I noticed recently that my Security Event Log stopped functioning on one of the servers several months ago. It works fine on the other server, and when I compare the two I do not see any differences.
UAC is disabled on both.
The Security.evtx file is dated several months ago, no newer events were in it.
Trying to open the Security Event log in Events Viewer I get “Event Viewer cannot open the event log or custom view. Verify that Event Log Service is running or query is too long. Access is denied (5).”
If I double click on the Security event log file itself, it comes up under Saved Logs with events up until the file date. No new events have been added since.
In Events Viewer, if I right click on the Security log and select properties, the Properties dialog comes up. If I attempt to change the properties, like the name or path of the associated eventlog file, I get an Access Denied error, but if I close and re-open the Security eventlog properties, it appears to have updated.
I can open and view any of the other event logs fine (application, system, etc) from the event viewer, and they are all collecting events.
Initially I restarted the Windows Event Log Service, then tried rebooting the server.
I also tried logging on locally to see if the local admin account can access the Security event log, and that did not help.
When I compare file permissions, and CACLS /S, on the Logs directory, Security.evtx file, svchost.exe, wevtsvc.dll, and wevtapi.dll with the server that still functions, they match.
Both servers are in the same Domain and OU with the same group policies applied.
I verified that the settings in the HKLM\System\CurrentControlSet\Services\Eventlog\Security key match between the working and not-working servers.
I checked the local policy for Generate Security Audits (SeAuditPrivilege); it is set to Network Service and Local Service.
I verified that my GPO sets it the same way.
I moved the server to an isolated OU that was set to no policy inheritance. No change.
I then added an individual Test Group Policy to set just the Security Event settings (Computer Configuration/Policies/Administrative Templates/Windows Components/Event Log Service/Security): the Log File Path location, Access (from CACLS /S), plus all the other settings.
No change.
I tried deleting the Security.evtx file, thinking it may be corrupt, and it did not get recreated when we restarted the service. I tried copying a good Security.evtx file from the good system; that made no difference.
I ran xcacls on the whole winevt directory, and it matches the working server exactly.
I compared the Local Service and Network Service accounts to verify they exist and are part of the NT Authority group.
I did restart the Windows Event Log Service between each of these steps, and rebooted after the domain OU changes.
I seem to have run out of ideas. What next? Where should I look to determine the issue?
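As an added example (not part of the original post), the following PowerShell script collects into one text file the items the post compares by hand (service state, the Security channel's configuration and SDDL, both registry keys, the file and directory ACLs, the SeAuditPrivilege assignment and the audit policy), so the output can be run on the working and the failing server and diffed. The output file name and the temporary secpol.inf path are assumptions.

```powershell
# Added diagnostic script (not from the original post). Run elevated on both servers,
# then diff the two output files. Assumes wevtutil, secedit and auditpol are in PATH.
$channel = 'Security'
$out = @()
$cfg = $null

# 1. Service state and channel configuration as the Event Log service reports it
$svc = Get-Service -Name EventLog
$out += "Service EventLog: $($svc.Status)"
$out += (wevtutil gl $channel 2>&1)

# 2. Channel status: enabled, log mode, record count, last write time, channel SDDL
try {
    $cfg = Get-WinEvent -ListLog $channel -ErrorAction Stop
    $out += "IsEnabled=$($cfg.IsEnabled) Mode=$($cfg.LogMode) Records=$($cfg.RecordCount)"
    $out += "LastWrite=$($cfg.LastWriteTime) Path=$($cfg.LogFilePath)"
    $out += "ChannelSDDL=$($cfg.SecurityDescriptor)"
} catch {
    $out += "Get-WinEvent -ListLog failed: $($_.Exception.Message)"
}

# 3. Registry: the legacy Eventlog\Security key and the WINEVT channel key
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Security'
foreach ($k in $keys) {
    $out += "--- $k"
    if (Test-Path $k) { $out += (Get-ItemProperty -Path $k | Format-List | Out-String) }
    else              { $out += 'MISSING' }
}

# 4. File ACL (as SDDL) on the .evtx and on its directory
$path = if ($cfg) { $cfg.LogFilePath } else { "$env:SystemRoot\System32\winevt\Logs\Security.evtx" }
$path = [Environment]::ExpandEnvironmentVariables($path)
foreach ($p in @($path, (Split-Path $path))) {
    $out += "--- ACL $p"
    if (Test-Path $p) { $out += (Get-Acl -Path $p).Sddl } else { $out += 'MISSING' }
}

# 5. SeAuditPrivilege holders from the effective local policy, plus the audit policy
$inf = Join-Path $env:TEMP 'secpol.inf'   # assumed temporary path
secedit /export /cfg $inf /quiet | Out-Null
$out += (Select-String -Path $inf -Pattern '^SeAuditPrivilege' | ForEach-Object { $_.Line })
$out += (auditpol /get /category:* 2>&1)

$out | Out-File -FilePath "$env:COMPUTERNAME-seclog-diag.txt"   # assumed output name
```

Diff the two files side by side; a difference in the channel SDDL, the ChannelAccess value under the WINEVT key, or the SeAuditPrivilege line is the kind of mismatch the manual comparison in the post can miss.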