Dear Support team,
I have a Windows 2008 R2 server. The security events haven't been recorded since last year.
1. The maximum log size is set to 100 MB, but the log file is 300 MB. The retention was set to "archive the log when full, do not overwrite events".
2. The last entry in the security log (below) shows the registry key that I modified at that time. After I modified the registry value, all security events were discarded.
A registry value was modified.
Subject:
Security ID: domain\userid
Account Name: userid
Account Domain: domain
Logon ID: 0x2c202074
Object:
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Security
Object Value Name: Retention
Handle ID: 0x100
Operation Type: Existing registry value modified
Process Information:
Process ID: 0x129c
Process Name: C:\Windows\regedit.exe
Change Information:
Old Value Type: REG_DWORD
Old Value: 0
New Value Type: REG_DWORD
New Value: 4294967295
3. As I know, the Windows Event Log supersedes the Event Logging API beginning with the Windows Vista operating system. Here is the KB link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385780(v=vs.85).aspx?ppud=4
And the registry key which I modified before ( \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\retention ) seems to apply only to Event Logging for Windows 2003 and prior systems.
Here is the KB link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx
May I know what the reason is that the security events were discarded?
Does the retention setting in the Registry still work on Windows 2008?
Thanks very much.
Liu
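One way to check the state of the Security log on the server itself, added here as an example and not part of Liu's post or of any Microsoft documentation: it reads the configuration the Windows Event Log service actually applies (`Get-WinEvent -ListLog`), reads the `Retention` and `AutoBackupLogFiles` values from the EventLog registry key, derives the log mode those values imply, and reports whether the log is full and in a mode that drops new events. It assumes the log is named `Security` and lives under the default `HKLM:\SYSTEM\CurrentControlSet\Services\EventLog` key; the value-to-mode mapping in the comments is the one the Vista-and-later service uses (the same settings `wevtutil sl /rt: /ab:` writes).

```powershell
# Added example, not from the original post: audit how the Security log is
# configured on Windows Vista / 2008 R2 and later, and report whether it is
# full and silently dropping new events.
$logName = 'Security'
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$logName"

# Effective configuration as the Windows Event Log service sees it
$cfg = Get-WinEvent -ListLog $logName

# Registry values under the EventLog key; the Vista+ service still reads them.
# Retention is a REG_DWORD and comes back as a signed Int32 (0xFFFFFFFF reads as -1).
$reg        = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
$retention  = if ($null -ne $reg.Retention)          { [int]$reg.Retention }          else { 0 }
$autoBackup = if ($null -ne $reg.AutoBackupLogFiles) { [int]$reg.AutoBackupLogFiles } else { 0 }

# Mapping applied by the Vista+ Event Log service (same as `wevtutil sl /rt: /ab:`):
#   Retention = 0                                   -> Circular   (overwrite events as needed)
#   Retention = 0xFFFFFFFF, AutoBackupLogFiles = 0  -> Retain     (do not overwrite; clear manually)
#   Retention = 0xFFFFFFFF, AutoBackupLogFiles = 1  -> AutoBackup (archive the log when full)
$modeFromRegistry = if ($retention -eq -1) {
    if ($autoBackup -eq 1) { 'AutoBackup' } else { 'Retain' }
} else { 'Circular' }

# New-Object PSObject keeps this runnable on the PowerShell 2.0 that ships with 2008 R2
New-Object PSObject -Property @{
    LogName            = $cfg.LogName
    LogMode            = $cfg.LogMode
    ModeFromRegistry   = $modeFromRegistry
    MaxSizeMB          = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
    FileSizeMB         = [math]::Round($cfg.FileSize / 1MB, 1)
    RecordCount        = $cfg.RecordCount
    IsLogFull          = $cfg.IsLogFull
    LastWriteTime      = $cfg.LastWriteTime
    RegRetention       = '0x{0:X8}' -f $retention
    RegAutoBackupFiles = $autoBackup
} | Format-List

# A full log in Retain mode is the state in which new events are discarded.
if ($cfg.IsLogFull -and $cfg.LogMode -eq 'Retain') {
    Write-Warning "$logName log is full and in Retain mode: new events are discarded until it is cleared or archived."
}

# The Event Log service writes its own notice when the Security log fills up
# (Event ID 1104 from provider Microsoft-Windows-Eventlog); list the most recent ones.
Get-WinEvent -FilterHashtable @{ LogName = $logName; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 1104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run it in an elevated PowerShell session, since reading the Security log and the EventLog registry key requires administrative rights. The useful comparison is `LogMode` against `ModeFromRegistry`: if they differ, a tool or policy other than the registry edit is setting the mode, and if both read `Retain` while `IsLogFull` is true, the log has stopped accepting events rather than archiving them.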