Every day the Security log becomes full and users can't log on

Hi,

Sometimes on some of the computers in my domain, when I check their event log I see events about other users' logons in the security log, like below:

-------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 2006/09/27
Time: 10:09:32 ?.?
User: S-1-5-21-727744907-765012080-2873131892-1146
Computer: COMPUTER-25
Description: User Logoff:
User Name: bahra-f
Domain: itdomain
Logon ID: (0x0,0x1F256B)
Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------

Here Computer-25 is the name of the computer and bahra-f is the username of another user in the domain that can't log on to this computer. What is the meaning of this security log message? In my domain everybody can log on only to her or his own computer, and all of them are WinXP Pro SP2 and the domain OS is Win Server 2003 R2.

Now for some users the security log becomes full every day and they can't log on, and I have to clear their logs. Could you please help me!!!???

Thank you.
-----
Regards
Mahnaz

ASKED: October 9, 2006  5:28 AM
UPDATED: October 10, 2006  3:46 PM

Answer Wiki:
Hello, A Logon Type 3 event is generated most commonly when a user logs on to a remote computer on a network for such purposes as to access a shared file or folder which is available on that computer. It can also be triggered by IIS logons if IIS is running on this computer. Have you noted any event ID #528 (successful logon) with a logon type 2 in your security logs? Logon type 2 indicates an interactive logon which occurs when a user logs on to a computer from the console. Hope that helps! Good luck!
Last Wiki Answer Submitted:  October 9, 2006  8:44 am  by  Petroleumman   0 pts.
All Answer Wiki Contributors:  Petroleumman   0 pts.
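
The distinction the answer draws between Logon Type 3 (network) and Logon Type 2 (interactive), applied to a text export of the Security log to show which accounts only ever reached the machine over the network. This is an added example, not part of the original answer; the sample export, its account names and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Logon types named in the answer; any other value is reported by its number.
LOGON_TYPES = {2: "interactive", 3: "network"}
FIELD = re.compile(r"(Event ID|User Name|Logon Type):\s*(\S+)")

# Constructed sample export (made-up accounts), one record per blank-line block.
SAMPLE_EXPORT = """\
Event ID: 528 Computer: COMPUTER-25
Description: Successful Logon: User Name: user-a Domain: itdomain Logon Type: 2

Event ID: 538 Computer: COMPUTER-25
Description: User Logoff: User Name: user-b Domain: itdomain Logon ID: (0x0,0x1F256B) Logon Type: 3

Event ID: 538 Computer: COMPUTER-25
Description: User Logoff: User Name: user-b Domain: itdomain Logon ID: (0x0,0x1F2571) Logon Type: 3

Event ID: 538 Computer: COMPUTER-25
Description: User Logoff: User Name: user-c Domain: itdomain Logon ID: (0x0,0x1F2600) Logon Type: 3

Event ID: 517 Computer: COMPUTER-25
Description: The audit log was cleared
"""

def parse_events(text):
    """Return one dict per logon/logoff record; other records are skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD.findall(block))
        if "Event ID" not in fields or "Logon Type" not in fields:
            continue  # e.g. the 517 record carries no Logon Type field
        events.append({"event_id": int(fields["Event ID"]),
                       "user": fields.get("User Name", "?").lower(),
                       "logon_type": int(fields["Logon Type"])})
    return events

def volume_by_type(events):
    """Count records per logon type to see what is filling the log."""
    return Counter(LOGON_TYPES.get(e["logon_type"], f"type {e['logon_type']}")
                   for e in events)

def network_only_users(events):
    """Accounts seen with type 3 but never type 2: remote access, not console logon."""
    interactive = {e["user"] for e in events if e["logon_type"] == 2}
    network = {e["user"] for e in events if e["logon_type"] == 3}
    return sorted(network - interactive)

if __name__ == "__main__":
    evts = parse_events(SAMPLE_EXPORT)
    print(volume_by_type(evts), network_only_users(evts))
```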


Discuss This Question:
Why don’t you just set the logs to overwrite events as needed?
If you right click on the log and choose properties, you can set the maximum log size larger and tell it to “Overwrite events as needed”. If you do this, the logs won’t overflow.
rt

 0 pts.

 

As was already stated, you should just set a group policy to set the security event logs on all these PCs to “overwrite events as needed”. Another option worth considering is the “prohibit logon if security log full” option- turn it off.

There’s no need to kill yourself with trying to catch people logging on and off the local PC when the domain controllers will log any logon/logoff to the domain anyways.

I would set the event log size and remove the restriction to prohibit logon if sec log is full with group policy as stated above.

You might consider getting security event log management software like ManageEngine’s EventLog Analyzer http://manageengine.adventnet.com/products/eventlog/index.html
(free for up to 5 hosts) to record all of the domain controller security logs to catch who is doing what.

 0 pts.