Affected versions: Windows Server 2012 R2


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On Windows Server 2012 R2, the Security event log fills quickly and starts overwriting events, causing audit gaps during incident investigations.

Environment & Reproduction

This is common when the ‘Audit: Force audit policy subcategory settings’ policy is enabled and subcategories such as Object Access generate high event volume.

wevtutil gl Security
Get-WinEvent -LogName Security -MaxEvents 1 | Select TimeCreated

Root Cause Analysis

The default 196 MB Security log size cannot hold heavy audit volume, so the oldest events are overwritten.

Quick Triage

Inspect current log size and oldest event.

wevtutil gl Security
Get-WinEvent -ListLog Security | Select FileSize,MaximumSizeInBytes,LogMode
auditpol /get /category:*

Step-by-Step Diagnosis

Verify subcategory volume.

Get-WinEvent -LogName Security -MaxEvents 10000 | Group-Object Id | Sort-Object Count -Descending | Select -First 10

Solution – Primary Fix

Increase Security log size and switch to archive mode.

# Archive mode needs retention on: /ab:true is only accepted together with /rt:true
wevtutil sl Security /ms:1073741824 /rt:true /ab:true
New-Item -Path 'C:\Logs' -ItemType Directory -Force
wevtutil sl Security /lfn:'C:\Logs\Security.evtx'

Solution – Alternative Approaches

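Forward events to a SIEM via Windows Event Forwarding (WEF).

# Run on the collector: configure the Windows Event Collector service, then size the ForwardedEvents log
wecutil qc /q:false
wevtutil sl 'ForwardedEvents' /ms:1073741824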

Verification & Acceptance Criteria

No 1104 events appear and audit data is retained for the required window.

Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=1104)]]" -MaxEvents 5
wevtutil gl Security
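
To judge whether a configured size actually covers the required window, the growth rate can be estimated from the live log. The following is an added example, not part of the original page; `Get-LogRetentionEstimate` is a hypothetical helper name and the 90-day window is an assumed requirement.

```powershell
# Added example, not from the original page. Get-LogRetentionEstimate is a
# hypothetical helper name; the 90-day window below is an assumed requirement.
function Get-LogRetentionEstimate {
    param(
        [Parameter(Mandatory=$true)][long]$FileSizeBytes,   # current size of the live .evtx
        [Parameter(Mandatory=$true)][long]$MaxSizeBytes,    # configured maximum (wevtutil /ms)
        [Parameter(Mandatory=$true)][datetime]$OldestEvent, # TimeCreated of the oldest record
        [Parameter(Mandatory=$true)][int]$RequiredDays,     # retention window to meet
        [datetime]$Now = (Get-Date)
    )
    $spanDays = ($Now - $OldestEvent).TotalDays
    if ($spanDays -le 0 -or $FileSizeBytes -le 0) {
        throw 'Log is empty or the oldest event is not in the past.'
    }
    # Average on-disk growth over the period the live file currently covers.
    $bytesPerDay = $FileSizeBytes / $spanDays
    # Size needed for the window, rounded up to a 64 KB multiple.
    $needed = [long]([math]::Ceiling(($bytesPerDay * $RequiredDays) / 64KB) * 64KB)
    [pscustomobject]@{
        MBPerDay         = [math]::Round($bytesPerDay / 1MB, 1)
        DaysHeldAtMax    = [math]::Round($MaxSizeBytes / $bytesPerDay, 1)
        RequiredDays     = $RequiredDays
        SizeNeededBytes  = $needed
        MeetsRequirement = ($MaxSizeBytes -ge $needed)
    }
}

# Constructed sample: a 192 MB log whose oldest event is 6 hours old,
# checked against the 1 GB size from the primary fix.
$now = Get-Date
Get-LogRetentionEstimate -FileSizeBytes 201326592 -MaxSizeBytes 1073741824 `
    -OldestEvent $now.AddHours(-6) -RequiredDays 90 -Now $now

# Live use on the server (elevated session):
$log    = Get-WinEvent -ListLog Security
$oldest = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated
Get-LogRetentionEstimate -FileSizeBytes $log.FileSize `
    -MaxSizeBytes $log.MaximumSizeInBytes -OldestEvent $oldest -RequiredDays 90
```

In archive mode the live file only covers the period since the last archive, so the daily rate remains meaningful while `DaysHeldAtMax` describes a single file; total retention then depends on the disk space available for archived files.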

Rollback Plan

Reset to original size if disk pressure becomes an issue.

# /rt:false restores overwrite-as-needed; /ab:false turns off auto-archive
wevtutil sl Security /ms:201326592 /rt:false /ab:false

Prevention & Hardening

Trim noisy subcategories, ship events to a central collector, and alert on 1104 ‘security log is full’.

auditpol /set /subcategory:'File System' /success:disable

Related Errors & Cross-Refs

Linked with: SACL not generating audits, and LSASS audit overhead.

References & Further Reading

Microsoft Learn: Audit policy and event log management.
