Server 2008 Security log empty and inaccessible
My security.evtx file is empty and when I try to access it I get an access is denied (5) error.

Here are my settings:

Logged in as a domain admin.
System, Administrators, Event Log all have Full Control.
Local Service was the Owner like the rest. I tried changing to my account but it did not fix anything.

Policy: Generate security audits has LOCAL SERVICE and NETWORK SERVICE having the rights.

Audit policies:
Audit account logon events - Success, Failure
Audit account management - Success, Failure
Audit directory service access - Failure
Audit logon events - Success, Failure
Audit object access - Failure
Audit policy change - Success, Failure
Audit privilege use - Success, Failure
Audit process tracking - No auditing
Audit system events - Success, Failure

There is no CustomSD at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security though there are many other keys.

However, there is a CustomSD key at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server
and also at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\File Replication Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer

I have tried stopping the Event Log service, deleting the file, rebooting and restarting the service, and it had no effect. The file didn't appear until several hours later, but it still has 0 size.

This is a DC.
August 18th, 2010 4:46pm

Anyone?
August 19th, 2010 4:47pm

Hi,

Thanks for the post.

Please confirm that only the System and Administrators accounts have Full Control permission, and that the EventLog account has Read permission, to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

In this case, please also add the LOCAL SERVICE account with Read permission in the registry at HKLM\System\CurrentControlSet\services\eventlog\Security

Hope this helps.

Miles
August 19th, 2010 6:16pm
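
The permission check suggested in the reply above can be scripted. This is an added example, not part of the original thread: it reads the ACL on the Security log registry key and compares it with the rights the reply lists. The account name strings and the mapping of "Read" to the ReadKey right are assumptions; run it from an elevated PowerShell prompt on the affected server.

```powershell
# Added example: audit the ACL on the Security event log registry key.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

# Rights named in the reply. Account strings are assumed to match how
# Get-Acl renders them on an English-language system.
$expected = @{
    'NT AUTHORITY\SYSTEM'        = 'FullControl'
    'BUILTIN\Administrators'     = 'FullControl'
    'NT SERVICE\EventLog'        = 'ReadKey'
    'NT AUTHORITY\LOCAL SERVICE' = 'ReadKey'
}

$acl = Get-Acl -Path $keyPath
Write-Output ("Owner: {0}" -f $acl.Owner)

foreach ($account in $expected.Keys) {
    $need = [int][System.Security.AccessControl.RegistryRights]$expected[$account]

    # Allow ACEs for this account that apply to the key itself.
    # PropagationFlags bit 2 is InheritOnly: such ACEs affect subkeys only.
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.PropagationFlags -band 2) -eq 0)
    }

    # Combine the rights from every matching ACE.
    $granted = 0
    foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.RegistryRights }

    $ok = ($granted -band $need) -eq $need
    Write-Output ("{0,-28} expected={1,-12} granted={2,-12} ok={3}" -f `
        $account, $expected[$account],
        [System.Security.AccessControl.RegistryRights]$granted, $ok)
}

# Deny ACEs override Allow ACEs, so list any that are present.
$acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
    Write-Output ("DENY: {0} {1}" -f $_.IdentityReference.Value, $_.RegistryRights)
}

# Principals outside the expected list that hold FullControl on the key.
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.RegistryRights -eq 'FullControl' -and
    -not $expected.ContainsKey($_.IdentityReference.Value)
} | ForEach-Object { Write-Output ("EXTRA FullControl: {0}" -f $_.IdentityReference.Value) }
```

The script matches ACEs by account name only and does not resolve group membership, so rights an account holds through a group are not counted.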
