
Audit Log Fills with Event IDs 4624 (Logon) and 4634 (Logoff) and I can't turn off 'Audit System Events' in Windows Basic Audit Policy


I have a Windows Server 2008 R2 system on a Dell PowerEdge R510 powered by a QEMU virtual CPU 2.53GHz (4 processors) and 16 GB of RAM. 64-bit operating system.

The security audit log in the system fills to 32MB capacity in about 4 days with multiple Event IDs 4624 (logon) and 4634 (logoff). These are system events that I believe are logged because Security Settings\Local Policies\Audit Policy\Audit System Events is set to log Success and Failure events. A system account is performing almost all of the logons and logoffs that fill the log.

When I turn off auditing for system events (Audit System Events, a basic Windows audit policy setting) and reboot, Audit System Events always resets to log success and failure events again. Windows Advanced Audit Policy is also configured on this system. I believe having both basic and advanced audit policy configured is causing my audit log to fill rapidly, and this may be an unexpected event that Microsoft warns can occur in this article: "What is the interaction between basic audit policy setting and advanced audit policy settings?" (Warning: Using both advanced and basic audit policy settings can cause unexpected results).

gpresult.exe /h shows that three group policy objects are applied: Local Group Policy, Default Domain Policy, and Default Domain Controllers Policy.

gpresult.exe /h shows Manage Auditing and security log is controlled by the winning GPO, the Default Domain Controller Policy. When I checked the Default Domain Controller Policy, it shows that users in BUILTIN/Administrators can manage the Manage Auditing and Security Log settings. I verified that I am a member of the BUILTIN/Administrators group making the changes, but still can't turn off success and failure events in Audit System Events (basic Windows audit policy). Any help with this matter would be greatly appreciated. Thank you for your time.
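
To measure which accounts and logon types make up the 4624/4634 volume described above, the following PowerShell tally works over event XML. It is an added example, not part of the original post; the function name `Get-LogonEventSummary` and the sample events (domain `EXAMPLE`, account `DC01$`) are constructed for illustration.

```powershell
# Added example, not from the original post.
# Tallies 4624 (logon) / 4634 (logoff) events by account and logon type.
# 4624 and 4634 are written by the Logon and Logoff audit subcategories;
# the effective per-subcategory policy is listed by: auditpol.exe /get /category:*

function Get-LogonEventSummary {
    param([Parameter(Mandatory = $true)][string[]]$EventXml)

    $rows = foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event

        # EventID is plain text unless it carries attributes (then it is an element)
        $id = $evt.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }

        # EventData is a list of <Data Name="...">value</Data> elements
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        New-Object PSObject -Property @{
            EventId   = [int]$id
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = [int]$data['LogonType']
        }
    }

    # Highest-volume (event, account, logon type) combinations first
    $rows | Group-Object EventId, Account, LogonType |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events (not real log data), trimmed to the fields used here
$template = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>{0}</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>{1}</Data>" +
    "<Data Name='TargetDomainName'>EXAMPLE</Data>" +
    "<Data Name='LogonType'>{2}</Data></EventData></Event>"
$sample = @(
    ($template -f 4624, 'DC01$', 3),
    ($template -f 4634, 'DC01$', 3),
    ($template -f 4624, 'DC01$', 3),
    ($template -f 4624, 'admin', 10)
)
Get-LogonEventSummary -EventXml $sample

# Against the live Security log (elevated prompt):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634} -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() }
# Get-LogonEventSummary -EventXml $xml
```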





