Missing Log Events

By hlabella
Need an explanation...
After reviewing the Event Logs (all 3) on a 2k client, I found the logs started 12/4/200 and end 11/30/2002.
During the review I noticed that the events from 6/18/2002 thru 8/24/2002 are missing. The last 6/18/2002 event in the Security Log is (515) System Event and the next entry 8/24/2002 is (515) System Event. After checking the other 2 logs I find that the same dates are missing.
How can this happen? Is third party software available to "EDIT" security logs? To add confusion, I checked and found multiple files that were updated during those missing dates.
The Audits are set to record ALL Success and Failures.

Missing Log Events

by Greybeard770 In reply to Missing Log Events

When the log file fills up and the time has not passed to overwrite entries, events do not get logged. If somebody noticed the full log file situation on 8/24/2002 and expanded the size of the logfile the entries would again be logged, leaving the gap.

Another possibility may be that the logs were cleared on 8/24 and then for some reason a restore was done from 6/18 data, although that sounds kinda strange.

Using Overwrite as Needed would solve that problem, but if something real freaky happens that generates lots of entries you could wind up with less than a day of log data, so that can be a bad solution. The default size of logs tends to be rather conservative and increasing those settings is probably a good idea. The space and time you are willing to accept for log history would vary depending on the function of the server.
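
One way to measure the gap discussed in this thread, as an added example that is not part of the original posts: it finds the window in which every log is silent and lists files modified inside that window. The event records, file paths and the 7-day threshold are constructed assumptions; a real run would read an export of each log.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample export (log, timestamp, event ID); not data from the thread's machine.
EVENTS = [
    ("Security", "2002-06-17 09:12:00", 528),
    ("Security", "2002-06-18 16:40:00", 515),
    ("Security", "2002-08-24 08:05:00", 515),
    ("System", "2002-06-18 16:38:00", 6005),
    ("System", "2002-08-24 08:04:00", 6009),
    ("Application", "2002-06-18 12:00:00", 1000),
    ("Application", "2002-08-24 09:15:00", 1000),
]
# Constructed file modification times (hypothetical paths).
FILES = [(r"C:\data\report.doc", "2002-07-10 14:22:00"),
         (r"C:\data\notes.txt", "2002-09-01 10:00:00")]

def gaps_per_log(events, min_gap):
    """Return {log: [(last_before, first_after), ...]} for silences longer than min_gap."""
    by_log = {}
    for log, ts, _event_id in events:
        by_log.setdefault(log, []).append(datetime.strptime(ts, FMT))
    gaps = {}
    for log, stamps in by_log.items():
        stamps.sort()
        gaps[log] = [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > min_gap]
    return gaps

def common_window(gaps):
    """Intersect the per-log gaps: windows in which no log recorded anything."""
    windows = None
    for log_gaps in gaps.values():
        if windows is None:
            windows = list(log_gaps)
            continue
        windows = [(max(a, c), min(b, d)) for a, b in windows
                   for c, d in log_gaps if max(a, c) < min(b, d)]
    return windows or []

def activity_in(windows, file_times):
    """Paths modified while all logs were silent, i.e. the host was in use."""
    return [path for path, ts in file_times
            if any(a < datetime.strptime(ts, FMT) < b for a, b in windows)]

if __name__ == "__main__":
    silent = common_window(gaps_per_log(EVENTS, timedelta(days=7)))
    for start, end in silent:
        print("all logs silent:", start, "->", end)
    print("files modified in the silent window:", activity_in(silent, FILES))
```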

Missing Log Events

by hlabella In reply to Missing Log Events

Thanks for the reply, to expand, the size of the log is 8192kb (default for all my clients set during installation), with overwrite entries older than ** days selected.
