quick testing - will let you know how I get on

    Darren Rose

    Monday, August 21, 2017 9:07 AM
  • Okay will try larger size then as perhaps that was why it is not working - as I chose small sizes to enable quick testing - will let you know how I get on

    Darren Rose

    Any result?


    Tuesday, August 22, 2017 8:42 AM
  • it will take some time for log to grow to that size - so won't know for a few days - hence why originally I chose a smaller size!

    Darren Rose

    Tuesday, August 22, 2017 8:51 AM
  • it will take some time for log to grow to that size - so won't know for a few days - hence why originally I chose a smaller size!

    Darren Rose


    Ok, any update, reply here.


    Tuesday, August 22, 2017 8:54 AM
  • Okay to speed up testing I ran a loop in powershell to keep adding events to the log so it grew quicker

    Log was set to archive at 20544kb as per your reply

    Log got to 20548kb in size (according to explorer), NO archive was created and it has stopped logging completely to that log - in event viewer it shows number of events 87,294 (!) New events available, but refreshing it still shows the same message and last event was logged 12 minutes ago

    So even set to that size it is NOT archiving when configured to do so - it is simply stopping logging until I manually clear it or change settings

    Something clearly not right here


    Darren Rose

    Tuesday, August 22, 2017 6:29 PM
  • Hi Darren,

    That's abnormal. Please give us a screenshot of your event log directory, especially the file sizes.

    Default is %WinDir%\System32\winevt.

    Then perform a Clean Boot.

    You needn't run a loop in PowerShell to keep adding events to the log. Just set the number close to its original size.

    E.g.,

    1. Go to %WinDir%\System32\winevt and confirm the Security log size.

    2. Then go to Event Viewer -> Windows Logs -> Security, right-click to open its Properties, and set the size to the same number as the Security log size that you confirmed in step 1.

    Note: If it prompts that the size specified is invalid, just click OK to ignore it, and then click the up-arrow next to the maximum log size box to increase it by one level.

    3. Afterwards, restart the computer to check the result.



    Friday, August 25, 2017 9:28 AM
  • You needn't run a loop in PowerShell to keep adding events to the log. Just set the number close to its original size.

    That was what I was doing originally - only did it larger and manually added events using powershell because you mentioned trying a larger size file - so I did and it still doesn't work

    Darren Rose

    Friday, August 25, 2017 12:08 PM
  • Hi Darren,

    That's abnormal. Please give us a screenshot of your event log directory, especially the file sizes.

    screenshot below


    Darren Rose

    Friday, August 25, 2017 12:09 PM
  • Hi Darren,

    That's abnormal. Please give us a screenshot of your event log directory, especially the file sizes.

    Default is %WinDir%\System32\winevt.

    Then perform a Clean Boot.

    You needn't run a loop in PowerShell to keep adding events to the log. Just set the number close to its original size.

    E.g.,

    1. Go to %WinDir%\System32\winevt and confirm the Security log size.

    2. Then go to Event Viewer -> Windows Logs -> Security, right-click to open its Properties, and set the size to the same number as the Security log size that you confirmed in step 1.

    Note: If it prompts that the size specified is invalid, just click OK to ignore it, and then click the up-arrow next to the maximum log size box to increase it by one level.

    3. Afterwards, restart the computer to check the result.



    Yes I know how to configure it - that is not the problem - problem is it just doesn't work and I have tried it on two computers running Windows 10 now with same result


    Darren Rose

    Friday, August 25, 2017 12:10 PM
  • Hi Darren,

    That's abnormal. Please give us a screenshot of your event log directory, especially the file sizes.

    screenshot below


    Darren Rose

    Now please boot into a Clean Boot state.

    Then configure your System event log (20548 KB) as "Archive the log when full, do not overwrite events" and set the maximum log size to "20608KB".

    Then restart the computer to check the result.

    If the issue persists, I am afraid you need to perform an In-Place Upgrade using the official ISO to see if it can be resolved.



    Monday, August 28, 2017 9:35 AM
  • issue persists and one of the computers is a clean installation of Windows 10!

    Darren Rose

    Monday, August 28, 2017 11:42 AM
  • issue persists and one of the computers is a clean installation of Windows 10!

    Darren Rose

    Are you sure it doesn't work in a Clean Boot state, with no third-party software or services running and configured as I said?

    If yes, the only way I can think of is using another official ISO file to do an In-Place Upgrade or clean install as a test.

    If yours are Home or Pro edition, visit the following page to obtain the ISO file:

    Download Windows 10

    https://www.microsoft.com/en-us/software-download/windows10

    If yours are Enterprise or Education edition, go to your own MSDN subscription or Volume License Center to obtain the ISO file.



    Tuesday, August 29, 2017 8:41 AM
  • as I said one of them is a clean install of Windows 10 - so there is no other running 3rd party software

    I suspect it is a problem with this build of Windows 10 I am using personally


    Darren Rose

    Tuesday, August 29, 2017 9:43 AM
  • as I said one of them is a clean install of Windows 10 - so there is no other running 3rd party software

    I suspect it is a problem with this build of Windows 10 I am using personally


    Darren Rose

    Therefore I suggest you switch to another ISO file as a test, since, as you see, mine is working fine.


    Tuesday, August 29, 2017 9:46 AM
  • okay can't do that at present, and as it is multiple computers affected I suspect more of a particular build problem, as they are both insider previews

    Darren Rose

    Tuesday, August 29, 2017 9:49 AM
  • okay can't do that at present, and as it is multiple computers affected I suspect more of a particular build problem, as they are both insider previews

    Darren Rose

    What's your build?

    Mine is Windows 10 1703 build 15063.540. If your computer is not, update to the latest build for test.

    In addition, are those computers domain joined?




    Tuesday, August 29, 2017 9:52 AM
  • Not domain joined

    1703 build 16251.1002


    Darren Rose

    Tuesday, August 29, 2017 9:54 AM
  • Not domain joined

    1703 build 16251.1002


    Darren Rose

    Could you give a screenshot of winver output?





    Tuesday, August 29, 2017 10:00 AM
  • as I said insider preview build

    see below:-


    Darren Rose

    Tuesday, August 29, 2017 10:02 AM
  • Ok. I have no lab machine with this build to test on.

    You could use the ISO file I provided above to clean install a lab machine for test.



    Tuesday, August 29, 2017 10:07 AM
  • don't have spare machine handy

    I will wait for next insider preview to install and then see if problem fixed and report back

    Thank you


    Darren Rose

    Tuesday, August 29, 2017 10:09 AM
  • don't have spare machine handy

    I will wait for next insider preview to install and then see if problem fixed and report back

    Thank you


    Darren Rose


    Ok. Maybe it's indeed a build-specific issue.


    Tuesday, August 29, 2017 10:21 AM
  • Hi Winger,

    Based on the test, it's an issue with this specific build. We have submitted this feedback via our own channel.

    So far, you could roll back to Windows 10 1703 build 15063 to avoid this issue.



    Thursday, August 31, 2017 8:04 AM
  • It still doesn't work in Windows 10 1709 build 16288.1

    Darren Rose

    Sunday, September 17, 2017 2:53 PM
  • It still doesn't work in Windows 10 1709 build 16288.1

    Darren Rose

    This issue has been submitted to the product team. It may need more time to resolve. Let's wait for a later build.


    Monday, September 18, 2017 9:22 AM
  • Still same issue in Windows 10 1709 build 16299.15 - which I believe is the RTM and the next official version - so would have expected it to be fixed for that?........

    Darren Rose

    Friday, October 6, 2017 12:10 PM
  • Still wasn't fixed in Fall Creators release, and also not working in 17025.1000

    Obviously not deemed as important enough to fix, even though affecting enterprise customers who have moved to Windows 10

    I will find another solution as waited long enough


    Darren Rose

    Friday, November 3, 2017 6:01 PM
  • Confirmed bug. Problem is fixed in RS4. RS3 Backports scheduled for 1st quarter of next year if all goes according to plan.

    Monday, December 4, 2017 11:15 PM
  • Look for CUs that contain the following fix:

    • Addresses issues where event logs stop receiving events when a maximum file size policy is applied to the channel.
    Tuesday, December 5, 2017 12:14 AM
  • Thanks for letting me know

    Darren Rose

    Tuesday, December 5, 2017 1:34 PM
  • Yes, it's released on January 3, 2018—KB4056892 (OS Build 16299.192)

    https://support.microsoft.com/en-sg/help/4056892



    • Marked as answer by wingers Friday, January 5, 2018 2:51 PM
    Friday, January 5, 2018 2:35 AM
  • Thanks Karen

    Darren Rose

    Friday, January 5, 2018 2:51 PM
  • This problem has re-surfaced! After Windows 10 April 2018 update. 

    Fresh Windows Install. Set to archive when full. No matter the size you set the security log will not archive!


    SteveS

    Wednesday, June 13, 2018 5:10 PM
  • This is outrageous! How is Windows 10 supposed to enter the Enterprise when such critical functions break on a build-to-build basis?

    Spent almost a day of work when configuring our security baseline for Event Logging on clients and was working on the "latest and greatest" build (1803), just to find out that after all this development, such crucial things break.

    How am I supposed to deliver an OS where anything can break at any point in time?

    --

    Alex

    Thursday, June 28, 2018 2:44 PM
  • Hi,

    This is still a problem on W10 (see screenshot below).
    Does anyone have any additional information?
    Thanks in advance.


    Anthony LaMark

    Wednesday, March 27, 2019 11:04 PM
  • Hi,

    For anyone following this thread (especially secRMM customers), we (i.e. Squadra Technologies) have opened a support incident (REG:119032926007024) with Microsoft.  Hope to get a fix very soon.  Sorry for the inconvenience.


    Anthony LaMark

    Sunday, March 31, 2019 3:24 PM
  • Hi,

    Bug still exists in W10 1809!
    The Microsoft engineer I have been working with has confirmed the bug.
    Unfortunately, it still hasn't been promoted to the Microsoft development team.


    Anthony LaMark

    Tuesday, April 16, 2019 12:11 AM
  • Hi again,

    For anyone who is following this thread (especially secRMM customers), I still cannot get Microsoft to address the issue.
    I am trying (and so is the Microsoft support engineer I am talking to) but still no luck in getting a Microsoft developer to address this.
    I will keep you posted when I get more information.
    Sorry for this insanity.


    Anthony LaMark

    Friday, April 19, 2019 1:54 AM
  • Hi,

    The same problem occurs on Windows Server 2019

    When can I update the file?

    The current update file does not have 1809

    Friday, April 19, 2019 6:32 AM
  • Hi All,

    Here is the latest update from the Microsoft support engineer as of today (04/23/2019, open for 25 days now):

    Once I have the update regarding the hotfix then I will definitely update you.
    However, we don’t have the ETA for it.

    If anyone reading this thread feels this bug is a Severity 1 bug (as I do) and wants to reach out to your Microsoft representative, here is the support incident number and title:
    [REG:119032926007024] Event Log does not archive when full

    Thanks.


    Anthony LaMark

    Wednesday, April 24, 2019 1:04 AM
  • Thanks for keeping this rolling. Only recently discovered this on a new DC. Looking forward to seeing a fix.
    Friday, May 3, 2019 8:14 PM
  • Hi,

    Sure thing.
    Still getting the same story from Microsoft about this bug.
    It is such a critical bug for an operating system.
    The worst part about this bug is that when the event log fills, you just start losing new events.
    The ReportEvent Win32 API (this is what programs call to create an event in an event log) always returns that it succeeded but in reality, the event is lost.


    Anthony LaMark

    Sunday, May 5, 2019 5:58 PM
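
Added example, not part of any post in this thread: because a full log drops new events without returning an error, as the post above describes, a stalled log has to be detected from the log's own metadata. This PowerShell function compares each log's size with its limit, checks the age of the newest event, and looks for archive files beside the live file and for event 1105; the function name, its parameters and the 60-minute threshold are assumptions made for the example.

```powershell
# Added example: report event logs that are set to auto-archive but have stalled.
# Run elevated (reading the Security log needs administrator rights).
# Test-EventLogArchiveHealth, its parameters and the 60-minute default are
# names and values chosen for this example.
function Test-EventLogArchiveHealth {
    [CmdletBinding()]
    param(
        [string[]]$LogName = @('Security', 'System', 'Application'),
        [int]$StallMinutes = 60   # full log + nothing newer than this = stalled
    )

    $autoBackupMode = [System.Diagnostics.Eventing.Reader.EventLogMode]::AutoBackup

    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop

        # LogFilePath is stored as %SystemRoot%\...; expand it to a real path.
        $path = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
        $dir  = Split-Path -Path $path -Parent

        # Archives land beside the live file as Archive-<log>-<date>-<time>.evtx.
        $archives = @(Get-ChildItem -Path $dir -Filter "Archive-$name-*.evtx" -ErrorAction SilentlyContinue)

        # Get-WinEvent returns newest first, so one event is the latest record.
        $newest = Get-WinEvent -LogName $name -MaxEvents 1 -ErrorAction SilentlyContinue
        $ageMin = if ($newest) { [int]((Get-Date) - $newest.TimeCreated).TotalMinutes } else { $null }

        # Event 1105 (Security log) records each successful automatic backup.
        $last1105 = $null
        if ($name -eq 'Security') {
            $last1105 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1105 } `
                -MaxEvents 1 -ErrorAction SilentlyContinue
        }

        $atLimit = $log.IsLogFull -or ($log.FileSize -ge $log.MaximumSizeInBytes)
        $isAuto  = $log.LogMode -eq $autoBackupMode

        # Stalled = archiving is configured, the file sits at its limit,
        # and no event has been written for $StallMinutes or longer.
        $status = if (-not $isAuto) {
            'NotSetToArchive'
        } elseif ($atLimit -and $null -ne $ageMin -and $ageMin -ge $StallMinutes) {
            'Stalled'
        } elseif ($atLimit) {
            'AtLimit'
        } else {
            'OK'
        }

        [pscustomobject]@{
            LogName           = $name
            LogMode           = $log.LogMode
            MaxSizeKB         = [int]($log.MaximumSizeInBytes / 1KB)
            FileSizeKB        = [int]($log.FileSize / 1KB)
            NewestEventAgeMin = $ageMin
            ArchiveCount      = $archives.Count
            LastBackupEvent   = if ($last1105) { $last1105.TimeCreated } else { $null }
            Status            = $status
        }
    }
}

# Example run over the three classic logs.
Test-EventLogArchiveHealth | Format-Table -AutoSize
```

A log reported as Stalled with ArchiveCount 0 matches the behaviour reported in this thread; on a busy machine a smaller -StallMinutes value gives earlier warning.
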
  • I FIGURED IT OUT PEOPLE!!!!

    It's a permissions problem

    You need to add "LOCAL SERVICE" with full permissions to "%SystemRoot%\SYSTEM32\WINEVT\LOGS" and propagate that permission down to the files in the folder.

    Once you apply these permissions, reboot the computer.

    Once it boots back up, you will see the logs being archived.


    Monday, May 6, 2019 4:06 PM
  • I FIGURED IT OUT PEOPLE!!!!

    It's a permissions problem

    You need to add "LOCAL SERVICE" with full permissions to "%SystemRoot%\SYSTEM32\WINEVT\LOGS" and propagate that permission down to the files in the folder.

    Once you apply these permissions, reboot the computer.

    Once it boots back up, you will see the logs being archived.


    great work @thenefield, will give it a try.  If it is really that simple then even more embarrassing Microsoft haven't fixed it, since I first reported it in August 2017!!

    Darren Rose


    • Edited by wingers Monday, May 6, 2019 4:11 PM
    Monday, May 6, 2019 4:11 PM
  • Hi,

    Awesome!!!

    Since I have this as an open bug with Microsoft, I will ask them to verify that this is the fix across all the OS versions.

    Microsoft should pay you for your brilliance!

    Great work and I hope this is it!!!


    Anthony LaMark

    Monday, May 6, 2019 4:12 PM
  • Hi,
    Sorry for the delay.
    Well, the Microsoft support engineer (i.e. subcontracted offshore/outsourced company in India) is not answering my emails now.
    Of course, they had no problem taking my $500 (which I cannot seem to get back now)...ugh, is my frustration coming thru! :-)
    To put more salt in the wound, I tried your suggested fix but am not seeing the same results as you (script below).
    I wonder if the fix may vary by OS version/patch.
    Anyway, if you see something wrong with the script, please let me know because this bug really needs to get fixed soon.
    Thanks guys.

    @ECHO OFF 
    SETLOCAL EnableDelayedExpansion

    REM Get the account that is running the eventlog service.
    FOR /f "tokens=1,2 delims=:" %%A in ('sc \\localhost qc eventlog ^| findstr SERVICE_START_NAME') do (
    REM %%A=SERVICE_START_NAME : %%B=NT AUTHORITY\LocalService
    SET ACCOUNT=%%B
    )
    REM Trim spaces from the start and end of the account variable
    FOR /f "tokens=* delims= " %%a in ("%ACCOUNT%") do SET ACCOUNT=%%a
    FOR /l %%a in (1,1,31) do if "!ACCOUNT:~-1!"==" " SET ACCOUNT=!ACCOUNT:~0,-1!

    REM Give full permissions to the account for the event log folder and file
    REM (paths are stored unquoted and quoted where used, so File is not double-quoted)
    SET "Folder=%SystemRoot%\System32\winevt\logs"
    SET "File=%Folder%\secRMM.evtx"

    SET /P Answer= Do you want to give account %ACCOUNT% full permission to "%Folder%" and "%File%"? (Y/N):
    IF /I NOT "%Answer%"=="Y" GOTO :Skip

    IF EXIST "%Folder%" "%ComSpec%" /c icacls "%Folder%" /Q /C /grant "%ACCOUNT%":(F)
    IF EXIST "%File%" "%ComSpec%" /c icacls "%File%" /Q /C /grant "%ACCOUNT%":(F)

    :Skip
    ENDLOCAL

    Anthony LaMark

    Wednesday, May 8, 2019 7:02 PM
  • Providing the account full control also did not resolve the issue for me. :(
    It seems likely that UAC may be playing some part in this as well. I am unable to change the UAC settings in my Prod environment so if it is I'll have to make alternate plans, however I intend to fiddle with a test machine and see if either removing UAC completely or moving the log files to an alternate location produces fruit.
    Thursday, May 9, 2019 7:19 PM
  • I am having the same issue with several Windows 10 machines on 1803. They reach the set maximum file size of 32786 kb and then get stuck and end up overwriting logs. I have checked event viewer settings for each log and verified that they were indeed set to auto archive and that the max file size was 32786 kb, I have set group policy on the domain to make sure that they are set to auto archive and nothing else. I have also given the event log account and the local service account full permissions into the log folder and all other child items. I have updated to the latest cumulative update for Windows 10 1803 that came out this month. I'm starting to grasp at straws here.

    Wednesday, May 29, 2019 1:53 PM
  • Hello,

    This is a known issue and Microsoft is working on a fix to address this.


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, May 29, 2019 10:16 PM
  • Hello Darren,

    It was fixed but it was broken again with a later update


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, May 29, 2019 10:18 PM
  • Hello,

    I use Windows 10 1903 Pro "Portugues Brasil" and I have the same problem.

    In the Enterprise Edition there the problem ?

    Wednesday, June 5, 2019 2:34 PM
  • Hello, 

    Does anyone have an update? I have the same problem. Tried build 1803, 1809 and 1903.. but it happens on all of them. 

    Regards, 

    Ramon

    Monday, June 17, 2019 10:45 AM
  • Hello,

    The fix for this has not been released yet,


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, June 18, 2019 10:34 PM
  • Do you know if Microsoft posted an official statement regarding this problem?

    Tried looking for it but haven't found anything about it.

    Friday, June 21, 2019 8:01 AM
  • Hi All,

    Good news.
    Today (07/01/2019), I installed "Windows 10 version 1903" from:
    https://www.microsoft.com/en-us/software-download/windows10
    Once I was on 1903, the bug has been fixed!
    The install of "Windows 10 version 1903" contains KB4501375: 
    https://support.microsoft.com/en-us/help/4501375/windows-10-update-kb4501375
    Notice on this page (i.e. the URL for KB4501375), it tells you about the bug fix:

    • Addresses an issue that prevents the Windows Event Log service from processing notifications that the log is full. This makes event log behaviors, such as archiving the log when it reaches a maximum file size, impossible. Additionally, the Local Security Authority (LSA) cannot handle CrashOnAuditFail scenarios when the Security log is full, and events cannot be written. 

    As a sanity check, once you have "Windows 10 version 1903" installed, you should go into powershell and type the command:
    get-hotfix -id KB4501375
    (see screenshot below)

    Hope this is helpful.


    Anthony LaMark

    Monday, July 1, 2019 4:55 PM
  • Confirmed, update fixed the problem. Log archiving is OK in version 1903.

    Thank you

    Thursday, July 11, 2019 9:00 PM
  • In Windows 10 1803 the last update didn't fix the problem.
    Friday, July 12, 2019 5:46 PM
  • Hi All,

    Microsoft just released the fix for W10 1803 on 07/16/2019:

    https://support.microsoft.com/en-us/help/4507466/windows-10-update-kb4507466

    It is listed as the 5th bullet item under “Improvements and fixes”:

    Addresses an issue that prevents the Windows Event Log service from processing notifications that the log is full. This causes issues with some Event Log behaviors such as archiving the log when it reaches a maximum file size and you’ve configured the "Archive the log when full, do not overwrite events" setting. Additionally, the Local Security Authority (LSA) cannot handle CrashOnAuditFail scenarios when the Security Log is full, and events cannot be written.

    Let's hope we never see this severe bug again! :-)


    Anthony LaMark


    • Edited by ALaMark Wednesday, July 17, 2019 4:30 PM typo
    Wednesday, July 17, 2019 4:29 PM