Remote machine security log filling up

Status
Not open for further replies.

slbobo

MIS
Oct 14, 2004
17
US
I've run into a strange occurrence where a Dell XP laptop out in the field keeps getting a security log full and the user doesn't have admin rights to log back on to clear it out. I tried changing audit group policies and setting his local security event log to "Overwrite events as needed" and raised his log size to 1024 (doubled the size) but nothing seems to work. Ideas??
 
Is there one particular event that is repeating itself in the log?

You could set the size of the log even greater, 16MB is not unusual.

I assume you have tried clearing the log manually?

What about the possibility of a corrupt log file itself? Maybe deleting (after copying and backup) C:\WINDOWS\System32\config\SecEvent.Evt, is worth a try to see if Windows recreates a new log file?

A User Logon Request Is Rejected Without Any Messages

227896 - Error Message: The System Log Is Full

How To Determine Audit Policies from the Registry


Some general things to try.

Try running ChkDsk to check your drive for errors. Right click your Drive icon/ Properties/ Tools/ Error Checking.

Run the System File Checker program from the Run box by typing Sfc /Scannow in it, and have your XP CD handy.


These are the Events Microsoft recommend for Audit.

Audit account logon events (Success, Failure)

Audit account management (Success, Failure)

Audit directory service access (Failure)

Audit logon events (Success, Failure)

Audit object access (Failure)

Audit policy change (Success, Failure)

Audit system events (Success, Failure)
 
Hey there, I've just recently encountered the exact same problem... pretty much verbatim... but in addition, I have extra errors like "cannot logon interactively"... and my favorite: "This computer has been locked. Only ____ or an administrator can unlock this computer." I was wondering how you get past the logon screen to carry out the steps to fix the problem.
I have a Sony Vaio RA820G which uses the feature of a password reset disc... again... I can get to the point where I can set a new pw, but at the last minute an error msg pops up and says that the new pw could not be set. I'm not very computer literate but can follow instructions well.

HELP!!!!
 
Vaiohazard, you need to log on with the administrator account. Then, to clear the audit logs, hit start>run and type in "eventvwr". You can then right click on the entry on the left called "security" and choose "Clear all events". Is that a work laptop? I'm wondering how the login audits were enabled, they're off by default.
I just had the same thing happen to a computer of my own. I stuck it out in my DMZ overnight (1 night mind you) and the audit logs were full by morning. I'm sure it's these stupid worms. Some of them try brute force password attacks and hit your computer a few hundred times trying to log on as guest or administrator with various passwords. That, or script kiddies.
If your computer is not behind a firewall or router with NAT, I suggest installing a software firewall. It'll at least stop the logon attempts from even hitting your computer to be logged.
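
The following is an added example, not part of the original thread or any poster's code. It checks the two things raised above, whether one event ID dominates the log and whether failed logons (event ID 529 on Windows XP) come in bursts from a single source, over constructed records; the CSV column layout, the sample data and the function names are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 529  # Windows XP: logon failure, unknown user name or bad password

# Constructed sample (not from the thread); assumed columns: timestamp,event_id,account,source
SAMPLE = """\
2004-10-14 01:00:01,529,administrator,203.0.113.7
2004-10-14 01:00:03,529,guest,203.0.113.7
2004-10-14 01:00:05,529,administrator,203.0.113.7
2004-10-14 01:00:07,529,guest,203.0.113.7
2004-10-14 01:00:09,529,Administrator,203.0.113.7
2004-10-14 08:15:00,529,jsmith,192.168.1.20
2004-10-14 08:15:40,528,jsmith,192.168.1.20
"""

def parse(text):
    """Return (timestamp, event_id, account, source) tuples, skipping blank rows."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if row:
            ts, event_id, account, source = row
            rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                         int(event_id), account.lower(), source))
    return rows

def event_counts(rows):
    """Event IDs ordered by frequency: shows whether one event dominates the log."""
    return Counter(event_id for _, event_id, _, _ in rows).most_common()

def noisy_sources(rows, threshold=5, window=timedelta(minutes=1)):
    """Map each source with >= threshold failed logons inside `window` to the accounts tried."""
    by_source = defaultdict(list)
    for ts, event_id, account, source in rows:
        if event_id == FAILED_LOGON:
            by_source[source].append((ts, account))
    flagged = {}
    for source, hits in by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[source] = sorted({account for _, account in hits})
                break
    return flagged
```

A single mistyped password, like the constructed 192.168.1.20 record, stays below the threshold, so only the burst against administrator and guest is reported.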
 
Vaiohazard,

Is there anything here that might apply to what you are seeing?


812530 - "You Do Not Have Permission to Change Your Password" Error Message When You Change Your Password At Logon

How to Log On to Windows XP If You Forget Your Password or Your Password Expires

306541 - HOW TO: Manage Stored User Names and Passwords on a Computer That Is Not in a Domain in Windows XP

Password Expiration Warning Notification
thread779-873302

local security policies...
thread779-916030
 