Microsoft KB Archive/945463

= Windows Server 2003 does not issue security event 523 even though the WarningLevel registry entry is configured =

Article ID: 945463

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems

-



SYMPTOMS
Consider the following scenario:  On a Windows Server 2003-based computer, you set the maximum size of the Security log to a large value. For example, you set the maximum size to a value that is larger than 60 megabytes (MB). You select the Do not overwrite events (clear log manually) option in the Security log properties. You configure the Security log to issue an event 523 when the size of the Security log reaches a warning level. To do this, you configure the WarningLevel registry entry under the following registry subkey:

You set the warning level to a high percentage. For example, you set the WarningLevel registry entry to 80 or to 90.

However, when the actual size of the Security log reaches the specified percentage, event 523 is not issued to the Security log. Therefore, you are not warned of the Security log usage before the Security log is full. More security events cannot be issued when the Security log is full. In this case, some important audit events are not captured as expected.

Note A typical event 523 resembles the following event: Event Type: Success Audit

Event Source: SECURITY

Event Category: System Event

Event ID: 523

Date:

Time:

User: N/A

Computer:

Description:

The security log is now  percent full.



Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows Server 2003 service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
To apply this hotfix, you must have Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2 installed on the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Restart requirement
You must restart the computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 with Service Pack 2, x64-based versions


WORKAROUND
To work around this problem, use one of the following methods:  Set the maximum size of the Security log to a value that is less than 50 MB. Configure the AutoBackupLogFiles registry entry to enable automatic log file backup. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

312571 The event log stops logging events before reaching the maximum log size

</ul>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

<div class="moreinformation_section">

MORE INFORMATION
Windows Server 2003 and Windows 2000 Service Pack 3 include a new feature to generate a security audit event in the Security log when the log size reaches a user-defined threshold. For example, if the threshold value is set to 90, an event 523 will be issued when the Security log reaches 90 percent of capacity. This entry contains the following description:

<pre class="fixed_text">The security event log is 90 percent full.

Note The threshold setting does not work if the Security log is configured to overwrite events as needed.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbexpertiseinter kbwinserv2003postsp2fix kbbug kbfix kbhotfixserver kbqfe KB945463

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.