LSA and EVENT ID: 1107
I tried the general forum and waited some time (and nearly 2,500 views) and received no real response. Perhaps I will have better luck on this board.

A Server 2008 (32-bit) Domain Controller will be running just fine, then the normal 4624, 4634, etc. events will cease and the following will appear:

The event logging service encountered an error while processing an incoming event from publisher Microsoft-Windows-Security-Auditing and trying to process the metadata for it. EVENT ID: 1107

I understand that LSA has a queue set in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. It is currently 0x00 30 00 00 00 20 00 00. I have also found the following data:

"Specifies thresholds for managing the length of the kernel-mode Local Security Authority (LSA) audit queue. The audit queue stores kernel-mode events destined for the Security Log in Event Viewer. The value of this entry is an 8-byte binary field. The value of the first four bytes specifies the maximum number of items that can be held in the audit queue (the upper bound). When the number of audits exceeds this value, LSA discards all new audits until the number of audits remaining in the queue reaches the lower bound, as specified by the value of the last four bytes. The system does not notify you when the queue is nearing, has reached, or has exceeded its upper bound. To prevent the system from running when it cannot report all security events, set the value of CrashOnAuditFail to 1."

Well.... I am getting mighty tired of rebooting a domain controller because it is not logging properly. Are there any settings, changes, mods, upgrades that will allow me to run the system without repeatedly resetting?

Note... In one case, clearing the security log twice allowed the queued events to be read and the event log to continue running. However, normally the event viewer crashes instead, requiring a full reboot.

Dell PowerEdge 750, Pentium 4 Dual Core 2.8 GHz, 2.5 GB RAM
July 26th, 2011 5:40pm
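
The audit-queue description quoted in the post above, worked through as an added example (not part of the original thread, and not Microsoft code): it decodes the posted 8-byte value and models the upper/lower-bound discard rule. Assumptions: each 4-byte half is a little-endian DWORD, the queue model is simplified, and the arrival and drain figures are constructed.

```python
import struct

# Value quoted in the post: 00 30 00 00 00 20 00 00
POSTED_VALUE = bytes.fromhex("0030000000200000")

# Constructed sample: audits arriving per tick, with one burst in tick 2.
SAMPLE_ARRIVALS = [5000, 9000, 2000, 2000, 2000, 2000, 2000, 500]


def parse_bounds(raw):
    """Split the 8-byte field into (upper, lower) queue bounds.

    Assumption: each 4-byte half is stored as a little-endian DWORD.
    """
    if len(raw) != 8:
        raise ValueError("expected an 8-byte binary value")
    upper, lower = struct.unpack("<II", raw)
    if lower >= upper:
        raise ValueError("lower bound must be below the upper bound")
    return upper, lower


def simulate(upper, lower, arrivals, drain_per_tick):
    """Count audits lost under the documented rule: once the queue would
    exceed `upper`, every new audit is discarded until the queue has
    drained back down to `lower`."""
    depth = 0
    discarding = False
    dropped = 0
    for incoming in arrivals:
        depth = max(0, depth - drain_per_tick)   # event log consumes audits
        if discarding and depth <= lower:
            discarding = False                   # lower bound reached: resume
        if discarding:
            dropped += incoming                  # whole tick is lost
            continue
        room = upper - depth
        if incoming > room:
            dropped += incoming - room           # overflow past the upper bound
            depth = upper
            discarding = True
        else:
            depth += incoming
    return dropped


if __name__ == "__main__":
    upper, lower = parse_bounds(POSTED_VALUE)
    lost = simulate(upper, lower, SAMPLE_ARRIVALS, drain_per_tick=1000)
    print(f"upper={upper} lower={lower} audits lost={lost}")
```

In this constructed run the burst overflows the queue by only 712 audits, but 8,712 are lost in total because discarding continues until the queue drains to the lower bound.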

I'd like to know why you are setting that "CrashOnAuditFail" value; what are you trying to achieve?

See, if the purpose is to ensure that security events won't be overwritten, then you'd better consider using a scheduled job to dump the eventlog at intervals (and optionally import the data onto a central storage) and then configuring the eventlog to automatically overwrite older events (after sizing the given logs as needed).
July 27th, 2011 8:41am

> I'd like to know why you are setting that "CrashOnAuditFail" value; what are you trying to achieve?

Security. If the machine keeps running while not being able to accurately log security events, one never knows when or how one may have been hacked. It is a required setting on pretty much any secured network. Refer to any given Server Security checklist.

> See, if the purpose is to ensure that security events won't be overwritten, then you'd better consider using a scheduled job to dump the eventlog at intervals (and optionally import the data onto a central storage) and then configuring the eventlog to automatically overwrite older events (after sizing the given logs as needed).

You miss the point. The log isn't full. The LSA queue is full. Once the LSA queue is full, the event you get is "The event logging service encountered an error while processing an incoming event from publisher Microsoft-Windows-Security-Auditing and trying to process....." over and over and over again instead of the true security events.... Using a SYSLOG server or archiving/dumping the events is pretty much useless once the events become 1107 gibberish.
July 28th, 2011 2:11pm

> something I have to take up with Microsoft support staff outside of the forum?

Yes, I'd suggest you contact Microsoft support, also given that, as reported here http://technet.microsoft.com/en-us/library/dd363738(WS.10).aspx you should try contacting the publisher vendor which, in your case, is Microsoft :)
September 20th, 2011 5:31am
