Server 2008 Security log empty and inaccessible
My security.evtx file is empty and when I try to access it I get an access is denied (5) error. Here are my settings:
Logged in as a domain admin.
System, Administrators, Event Log all have Full Control
Local Service was the Owner like the rest. I tried changing it to my account, but that did not fix anything.
Policy: Generate security audits has LOCAL SERVICE and NETWORK SERVICE having the rights
Audit policies:
Audit account logon events - Success, Failure
Audit account management - Success, Failure
Audit directory service access - Failure
Audit logon events - Success, Failure
Audit object access - Failure
Audit policy change - Success, Failure
Audit privilege use - Success, Failure
Audit process tracking - No auditing
Audit system events - Success, Failure
There is no CustomSD at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security, though there are many other keys.
However, there is a CustomSD key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server and also at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\File Replication Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
I have tried stopping the Event Log service, deleting the file, rebooting and restarting the service and it had no effect. File didn't appear until several hours later, but it still has 0 size.
This is a DC
August 18th, 2010 4:46pm
Hi,
Thanks for the post.
Please confirm that only the SYSTEM and Administrators accounts have Full Control permission, and the EventLog account has Read permission, to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
In this case, please also add the LOCAL SERVICE account with Read permission in the registry HKLM\System\CurrentControlSet\services\eventlog\Security
Hope this helps.
Miles
August 19th, 2010 6:16pm
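A read-only way to run the registry permission check the reply asks for, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later in an elevated session; the expected-rights table mirrors the reply (SYSTEM and Administrators Full Control, EventLog and LOCAL SERVICE Read), and the well-known SIDs are used because account names are localized.

```powershell
# Added example: audits the ACL on the Security event log registry key. Nothing is modified.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$rights  = [System.Security.AccessControl.RegistryRights]
$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [int]$rights::FullControl
$read    = [int]$rights::ReadKey

# Rights the reply asks for, keyed by SID.
$expected = @{
    'S-1-5-18'     = $full   # NT AUTHORITY\SYSTEM
    'S-1-5-32-544' = $full   # BUILTIN\Administrators
    'S-1-5-19'     = $read   # NT AUTHORITY\LOCAL SERVICE
}
# The Event Log service runs under a per-service SID; resolve it instead of hard-coding it.
$eventLogSid = (New-Object System.Security.Principal.NTAccount('NT SERVICE\EventLog')).Translate($sidType).Value
$expected[$eventLogSid] = $read

$acl     = Get-Acl -Path $keyPath
$granted = @{}
foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    # ACEs flagged InheritOnly apply to subkeys, not to this key.
    if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
    $sid = $rule.IdentityReference.Value
    if ($rule.AccessControlType -eq 'Deny') {
        Write-Warning "Deny ACE for $sid : $($rule.RegistryRights)"
        continue
    }
    $mask = [int]$rule.RegistryRights
    if ($mask -band 0x10000000) { $mask = $mask -bor $full }   # GENERIC_ALL
    if ($mask -band 0x80000000) { $mask = $mask -bor $read }   # GENERIC_READ
    $granted[$sid] = [int]$granted[$sid] -bor $mask
}

"Owner:    $($acl.Owner)"
$customSd = (Get-ItemProperty -Path $keyPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
"CustomSD: $(if ($customSd) { $customSd } else { '(not set)' })"

foreach ($sid in (@($expected.Keys) + @($granted.Keys) | Sort-Object -Unique)) {
    $have = [int]$granted[$sid]
    $want = [int]$expected[$sid]
    if ($want -and (($have -band $want) -ne $want))              { $status = 'MISSING expected rights' }
    elseif ((-not $want) -and (($have -band $full) -eq $full))   { $status = 'UNEXPECTED FullControl' }
    else                                                         { $status = 'ok' }
    New-Object PSObject -Property @{ Sid = $sid; Granted = [string]($rights.GetEnumValues() | Where-Object { $_ -ne 0 -and ($have -band [int]$_) -eq [int]$_ }); Status = $status }
}
```

A `MISSING expected rights` row for `S-1-5-19` corresponds to the LOCAL SERVICE read permission the reply says to add.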