Event ID 1101 — Security Channel Publishing

Applies To: Windows Server 2008

As events are delivered to the Event Log service to be saved in the Security log, they pass through the operating system (OS) kernel. If the kernel does not have enough resources to deliver the events to the Event Log service (which can happen if the Event Log service has to handle a large number of events), the events are lost. This can compromise the security of the system and the ability of administrators, support personnel, and automated utilities to troubleshoot and diagnose problems.

Event Details

Product: Windows Operating System
ID: 1101
Source: Microsoft-Windows-Eventlog
Version: 6.0
Symbolic Name: EVENT_AUDIT_EVENTS_DROPPED
Message: Audit events have been dropped by the transport. %1

Resolve

Decrease the number of events logged in the Security log

Events sent to the Security log are dropped (they cannot reach the Event Log service and the Security log) when their volume exceeds system capabilities. Either improve the hardware (CPU speed and disk size) so that the system can handle a higher volume of events, or reduce the number of events published. A busy domain controller with full auditing enabled attempts to publish a large number of events into the Security log. To allow the system to handle the volume, disable some auditing.

Verify

Use the Event Viewer to read the Security log on the local computer after the computer has been restarted. Verify that events 1101 or 1106 do not appear in the Security log.
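
The same check can be scripted. The following is an added example, not part of the original article: it looks for events 1101 and 1106 logged since the last restart and, going beyond the Verify step, summarizes which event IDs dominate the Security log so you can decide which auditing to disable. It assumes Windows PowerShell 2.0 or later in an elevated session on an English-language system; the `$sampleSize` value is an arbitrary choice for this example.

```powershell
# Added example. Reading the Security log requires an elevated session.

# Time of the last restart, so only events logged after it are considered.
$os   = Get-WmiObject -Class Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)

# 1) Verify: look for dropped-audit events 1101 / 1106 since the restart.
$dropped = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 1101, 1106
    StartTime = $boot
} -ErrorAction SilentlyContinue)   # "no events found" is raised as an error

if ($dropped.Count -eq 0) {
    "No 1101/1106 events in the Security log since $boot."
} else {
    "{0} dropped-audit event(s) since {1}:" -f $dropped.Count, $boot
    $dropped | Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, ProviderName -AutoSize
}

# 2) Resolve: see which event IDs account for most of the recent volume.
#    $sampleSize is an assumed cap that keeps the query bounded on a busy
#    domain controller.
$sampleSize = 20000
$recent = @(Get-WinEvent -LogName Security -MaxEvents $sampleSize `
    -ErrorAction SilentlyContinue)

"Top event IDs among the {0} most recent Security events:" -f $recent.Count
$recent | Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object -First 10 -Property Count, Name |
    Format-Table -AutoSize

# 3) Resolve: list the audit subcategories that are currently enabled, as
#    candidates for reduction. Filtering on the text 'No Auditing' assumes
#    English-language auditpol output.
auditpol /get /category:* | Where-Object { $_ -notmatch 'No Auditing' }
```

Compare the noisiest event IDs from step 2 with the enabled subcategories from step 3 before changing any audit policy.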
