SergioTorres-7780 asked SergioTorres-7780 commented

Audit Failures shown as Information in Windows 2012 R2

Since yesterday, Event Viewer is not using the "audit failures" keyword on my Windows Server 2012 R2.

It reports the quantity of audit failures, let's say 16,081, as in the image.



188125-1.png


But when I go to the Security Folder there is no "Audit Failures". All events are "Information".


187918-2.png


The keywords "Audit Success" and "Audit Failure" seem not to exist anymore.

I wrote a program to parse some audit failures data and store it in a SQL Server database. I've been using it for years.

Do I need to change my program? It uses the keyword "Audit Failure" to begin extracting each event data.

The failure data is there, as you can see in the second image, but all events are reported as "information".
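An added example, not part of the original post or the asker's program: a parser can classify Security records by the Keywords bitmask in each event's XML instead of a displayed label, since audit events carry Level 0, which Event Viewer renders as "Information". The sample XML, host name, user names and addresses below are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Standard Windows event keyword bits for the audit outcome.
AUDIT_FAILURE = 0x0010000000000000
AUDIT_SUCCESS = 0x0020000000000000

# Constructed sample: two Security records in the XML form Event Viewer
# shows under Details > XML View, wrapped in a root element.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID><Level>0</Level>
  <Keywords>0x8010000000000000</Keywords>
  <TimeCreated SystemTime="2022-04-05T09:00:01.000Z"/></System>
 <EventData><Data Name="TargetUserName">alice</Data>
  <Data Name="IpAddress">203.0.113.7</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><Level>0</Level>
  <Keywords>0x8020000000000000</Keywords>
  <TimeCreated SystemTime="2022-04-05T09:00:05.000Z"/></System>
 <EventData><Data Name="TargetUserName">bob</Data>
  <Data Name="IpAddress">203.0.113.8</Data></EventData>
</Event>
</Events>"""

def audit_result(keywords_hex):
    """Map the <Keywords> hex mask to the audit outcome it encodes."""
    bits = int(keywords_hex, 16)
    if bits & AUDIT_FAILURE:
        return "Audit Failure"
    return "Audit Success" if bits & AUDIT_SUCCESS else "Other"

def parse_events(xml_text):
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        s = ev.find("e:System", NS)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        rows.append({
            "event_id": int(s.findtext("e:EventID", namespaces=NS)),
            "level": int(s.findtext("e:Level", namespaces=NS)),  # 0 for both records
            "result": audit_result(s.findtext("e:Keywords", namespaces=NS)),
            "time": s.find("e:TimeCreated", NS).get("SystemTime"),
            "user": data.get("TargetUserName"),
            "source_ip": data.get("IpAddress"),
        })
    return rows

def audit_failures(xml_text):
    return [r for r in parse_events(xml_text) if r["result"] == "Audit Failure"]
```

Both sample records have the same Level, so only the Keywords mask separates the failed logon from the successful one.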


1 Answer

LimitlessTechnology-2700 answered SergioTorres-7780 commented

Hi @SergioTorres-7780

There can be many possibilities when the Event Viewer logs can go missing in Windows servers. It can be all the log files or only some of the log files. So depending on which situation you are in, try these suggestions.

- Restart Windows Event Log
- Run System File Checker
- Check on specific log settings

You will need admin permission to configure and change things.

If some event logs are missing on the computer, restarting the Windows Event Log service might help.

- Open Run prompt (Win + R), type Services.msc, and press the ENTER key.
- Locate Windows Event Log in the Services listed.
- If the service is stopped, then click on the Start button.
- If it is already running, then right-click on the service, and choose Restart.
- The next step is to open Windows Event Log Service, select Dependencies.

Hope this resolves your Query!!


--If the reply is helpful, please Upvote and Accept it as an answer–


Thank you for your answer!
I will follow your suggestions and let you know what happens.


I just tried to restart the Windows Event Log and it did not work.
I tried to stop it to start it later, but it did not work.
I restarted the whole server.
It is a remote server so I manage it through Remote Desktop.


I ran sfc and got some "cannot repair" messages in its log, but two lines later it says "Repair complete" and, at the end, it says "all files... have been successfully repaired".

The problem with the event log is still there.

A few days back I enabled Desktop Experience to be able to run disk cleanup. Could this be related to my event log problem?

2022-04-05 09:16:13, Info CSI 000009fe [SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, Version = 6.3.9600.17415, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, hash mismatch
2022-04-05 09:16:13, Info CSI 000009ff [SR] This component was referenced by [l:166{83}]"Package_2709_for_KB3000850~31bf3856ad364e35~amd64~~6.3.1.8.3000850-6825_neutral_GDR"
2022-04-05 09:16:13, Info CSI 00000a00 [SR] Repair complete
2022-04-05 09:16:13, Info CSI 00000a06 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired
