Windows Server random reboots when Event Log is full due to GPO setting

So while working on a server at one of my clients, I noticed that the server was randomly shutting down with no good explanation. Here's a snippet of the information that I found in the event viewer:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 12/2/2011 4:44:13 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: servername.domain.local
Description:
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: username
Account Domain: DOMAIN.LOCAL

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006e
Sub Status: 0x0

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: -
Source Network Address: 192.168.1.73
Source Port: 61923

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2011-12-02T22:44:13.352802000Z" />
<EventRecordID>35312462</EventRecordID>
<Correlation />
<Execution ProcessID="556" ThreadID="660" />
<Channel>Security</Channel>
<Computer>servername.DOMAIN.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">username</Data>
<Data Name="TargetDomainName">DOMAIN.LOCAL</Data>
<Data Name="Status">0xc000006e</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.168.1.73</Data>
<Data Name="IpPort">61923</Data>
</EventData>
</Event>

Maybe you googled part of that event log and found this... Good news. Sure enough, I found that the server was shutting down because the event log was set to shut down the server once it was full. This was due to an enforced group policy, combined with the event log for System, Security, or Application (any combination of them) being set to "Do not overwrite events" in the properties of each log. Get into your group policy and disable this policy, which is found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
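A read-only check you can run on a server showing these symptoms, added here as an example and not part of the original post. It assumes the shutdown-on-full behaviour described above is the Security Options policy "Audit: Shut down system immediately if unable to log security audits", which Windows stores as the CrashOnAuditFail value under the Lsa registry key, and it reads the 4625 fields by the positions they have in the EventData block of the XML above.

```powershell
# Added diagnostic (not the post's own code). Assumes the policy behind the reboots is
# "Audit: Shut down system immediately if unable to log security audits", persisted as the
# CrashOnAuditFail DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
# Run from an elevated PowerShell session; pass -ComputerName to query a remote server.
param([string]$ComputerName = $env:COMPUTERNAME)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$crash  = (Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
if ($null -eq $crash) { $crash = 0 }   # value absent means the policy is not set
switch ($crash) {
    1       { "CrashOnAuditFail = 1: server WILL shut down when it cannot write a security audit" }
    2       { "CrashOnAuditFail = 2: a shutdown already occurred; only Administrators can log on until reset" }
    default { "CrashOnAuditFail = $crash: shutdown-on-full policy is not enabled" }
}

# Retention mode of the three classic logs. LogMode 'Retain' is the "Do not overwrite events
# (Clear logs manually)" property the post describes; together with CrashOnAuditFail = 1 it
# is the reboot trigger once the Security log fills up.
Get-WinEvent -ListLog Application, Security, System -ComputerName $ComputerName |
    Select-Object LogName, LogMode,
        @{ n = 'MaxMB';  e = { [math]::Round($_.MaximumSizeInBytes / 1MB, 1) } },
        @{ n = 'UsedMB'; e = { [math]::Round($_.FileSize / 1MB, 1) } },
        IsLogFull, RecordCount |
    Format-Table -AutoSize

# What is filling the log: top sources of 4625 (failed logon) in the last 24 hours.
# Property indices follow the EventData order shown in the event XML:
# 5 = TargetUserName, 7 = Status, 19 = IpAddress (192.168.1.73 in the post).
# Fixing the noisy client addresses the cause rather than only enlarging the log.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
    ForEach-Object {
        [pscustomobject]@{
            IpAddress  = $_.Properties[19].Value
            TargetUser = $_.Properties[5].Value
            Status     = ('0x{0:x8}' -f [uint32]$_.Properties[7].Value)
        }
    } |
    Group-Object IpAddress, TargetUser, Status |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize
```

If the first line reports CrashOnAuditFail = 2, the server has already shut down at least once for this reason; after disabling the policy in the GPO, run gpupdate /force and confirm the value returns to 0, since a leftover 2 keeps non-administrators locked out.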