Event ID 1101 — Security Channel Publishing

Updated: December 6, 2007

Applies To: Windows Server 2008


As events are delivered to the Event Log service to be saved in the Security log, they pass through the operating system (OS) kernel. If the kernel does not have enough resources to deliver the events to the Event Log service (which can happen if the Event Log service has to handle a large number of events), then the events are lost. This can compromise the security of the system and the ability of administrators, support personnel, and automated utilities to troubleshoot and diagnose problems.

Event Details

Product: Windows Operating System
ID: 1101
Source: Microsoft-Windows-Eventlog
Version: 6.0
Symbolic Name: EVENT_AUDIT_EVENTS_DROPPED
Message: Audit events have been dropped by the transport. %1

Resolve

Decrease the number of events logged in the Security log

Events sent to the Security log are dropped (they cannot reach the Event Log service and the Security log) when their volume exceeds system capabilities. The hardware (CPU speed and disk size) can be improved to allow the system to handle a higher volume of events, or the number of events published should be reduced. For a busy domain controller system with full auditing enabled, the system attempts to publish a large number of events into the Security log. To allow the system to handle the volume, disable some auditing.

Verify

Use the Event Viewer to read the Security log on the local computer after the computer has been restarted. Verify that events 1101 or 1106 do not appear in the Security log.
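The Verify and Resolve steps above can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes an elevated PowerShell 3.0 or later session, and the 20,000-event sample size is an arbitrary choice.

```powershell
# Added example: run elevated, because reading the Security log requires it.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# 1. Verify: look for events 1101 or 1106 logged since the last restart.
$filter = @{ LogName = 'Security'; Id = 1101, 1106; StartTime = $boot }
try {
    $dropped = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent raises an error when nothing matches; treat only that case
    # as "clean" so an access-denied failure is not mistaken for a clean log.
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    $dropped = @()
}

if ($dropped.Count -gt 0) {
    Write-Warning ("{0} dropped-event notification(s) since {1}" -f $dropped.Count, $boot)
    $dropped | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Output "No 1101/1106 events in the Security log since $boot."
}

# 2. Resolve: rank event IDs by volume in the most recent events, to see
#    which audited activity is filling the Security log.
$sampleSize = 20000   # assumption: arbitrary sample size, adjust as needed
Get-WinEvent -LogName Security -MaxEvents $sampleSize |
    Group-Object -Property Id -NoElement |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 3. Show the audit policy currently in effect, so the subcategories behind
#    the noisiest event IDs can be reviewed before any auditing is disabled.
auditpol.exe /get /category:*
```

The ranking in step 2 shows which event IDs dominate the log; match them to the audit subcategories listed in step 3 before deciding which auditing to reduce.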

Related Management Information

Security Channel Publishing

Management Infrastructure



Community Content

beishi110
Event 1101 exists - now what?
What's it mean if the 1101 event appears in the security log - is there an issue? Something I should be concerned about? Something I can/should do??


[tfl - 26 Aug 08] You should post questions like this to the Technet Forums at http://forums.microsoft.com/technet or the MS Newsgroups at http://www.microsoft.com/communities/newsgroups/en-us/. You are much more likely to get a quick response using the forums than through the Community Content.
For specific help about:
Windows : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows%2C&
Windows Server : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows.server%2C&



mkleppla
Not running a domain controller how does event 1101 apply
I'm running a single computer on a cable modem with a wireless router. There is a printer and sometimes my roommate accesses that from his computer. He also sometimes accesses the wireless router to access the internet. But I don't believe I'm running a domain controller, let alone a busy one. So the response to this event on this page seems inappropriate to my situation. I'm on Windows Vista; the computer is an hpdv6704nr, Vista Home Premium. Also, I have not added any events to the event log; it remains on default. So my computer should be operating well below the threshold for too many events being logged? But in any event, how do I know how many presently logged events to cancel? Which ones would be best? There must be hundreds to choose from. Lastly, what server am I running, if I am running one at all? Is it 2003 or 2008? Currently I'm experiencing the Black Screen Of Death, which requires me to manually shut down the computer. Therefore, the event properties state for this event, "Audit events have been dropped by the transport. The real time backup file was corrupt due to improper shutdown." I'm trying to resolve this Black Screen problem, but with audit events being dropped the information leading up to this event is lost.