Security log empty


Guest

I'm not getting any security events logged. All settings are default, running
under administrator privileges. I know security events occur, but since last
reimage, they are not getting logged. Any obvious reason?
 
Event Viewer Logs Empty

Open Event Viewer...
Start | Run | Type: eventvwr | Click OK |
Right click Security | Properties | Filter tab |
Click the Restore Defaults button

Make sure the Event Log service is set to Automatic and running.

Clear *all* Events. There may still be some data and it may be corrupted.

In Event Viewer, right click Application, Security and System one at a time
| Clear All Events | Click No to... [[Do you want to save "Application"
before clearing it?]]

How to Delete Corrupt Event Viewer Log Files
http://support.microsoft.com/kb/172156

The event log stops logging events before reaching the maximum log size
http://support.microsoft.com/?kbid=312571

Make sure that the Overwrite Option is set...

How to Set Log Size and Overwrite Options
To specify log size and overwrite options, follow these steps:
1. Click Start, and then click Control Panel. Click Performance and
Maintenance, then click Administrative Tools, and then double-click Computer
Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then right-click the log in
which you want to set size and overwrite options.
3. Under Log size, type the size that you want in the Maximum log size box.
4. Under When maximum log size is reached, click the overwrite option that
you want.
5. If you want to clear the log contents, click Clear Log.
6. Click OK.

Are the log files in the correct location?

Event Viewer log locations

AppEvent.Evt = Application
SecEvent.Evt = Security
SysEvent.Evt = System

C:\WINDOWS\system32\config\AppEvent.Evt
or
%windir%\system32\config\AppEvent.Evt

C:\WINDOWS\System32\config\SecEvent.Evt
or
%windir%\System32\config\SecEvent.Evt

C:\WINDOWS\system32\config\SysEvent.Evt
or
%windir%\system32\config\SysEvent.Evt

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308427

Event Viewer overview
http://www.microsoft.com/resources/.../xp/all/proddocs/en-us/event_overview_01.mspx

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In (e-mail address removed), naybeb said:
I'm not getting any security events logged. All settings are
default, running under administrator privileges. I know
security events occur, but since last reimage, they are not
getting logged. Any obvious reason?
--
naybeb

Have you enabled auditing of account logon events in your Local
Security Policy?

Start -> Run -> secpol.msc or Start -> Control Panel ->
Administrative Tools -> Local Security Policy

Navigate to Security Settings\Local Policies\Audit Policy

Right click Account Logon Events in the right hand pane and
enable Success and Failure. That will cover the majority of
events. If you want you can also enable logging of additional
events. Take a look at this article for more information:

Enabling Auditing Policies
http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prdd_sec_xutj.asp

Good luck

Nepatsfan
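
The checks suggested in the two replies above (Event Log service state, Security log size and overwrite option, and audit policy) can also be run from a prompt. This is an added PowerShell example, not part of the original thread; it assumes an elevated Windows PowerShell 2.0 or later session, and the temporary file name is an arbitrary choice.

```powershell
# Added example: read-only checks for an empty Security log.
# Run from an elevated Windows PowerShell prompt.

# 1. Event Log service: expected StartMode=Auto, State=Running.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='EventLog'"
"Service   StartMode={0}  State={1}" -f $svc.StartMode, $svc.State

# 2. Security log size and overwrite option.
#    OverflowAction 'DoNotOverwrite' on a full log stops new events.
$log = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
"Log       MaxKB={0}  Overflow={1}  Entries={2}" -f `
    $log.MaximumKilobytes, $log.OverflowAction, $log.Entries.Count

# 3. Audit policy: export the local security policy and read [Event Audit].
#    Values in the export: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
$cfg = Join-Path $env:TEMP 'audit-export.inf'   # arbitrary temporary file name
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

$meaning = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }
$inAudit = $false
$disabled = 0
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]\s*$') {
        # Track which section of the exported template we are in.
        $inAudit = ($Matches[1] -eq 'Event Audit')
        continue
    }
    if ($inAudit -and $line -match '^\s*(Audit\w+)\s*=\s*(\d)') {
        $value = [int]$Matches[2]
        if ($value -eq 0) { $disabled++ }
        "Audit     {0,-22} {1}" -f $Matches[1], $meaning[$value]
    }
}
Remove-Item $cfg

# If every category reads 'No auditing', nothing is written to the
# Security log even when the service and log settings are healthy.
"Categories with no auditing: $disabled"
```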
 