Server 2008 Security log file does not keep auditing group

April 9, 2013 at 08:30:46
Specs: Server 2008, 8

I have a Server 2008 R2 64 domain controller,

I am auditing c:\windows\system32\winevt\logs 'security' file for Everyone FAIL, and auditing in GPO

Clearing and saving the Event Log 'Security', removes the \windows\system32\winevt\logs group 'everyone' from auditing.

I can add the group 'everyone' back in and have FAIL all, but, when I clear and save the security log from event viewer again, the group 'everyone' gets removed from auditing again.

Any ideas?


ps the current rights to this folder are System, Administrators and Eventlog

See More: Server 2008 Security log file does not keep auditing group

Report •

April 12, 2013 at 19:17:35
I always added domain administrators as local administrators. It saved me a lot of problems.

How do you know when a politician is lying? His mouth is moving.

Report •

April 16, 2013 at 08:59:51
It took me a couple of reads to understand what you are doing.

Why would anyone audit the audit file? That is not how you do this. Everyone doesn't have rights to delete the file and in some configuration even view it.

What you are seeing is normal file/rights behavior if you are deleting the file and recreating it. All rights are removed when a file is deleted and recreated and its only inherited permissions that apply.

Proper procedure is no one is admin on the local pc. This way they can't delete the security log. Neither should you. You should be filtering the log on specific security events and just auditing those. There are scripts out there for doing this sort of thing. No having to save audit logs.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's

Report •
Related Solutions

Ask Question