Type: Success Audit
Unable to log events to security log:
Status code: <error code>
Value of CrashOnAuditFail: <value>.
Status code 0x80000005 - Systems with GFI EventsManager or GFI Languard installed may experience this type of problem. See EV100622 (GFI KBID001721) for details.
The event description contains a status code (an NTSTATUS value) that gives the first clue to the source of the problem:
- 0x80000005 = STATUS_BUFFER_OVERFLOW ("Buffer overflow")
- 0xC0000008 = STATUS_INVALID_HANDLE ("Invalid handle"). May indicate a full or corrupted security event log. If the log is full, increase its maximum size or change the overwrite (retention) options.
- 0xC0000017 = STATUS_NO_MEMORY ("No memory")
The system drive (C:\Windows) on a Windows 2008 Server ran out of drive space. I cleared the Event logs after clearing up some drive space on the server. I continued to get the 521 events until I rebooted. May be a larger issue but it is working now.
This event indicates that the system cannot record any new events in the Security log; the status code quoted in the event is the clue to why. From a security perspective this is a critical problem: for as long as it persists, logon, privilege-use and object-access audits are silently lost.
CrashOnAuditFail (the value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail, set through the security policy "Audit: Shut down system immediately if unable to log security audits") defines whether the system halts when it cannot record new security events, either because the Security log is full or because the internal queue feeding the log has reached its configured maximum. With the value 1 the system stops with bugcheck 0xC0000244 (STATUS_AUDIT_FAILED) rather than keep running unaudited, so that an intruder cannot disable logging to cover their tracks; after such a halt the value is set to 2, and only members of the Administrators group can log on until an administrator resets it to 0 or 1. With the value 0 (the default) the system keeps running and the audits that could not be written are gone.
In any case, the administrator should check the obvious things about the system's ability to write to the event log: the maximum log size and the retention (overwrite) setting, free space on the disk holding the log file, disk corruption, and so on. A reboot may clear the condition temporarily, but it does not address the cause and the event will usually return.
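The checks described above, together with a decoder for the status codes listed earlier on this page, gathered into one script. This is an added example written for this page, not EventID.Net's or Microsoft's code. It assumes Windows PowerShell 5.1 or later in an elevated session (reading the Security log and the Lsa key needs administrator rights); the status-code names come from ntstatus.h, the sample event description is constructed from the event text at the top of the page, and the function name Resolve-AuditStatusCode is the example's own.

```powershell
# Added example (not EventID.Net's code): triage checks for Event ID 521 on a Windows host.
# Assumes Windows PowerShell 5.1 or later in an elevated session; reading the Security log
# and the Lsa registry key requires administrator rights.

# NTSTATUS values seen in the "Status code:" line of the event (names from ntstatus.h).
$StatusNames = @{
    '0x80000005' = 'STATUS_BUFFER_OVERFLOW - buffer overflow (known with GFI EventsManager / LANguard installed)'
    '0xC0000008' = 'STATUS_INVALID_HANDLE - invalid handle to the log; check for a full or corrupted Security log'
    '0xC0000017' = 'STATUS_NO_MEMORY - out of memory; the audit queue could not be extended'
}

# Pull the hex status code out of an event 521 description and name it.
# Resolve-AuditStatusCode is this example's own function name, not a built-in cmdlet.
function Resolve-AuditStatusCode {
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -notmatch 'Status code:\s*0x([0-9A-Fa-f]{1,8})') { return $null }
    # Normalise to 0xXXXXXXXX so "0xc0000008" and "0xC0000008" hit the same table entry.
    $code = '0x{0:X8}' -f [Convert]::ToUInt32($Matches[1], 16)
    $meaning = if ($StatusNames.ContainsKey($code)) { $StatusNames[$code] } else { 'not in the table above; look the NTSTATUS value up in ntstatus.h' }
    [pscustomobject]@{ StatusCode = $code; Meaning = $meaning }
}

# 1. CrashOnAuditFail: 0 = keep running (default), 1 = halt with STOP 0xC0000244 when an audit
#    cannot be written, 2 = set by the system after such a halt; only Administrators may log on
#    until it is reset to 0 or 1. A missing value behaves like 0.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name CrashOnAuditFail -ErrorAction SilentlyContinue
$crashOnAuditFail = if ($null -ne $lsa) { [int]$lsa.CrashOnAuditFail } else { 0 }

# 2. Security log size and retention. LogMode 'Retain' (do not overwrite events) means the log
#    fills up and stays full until it is cleared; 'Circular' overwrites the oldest records.
$log = Get-WinEvent -ListLog Security

# 3. Free space on the system drive, which holds %SystemRoot%\System32\winevt\Logs\Security.evtx
#    unless the log file path has been moved.
$drive = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

# 4. The most recent 521 events. Get-WinEvent reports "No events were found" as a non-terminating
#    error when there are none, which SilentlyContinue turns into an empty result.
$recent = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 521 } `
                         -MaxEvents 10 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    CrashOnAuditFail  = $crashOnAuditFail
    SecurityLogMode   = $log.LogMode
    SecurityLogMaxMB  = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    SecurityLogUsedMB = [math]::Round($log.FileSize / 1MB, 1)
    SecurityLogIsFull = $log.IsLogFull
    SystemDriveFreeMB = [math]::Round($drive.FreeSpace / 1MB, 1)
    Recent521Count    = $recent.Count
}

# Decode each 521 found, plus one constructed description (built from the event text on this
# page) so the decoder can be exercised on a host that has never logged a 521.
$sample = "Unable to log events to security log:`r`nStatus code: 0xc0000017`r`nValue of CrashOnAuditFail: 1."
Resolve-AuditStatusCode -Message $sample
foreach ($e in $recent) {
    $decoded = Resolve-AuditStatusCode -Message $e.Message
    [pscustomobject]@{ Time = $e.TimeCreated; StatusCode = $decoded.StatusCode; Meaning = $decoded.Meaning }
}

# After fixing the cause on a box that halted, reset the flag from 2 back to the intended value:
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name CrashOnAuditFail -Value 1
```

Read the summary object together: a log in Retain mode with SecurityLogIsFull set to true, or a system drive with next to no free space, explains the event on its own; a status code the table does not name points at the log file or its handle rather than capacity. Check CrashOnAuditFail before clearing a full log on a host where it is set to 1, since the clear itself is audited.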