Some environments that require tight security dictate that all security events are logged, regardless of the cost. However, Windows NT has limited space in which to store all of the logs. At some point, the logs become full.
A high level of administration is necessary for manually archiving and clearing logs. To ensure that you don't lose any security messages, force the server to crash when the event logs become full. Here's how:
- Start the Registry Editor (Regedit or Regedt32).
- Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
- Add a DWORD value named CrashOnAuditFail with a value of 1.
- Exit the Registry Editor, and reboot the server.
When the event logs become full, the system stops and must be rebooted. In order to use the server after this, an administrator has to log in from the console, archive the event logs, and manually reset the value of CrashOnAuditFail to 1 (It automatically changes to 2 when the logs become full to allow an administrative logon).
Note: Editing the registry is risky, so be sure you have a verified backup before making any changes.