Warning: "Security log overwrites occurred on this DC since the last collection"

WARNING Security log overwrites
KB1498 | Last review: Feb 01, 2018 | Netwrix Auditor for Active Directory | All versions
Email It to Me Print this Page
Symptoms DC collection warnings:  The message is: [WARNING] Security log overwrites occurred on this DC since the last collection. Increase the maximum size of the Security event log.
Cause The event flow on a particular domain controller exceeds the predefined Security event log size.
Resolution Enable the Auto Archiving Event Log option. With this option, the Event Log will be archived and log overwrites will not occur. To enable Auto Archiving on the problematic DC, perform the following steps: 
  1. On the problematic DC, click Start -> Run and  type rsop.msc
  2. In the Resultant Set of Policy window, expand Computer Configuration -> Windows Setting -> Security Settings -> Event Log 
  3. Make sure that the policy setting Retention method for security log value is set to “Not Defined” or “Manually”. If not, change the Source GPO accordingly.
  4. Depending on OS:
    • Windows Server 2003
      1. Click Start ->  Run and type regedit
      2. Navigate to HKEY_LOCAL_MACHINE -> SYSTEM ->CurrentControlSet -> Services ->Eventlog -> Security.
      3. Change the values of the following keys:
        • Set AutoBackupLogFiles to
        • Set MaxSize to 307167232 in Decimal 
        • Set Retention to ffffffff in Hexamical
      4. Click Start -> Run and type eventvwr.
      5. Right-click on Security and select Properties.
      6. Click the Clear Log button. 
    • Windows Server 2008 and above, configure Security Event Log size and retention according to Netwrix Auditor Online Help Center: https://helpcenter.netwrix.com/Configure_IT_Infrastructure/AD/AD_Security_Log_Size.html?Highlight=configure%20event%20log%20size
On the computer where Netwrix Auditor resides, perform the following steps: 
  1. Click Start -> Run and type regedit 
  2. Depending on the OS navigate to:
    • 32-bit OS: HKEY_LOCAL_MACHINE -> SOFTWARE -> NetWrix -> AD Change Reporter
    • 64-bit OS: HKEY_LOCAL_MACHINE -> SOFTWARE -> Wow6432Node -> NetWrix -> AD Change Reporter
  3. Change the values of the following keys:
    • Set ProcessBackupLogs to 1
    • Set CleanAutoBackupLogs to X (if you want the archives to be removed when all events in the log are older than X hours)
Was this information helpful?