Security log hangs sometimes
Hi, I log to the security log through dumpevt software (which is used to download the events from the log). Most of the time it works fine, but sometimes it hangs the security log and it doesn't work again until I reboot the server (2008). Can anybody tell me how I can solve this problem? I need to get the events to treat them later. Thanks in advance. Regards.
March 16th, 2011 10:34am

dumpevt is SomarSoft software. Please contact SomarSoft Technical Support to solve your issue.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner | Microsoft Certified Professional | Microsoft Certified Systems Administrator: Security | Microsoft Certified Systems Engineer: Security | Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration | Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
March 16th, 2011 10:44am

Same thing happens with other log reader software. So far, no one has found a way to stop it, nor are there any settings to fix the hang. Last time I checked it had to do with the LSA queue. Messages are queued until some "quiet time" to actually place them into the event logs. The problem is that once the train leaves the tracks, there is no (known) way to get things going again until a reboot.
LSA has a queue set in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. It is currently 0x00 30 00 00 00 20 00 00.
"Specifies thresholds for managing the length of the kernel-mode Local Security Authority (LSA) audit queue. The audit queue stores kernel-mode events destined for the Security Log in Event Viewer. The value of this entry is an 8-byte binary field. The value of the first four bytes specifies the maximum number of items that can be held in the audit queue (the upper bound). When the number of audits exceeds this value, LSA discards all new audits until the number of audits remaining in the queue reaches the lower bound, as specified by the value of the last four bytes. The system does not notify you when the queue is nearing, has reached, or has exceeded its upper bound. To prevent the system from running when it cannot report all security events, set the value of CrashOnAuditFail to 1."
I have asked about this, as have others.
March 16th, 2011 4:40pm
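
Added example, not part of the original post and not Microsoft or SomarSoft code: it decodes the 8-byte value quoted above and models the discard behaviour the quoted description gives, to show how many audits are silently lost when the writer to the Security log stalls. Assumptions: each 4-byte half is a little-endian 32-bit integer, the queue model is a simplification of the quoted text rather than LSA's real implementation, and the function names are hypothetical.

```python
import struct

# Registry value quoted in the post above (HKLM\SYSTEM\CurrentControlSet\Control\Lsa).
PAGE_VALUE = bytes.fromhex("0030000000200000")

def decode_bounds(raw: bytes) -> tuple[int, int]:
    """Split the 8-byte field into (upper_bound, lower_bound).
    Assumption: each half is a little-endian 32-bit integer."""
    if len(raw) != 8:
        raise ValueError("expected an 8-byte binary value")
    upper, lower = struct.unpack("<II", raw)
    if lower > upper:
        raise ValueError("lower bound is above upper bound")
    return upper, lower

def simulate(upper: int, lower: int, ticks) -> tuple[int, int]:
    """Simplified model of the quoted description.
    ticks: iterable of (audits_arriving, audits_written_to_log) per step.
    Returns (queue_depth_at_end, audits_discarded)."""
    depth, dropped, discarding = 0, 0, False
    for arrivals, writes in ticks:
        depth = max(0, depth - writes)        # events flushed to the log
        if discarding and depth <= lower:     # drained to the lower bound
            discarding = False
        if discarding:                        # every new audit is lost
            dropped += arrivals
            continue
        accepted = min(arrivals, upper - depth)
        depth += accepted
        if accepted < arrivals:               # upper bound hit: start discarding
            dropped += arrivals - accepted
            discarding = True
    return depth, dropped

if __name__ == "__main__":
    upper, lower = decode_bounds(PAGE_VALUE)
    print(f"upper bound = {upper}, lower bound = {lower}")
    # Constructed scenario: 100 audits per step, log writer completely stalled.
    depth, dropped = simulate(upper, lower, [(100, 0)] * 200)
    print(f"queued = {depth}, silently discarded = {dropped}")
```

Because the queue must drain all the way to the lower bound before new audits are accepted again, a short stall can cost far more events than the moment of overflow itself.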

Thank you. I've asked about it in the Somarsoft Software forum. Thank you D Negidius. If you find out any solution, please tell me. Does anyone know any easy way to audit a server?
March 17th, 2011 4:05am

Hi, You can refer to:
Security Audit Policy Reference
http://technet.microsoft.com/en-us/library/dd772623(v=ws.10).aspx
How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain.
http://support.microsoft.com/kb/921469
Brent
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 18th, 2011 3:33am

"If you find out any solution, please tell me."
I would if I could. I asked pretty much the same question some time ago. The text I copied was from my original plea for help. 800+ views and not one response (other than my own). I cannot tell if there is simply a lack of info concerning how the Local Security Authority (LSA) audit queue actually functions, or whether releasing info pertaining to the Security Audits is considered too dangerous to discuss in open forums. It seems that third party event readers can cause a delay in writing the events to the event log itself, the queue fills and the event system grinds to a stop. I have had success in the past by deleting the events two or three times until the LSA queue catches up. But more often than not it is a reboot, since the event log service seems to be "protected" from restarting even if accessing the services.msc with full admin privileges.
March 18th, 2011 5:39pm

Thank you Brent. I've configured the security auditing settings and it works fine. Regards.
March 24th, 2011 7:50am

Thank you. I see this is a general and unsolved problem. If I find any solution I will tell you. Regards.
March 24th, 2011 8:00am

This topic is archived. No further replies will be accepted.
