TechTips: How to Deal with a "FULL" Security Log

In Windows Server 2003 or Windows XP if you are using an account that doesn't have admin rights sometimes you will get a message like this:

"The security log on this system is full. Only administrators can log on to fix the problem."

This problem occurs when the security log is full and can no longer write events to its log file. You have a few options for solving this issue, you can clear the log entirely, you can expand the amount of space the log can take up, or you can set the log to overwrite old events.

If you choose to clear the log then all past events will be lost. There will be no way to go back and check the security log files for a problem or error if you do this. Clearing the log also is generally a short term solution, it's going to fill backup again and produce the same error.

Expanding the size of the log is another short term option; this is where you simply allow the log more space for storing logs. Even with more space the log will eventually fill up and again you will again get the message that your security log is full.

The best option is to overwrite the security events as you need more space, the oldest events will be lost but you shouldn't need to look at security events that old anyway. If you set this option up you should never have this error message again.

So let's go about setting this up.

1. Click Start>> Settings>>Administrative Tools, and then double click Event Viewer.
2. Right-click Security and then click Properties.
3. In the Log Size area of the Security Properties window, click the "Overwrite events as needed" option under when maximum log size is reached.
4. Click OK.
5. Close Event Viewer.

If you don't want to over write your events then the two other options are in this same window. You can change the Maximum Log Size to a higher amount, set it to 100,032 KB (I know this number is weird but it has to be in 64kb increments) that should give you a good amount of space for your logs and it shouldn't fill up to quickly.

The other option is to click the Clear Log button. This will clear all of your security logs, so make sure that you don't need these logs, because once you clear them they are gone forever.

One last option is an expansion of the overwrite events as needed; it's just a simple customization of when you will overwrite the files. The overwrite as needed only over writes the old events once the log file is full, you can change this however to overwrite events older than a certain amount of time. The default is 7 days, so when you get log files that are 7 days old then the new events will over write anything older than 7 days. This option is no better than overwrite as needed but some people prefer it.