I agree with Woods. If you don’t want to see the message that the security log reached its maximum limit then in the event viewer, choose the “over-write as needed” option.
But if you don’t want these logs at all then you need to do disable the security auditing in Local security policy.

1. Control Panel->Adiministrative Tools-> Local Security policy
2. Expand Local Policies and double-click Audit policy.
3. Double-click the “Audit account logon events” in the right pane and a dialog box appears.
4. Uncheck the “success” option. (If you want you can also uncheck the “failure” option too, incase if you don’t want it.) and save the settings.

If the security auditing is enable at the domain level. Then you need to edit the Domain security policiy instead of Local Security policy in each client.

Hope it may help you

Regards,

Shafi.

Are your computers in a Domain, Windows Server 2000 or Server 2003? Is auditing turned on? If so you can set your security policies through Group Policy. Auditing can be turned on through:

This will turn on auditing for all the pc’s at the domain level:
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy: Set to Success/Failure.

To manage Security Settings on the Security Log:
Computer Configuration/Windows Settings/Security Settings/Event Log:
Settings for Event Logs:
Maximum Security log size: set this is KB
Retain Security Log: # of days
Retention Method for Security Log: Select an overwrite option: by days, as needed or clear manually.

Note: If you select to clear manually then you have to remember to clear the logs manually when they fill up. This can be rather tediuous on a large network.

If you’re not on a domain you can set through Windows XP through the Local Security Policies which are found in
Control Panel/Administrative Tools/Local Security Policies.
I believe you would have to do this on each individual pc.

Under Security Settings: select Local Policies, Audit Policies. This is where Auditing is set for success/failure. You set the security options
You can manage the logs through Computer Management/System Tools/Event Viewer/Right Click Security/Go to Properties and select the log options you need.

I use Group Policies to maintain this instead of each individual pc as this is an easier process.

If you need to clear the security logs immediately because they are full, then go to the pc where the log is full and go to Computer Management/System Tools/Event Viewer/Right Click Security/Clear all events.
You will be asked if you want to save the log file or just clear it. If you feel the need to save it for later viewing then save it and the log will be cleared.

I hope this is what you are looking for and good luck!
ls

9949748886 is correct. I have that enabled on my server. I also set the event viewer to over write.

Good luck
Ed

The previous posters gave you a lot of excellent advice. There are two points that they probably took for granted, so they didn’t mention them, but that may not be obvious to someone new to administering systems.

The first point is that these are not really errors; they’re just information. Some application, and it looks like it may be Kerberos in this case, is set up to log this information. It’s not saying anything is broken; it’s just letting you know what’s happening because someone told it to do that.

The other thing is that you say it started two days ago. That should tell you what to look at when you’re trying to change this behavior. Something was added/changed on the system two days ago, and it’s causing these log messages.

Hi,
Thanks of all your help,they were so usefull for me but it is so important for me to know why there are these events in security log as DaveInaZ said!!!???
All of clients are on domain win 2003 server and are winxp pro sp2.
It’s interresting that the user that makes logon/logoff on these client is same is user1 in all clients that has this problem!!!!From two days ago they didn’t have any changes and the user1 is a simple and restricted user and it is belong to a typist!!!!
Now just two client has this problem and I don’t think it’s about domain group policy!!?
Am I right?
So much thanks if you have any other advise.
Thank you.
—-
Regards
Mahnaz

Hi Mahnaz,

I’m sure the clients SAY nothing on their systems has changed, but that’s clearly not true. They just aren’t aware of what changed or don’t remember or don’t want to tell you. But something changed or you wouldn’t be seeing a change in behavior. Q.E.D.

Since the events being logged all involve logging on or off the network, or assigning privileges, and one event specifically mentions Kerberos, which is a network authentication protocol and is available as freeware, that’s the place to look. Either they just installed it or they changed one or more settings that cause those signon/signoff events to be logged. The changed setting is most likely to be a Kerberos setting, but it could be something related to OS/network security.

Do a quick Google on Kerberos and you’ll find a ton of information on it. Microsoft even has an article on enabling exactly the kind of logging you’re seeing; http://support.microsoft.com/?id=262177. You could probably reverse their advice to disable it, if they’re running Windows, but make sure you know what you’re doing before taking this step. Kerberos is normally only used in high security situations, so turning it off may be a bad idea.

Good luck!

If the issue is continuing, perhaps you need to educate the specific user that they are to protect their sign-on information. Maybe it has leaked out ? At the very least, changing the password on the account will tell you a couple of things. Does the info entry go away? if so, they had let their user info out accidentally. Does the info show that the user is actually present at their station when the info is being logged? If not, they might have a trojan on their machine that is logging in for some reason.