Security log hangs sometimes
Hi,
I log to the security log through the dumpevt software (which is used to download the events from the log). Most of the time it works fine, but sometimes it hangs the security log and it doesn't work again until I reboot the server (2008).
Can anybody tell me how I can solve this problem? I need to get the events to treat them later.
Thanks in advance.
Regards.
March 16th, 2011 10:34am
dumpevt is a SomarSoft software.
Please contact SomarSoft Technical Support to solve your issue.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
March 16th, 2011 10:44am
Same thing happens with other log reader software.
So far, no one has found a way to stop it, nor are there any settings to fix the hang.
Last time I checked it had to do with the LSA queue. Messages are queued until some "quiet time" to actually place them into the event logs. The problem is that once the train leaves the tracks, there is no (known) way to get things going again until a reboot.
LSA has a queue set in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. It is currently 0x00 30 00 00 00 20 00 00.
"Specifies thresholds for managing the length of the kernel-mode Local Security Authority ( LSA ) audit queue. The audit queue stores kernel-mode events destined for the Security Log in Event Viewer.
The value of this entry is an 8-byte binary field. The value of the first four bytes specifies the maximum number of items that can be held in the audit queue (the upper bound). When the number of audits exceeds this value, LSA discards all new audits until the number of audits remaining in the queue reaches the lower bound, as specified by the value of the last four bytes.
The system does not notify you when the queue is nearing, has reached, or has exceeded its upper bound.
To prevent the system from running when it cannot report all security events, set the value of CrashOnAuditFail to 1."
I have asked about this as have others.
March 16th, 2011 4:40pm
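The post above quotes the documentation for the 8-byte LSA audit-queue value but does not show how to read it. The following PowerShell is an added example, not code from the thread or from any of the tools it mentions. It assumes the binary value is named Bounds under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the thread never names it) and that the two 4-byte fields are little-endian unsigned integers, which is how a native ULONG is stored; both are assumptions. It decodes the bounds, reads CrashOnAuditFail, reports the Security log's size and fill state, and pulls new Security events with the built-in Get-WinEvent cmdlet instead of a third-party reader. Run it from an elevated prompt; it is written against PowerShell 2.0 so it works on Server 2008.

```powershell
# Added example (not from the thread): inspect the LSA audit-queue settings and
# pull Security events with built-in cmdlets. Requires an elevated prompt.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Decode-AuditQueueBounds {
    # Assumption: 8-byte REG_BINARY, first 4 bytes = upper bound, last 4 = lower
    # bound, each a little-endian UInt32 (the thread does not state byte order).
    param([byte[]]$Bytes)
    if ($Bytes -eq $null -or $Bytes.Length -ne 8) {
        throw "Expected an 8-byte REG_BINARY value, got $(if ($Bytes) { $Bytes.Length } else { 0 }) bytes"
    }
    New-Object PSObject -Property @{
        RawHex     = ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
        UpperBound = [BitConverter]::ToUInt32($Bytes, 0)  # LSA discards new audits above this
        LowerBound = [BitConverter]::ToUInt32($Bytes, 4)  # ...until the queue drains to this
    }
}

# Constructed sample: the exact bytes quoted in the thread, so the decoder can be
# checked without touching the registry. Decodes to 12288 / 8192 under the
# little-endian assumption.
$sample = [byte[]](0x00,0x30,0x00,0x00,0x00,0x20,0x00,0x00)
Decode-AuditQueueBounds -Bytes $sample | Format-List RawHex, UpperBound, LowerBound

# Live values from this host. 'Bounds' is assumed to be the value name.
$lsa = Get-ItemProperty -Path $lsaPath
if ($lsa.PSObject.Properties['Bounds']) {
    "Live LSA audit-queue bounds:"
    Decode-AuditQueueBounds -Bytes $lsa.Bounds | Format-List RawHex, UpperBound, LowerBound
} else {
    "No Bounds value present under $lsaPath (defaults apply)."
}

# CrashOnAuditFail = 1 halts the system when audits cannot be written; 0/absent
# means audits are silently dropped when the queue is over its upper bound.
$crash = if ($lsa.PSObject.Properties['CrashOnAuditFail']) { $lsa.CrashOnAuditFail } else { 0 }
"CrashOnAuditFail = $crash"

# Security log configuration and fill state. A log that is full with a
# 'do not overwrite' retention mode is a common reason events stop arriving,
# and is distinct from the LSA queue stalling.
$log = Get-WinEvent -ListLog Security
$log | Format-List LogName, LogMode, MaximumSizeInBytes, FileSize, RecordCount, IsLogFull, LastWriteTime

# Incremental pull of Security events since a stored checkpoint, as a
# replacement for a third-party dumper. The checkpoint file is an assumption
# of this example; adjust the path for your environment.
$checkpoint = 'C:\ProgramData\SecurityLogPull\last.txt'
$since = if (Test-Path $checkpoint) { [datetime](Get-Content $checkpoint) } else { (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, ProviderName, Message |
        Export-Csv -NoTypeInformation -Path ("C:\ProgramData\SecurityLogPull\sec_{0:yyyyMMdd_HHmmss}.csv" -f (Get-Date))
    New-Item -ItemType Directory -Force (Split-Path $checkpoint) | Out-Null
    ($events | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated.ToString('o') | Set-Content $checkpoint
    "Exported $($events.Count) events since $since"
} else {
    "No new Security events since $since"
}
```

Note that Get-WinEvent filters server-side by time, so a short pull every few minutes reads far less of the log than a full dump, which is the pattern the thread associates with the queue stalling. Keep the Security log sized so it is never IsLogFull with LogMode set to Retain; that condition looks like the same symptom (no new events) but is fixed by clearing or enlarging the log rather than by a reboot.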
Thank you.
I've asked about it in the Somarsoft Software forum.
Thank you D Negidius. If you find out any solution, please tell me.
Does anyone know an easy way to audit a server?
March 17th, 2011 4:05am
Hi,
You can refer to:
Security Audit Policy Reference
http://technet.microsoft.com/en-us/library/dd772623(v=ws.10).aspx
How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain.
http://support.microsoft.com/kb/921469
Brent
March 18th, 2011 3:33am
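The two links above describe per-subcategory auditing on Server 2008 and the KB 921469 approach of applying it with auditpol.exe. The following PowerShell is an added example, not code from the thread or from Microsoft's articles. It reads the effective policy, enables a small set of subcategories, and sets SCENoApplyLegacyAuditPolicy so the legacy nine-category policy does not overwrite the subcategory settings; the chosen subcategories and the backup path are assumptions for illustration. Run from an elevated prompt on the server being audited (or in a startup script, as KB 921469 describes).

```powershell
# Added example (not from the thread): configure and verify per-subcategory
# security auditing on Windows Server 2008 with auditpol.exe. Elevated prompt.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Stop the legacy (Windows 2000-style) category policy from clobbering the
#    subcategory settings. This is the "Audit: Force audit policy subcategory
#    settings ... to override audit policy category settings" option.
Set-ItemProperty -Path $lsaPath -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# 2. Snapshot the current policy before changing anything (path is an assumption).
$backup = "C:\ProgramData\AuditPolicy\auditpol_{0:yyyyMMdd_HHmmss}.csv" -f (Get-Date)
New-Item -ItemType Directory -Force (Split-Path $backup) | Out-Null
& auditpol.exe /backup /file:$backup | Out-Null

# 3. Enable the subcategories a typical server baseline needs. These names are
#    illustrative choices, not a recommendation from the thread.
$subcategories = @(
    'Logon',                      # 4624/4625: interactive and network logons
    'Logoff',
    'Account Lockout',
    'Special Logon',              # 4672: admin-equivalent privileges assigned
    'User Account Management',    # 4720/4726: account created/deleted
    'Security Group Management',  # 4728/4732: group membership changes
    'Audit Policy Change',        # 4719: someone changed the audit policy itself
    'Process Creation'            # 4688: new process (high volume; size the log accordingly)
)
foreach ($sub in $subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 4. Verify: parse 'auditpol /get /category:*' into objects and flag any of the
#    requested subcategories that did not end up as "Success and Failure".
function Get-EffectiveAuditPolicy {
    $rows = & auditpol.exe /get /category:* /r | ConvertFrom-Csv
    # The /r output has columns like 'Subcategory' and 'Inclusion Setting'.
    $rows | Where-Object { $_.Subcategory } |
        Select-Object @{n='Subcategory';e={$_.Subcategory.Trim()}},
                      @{n='Setting';    e={$_.'Inclusion Setting'.Trim()}}
}

$effective = Get-EffectiveAuditPolicy
$missing = $subcategories | Where-Object {
    $name = $_
    -not ($effective | Where-Object { $_.Subcategory -eq $name -and $_.Setting -eq 'Success and Failure' })
}
if ($missing) {
    Write-Warning ("Not set as expected: " + ($missing -join ', '))
} else {
    "All $($subcategories.Count) requested subcategories audit success and failure."
}
$effective | Format-Table -AutoSize
```

The backup from step 2 can be restored with `auditpol /restore /file:<path>` if the new settings produce more volume than the Security log is sized for. Process Creation in particular generates an event per process start; raise the log's maximum size at the same time, since a full Security log with overwrite disabled looks exactly like the "log hangs" symptom the thread is about.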
"If you find out any solution, please tell me."
I would if I could.
I asked pretty much the same question some time ago. The text I copied was from my original plea for help.
800+ views and not one response (other than my own).
I cannot tell if there is simply a lack of info concerning how the Local Security Authority (LSA) audit queue actually functions, or whether releasing info pertaining to the Security Audits is considered too dangerous to discuss in open forums.
It seems that third-party event readers can cause a delay in writing the events to the event log itself; the queue fills and the event system grinds to a stop. I have had success in the past by deleting the events two or three times until the LSA queue catches up.
But more often than not it is a reboot, since the event log service seems to be "protected" from restarting even when accessing services.msc with full admin privileges.
March 18th, 2011 5:39pm
Thank you Brent.
I've configured the security auditing settings and it works fine.
Regards.
March 24th, 2011 7:50am
Thank you. I see this is a general and unsolved problem. If I find any solution, I will tell you.
Regards.
March 24th, 2011 8:00am