Error: "Security log overwrites occurred on this DC since the last data collection. Please increase the maximum size of the Security event log"

Symptoms
Daily Activity Summary email (Change Summary in Netwrix Auditor 8.5 and below) and the Netwrix Auditor System Health log contain the following warning message: "Security log overwrites occurred on this DC since the last data collection. Please increase the maximum size of the Security event log".
Cause
The problem occurs if the maximum size of the Security log is not large enough to hold all events that occurred between two data collections, so some of the events have already been overwritten by the time the next collection runs.
 
Resolution
  • To prevent overwriting of the Security log, you must increase the maximum size of this log on the problem domain controller(s):
    1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start -> Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) -> Group Policy Management.
    2. In the left pane, navigate to Forest: <domain_name> --> Domains --> <domain_name> --> Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.
    3. Navigate to Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Event Log.
    4. Ensure that Retention method for security log is set to "Not Defined or As Needed". 
    5. Double-click the Maximum security log size policy.
    6.  In the Maximum security log size Properties dialog, select Define this policy setting and set maximum security log size to "299968" kilobytes (300MB) on pre-Windows Vista versions, or to "4194304" kilobytes (4GB) on Windows Vista and above.

      NOTE: Refer to the following Microsoft article for information on recommended settings for event log sizes.

    7. Navigate to Start --> Run and type "cmd". Input the "gpupdate /force" command and press Enter. The group policy will be updated.
  • If increasing the maximum security log size does not resolve the problem, it may be necessary to enable auto archiving on the domain controllers. With this option, the Event Log will be archived and log overwrites will not occur.
    1. Verify the Event Log settings of effective policy applied to the domain controllers in the managed domain (Default Domain Controllers Policy by default):
      1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start -> Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) -> Group Policy Management.
      2. In the left pane, navigate to Forest: <domain_name> --> Domains --> <domain_name> --> Domain Controllers.  Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.
      3. Navigate to Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Event Log.
      4. Make sure that the Retention Method for Security Log parameter is set to "Manually".
    2. Enable auto archiving centrally for all domain controllers (this can be done from any domain controller in the domain):
      1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start -> Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) -> Group Policy Management.
      2. In the left pane, navigate to Forest: <domain_name> --> Domains --> <domain_name> --> Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.
      3. Navigate to Computer Configuration -> Policies. Right-click Administrative Templates: Policy definitions and select Add / Remove templates. Click Add in the dialog that opens.
      4. In the Policy Templates dialog, navigate to %Netwrix Auditor installation folder%/Active Directory Auditing, select the Log Autobackup.adm file (if the product is installed on a different computer, copy this file to the domain controller first), and click Open.

      5. Navigate to Computer Configuration -> Policies -> Administrative Templates: Policy Definitions -> Windows Components -> Event Log Service -> Security. Depending on the operating system, select the following policies and set each of them to "Enabled":
         On Windows Server 2008 R2:
           • Back up log automatically when full
           • Retain old events
         On Windows Server 2012 R2:
           • Back up log automatically when full
           • Control Event Log behavior when the log file reaches its maximum size
      6. Navigate to Start --> Run and type "cmd". Input the "gpupdate /force" command and press Enter. The group policy will be updated.
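The following PowerShell script is an added example, not Netwrix code: it checks every domain controller for the condition behind this warning (the oldest surviving Security event is newer than the last data collection, so events in between were overwritten) and reports the effective maximum size and retention mode so you can confirm the policy above was applied. It assumes the ActiveDirectory module, PowerShell remoting to the DCs, and that $LastCollection approximates the time of the last Netwrix Auditor data collection.

```powershell
# Added example (not part of the Netwrix article). Audits the Security event log
# on each domain controller and flags the overwrite condition described above.
param(
    # Assumed: data collection runs once a day; adjust to your schedule.
    [datetime]$LastCollection = (Get-Date).AddHours(-24),
    # 4 GB (4194304 KB), the value recommended above for Windows Vista and later.
    [int]$RecommendedMaxKB = 4194304
)

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $LastCollection, $RecommendedMaxKB -ScriptBlock {
    param([datetime]$Since, [int]$MaxKB)

    # Effective configuration of the Security log on this DC.
    $log = Get-WinEvent -ListLog Security

    # Oldest record still in the log. If it is newer than the last collection,
    # everything that happened between the collection and this record is gone.
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue

    $sizeKB = [int]($log.MaximumSizeInBytes / 1KB)

    [pscustomobject]@{
        DC               = $env:COMPUTERNAME
        MaxSizeKB        = $sizeKB
        # Circular = overwrite oldest events (the risky default),
        # AutoBackup = archive when full (the "auto archiving" fix above),
        # Retain = do not overwrite, clear manually.
        LogMode          = $log.LogMode
        OldestEvent      = if ($oldest) { $oldest.TimeCreated } else { $null }
        OverwroteSince   = ($null -ne $oldest -and $oldest.TimeCreated -gt $Since)
        BelowRecommended = ($sizeKB -lt $MaxKB)
    }
}

$results |
    Sort-Object DC |
    Format-Table DC, MaxSizeKB, LogMode, OldestEvent, OverwroteSince, BelowRecommended -AutoSize
```

Any DC showing OverwroteSince = True with LogMode = Circular is losing audit events between collections and needs the size increase or the auto-archiving policy from the steps above.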
 