Windows Server 2003 does not issue security event 523 even though the WarningLevel registry entry is configured

Consider the following scenario:

• On a Windows Server 2003-based computer, you set the maximum size of the Security log to a large value. For example, you set the maximum size to a value that is larger than 60 megabytes (MB).
• You select the Do not overwrite events (clear log manually) option in the Security log properties.
• You configure the Security log to issue an event 523 when the size of the Security log reaches a warning level. To do this, you configure the WarningLevel registry entry under the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
  You set the warning level to a high percentage. For example, you set the WarningLevel registry entry to 80 or to 90.

However, when the actual size of the Security log reaches the specified percentage, event 523 is not issued to the Security log. Therefore, you are not warned of the Security log usage before the Security log is full. More security events cannot be issued when the Security log is full. In this case, some important audit events are not captured as expected.

Note A typical event 523 resembles the following event:

Event Type: Success Audit
Event Source: SECURITY
Event Category: System Event
Event ID: 523
Date: Date
Time: Time
User: N/A
Computer: Computer name
Description:
The security log is now WarningLevel percent full.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2 installed on the computer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 with Service Pack 1, x86-based versions

Windows Server 2003 with Service Pack 2, x86-based versions

Windows Server 2003 with Service Pack 1, Itanium-based versions

Windows Server 2003 with Service Pack 2, Itanium-based versions

Windows Server 2003, x64-based versions

Windows Server 2003 with Service Pack 2, x64-based versions

To work around this problem, use one of the following methods:

• Set the maximum size of the Security log to a value that is less than 50 MB.
• Configure the AutoBackupLogFiles registry entry to enable automatic log file backup. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  312571 The event log stops logging events before reaching the maximum log size

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Windows Server 2003 and Windows 2000 Service Pack 3 include a new feature to generate a security audit event in the Security log when the log size reaches a user-defined threshold. For example, if the threshold value is set to 90, an event 523 will be issued when the Security log reaches 90 percent of capacity. This entry contains the following description:Note The threshold setting does not work if the Security log is configured to overwrite events as needed.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: