Event Log Performance Monitoring Events

Applies To: Windows 7, Windows Server 2008 R2

Security event monitoring involves more than configuring security event policy settings and reviewing the resulting audit events as they appear in the event log. It also depends on the reliable performance of the Windows Event Log service itself; without it, even the best security auditing policy framework cannot give you the critical information that your organization requires.

To help protect against this, the following events provide diagnostic data when the Windows Event Log service is experiencing problems, so that you can take corrective action.

Event ID  Symbol                                 Message
--------  -------------------------------------  -------
1100      EVENT_SHUTDOWN                         The event logging service has shut down.
1101      EVENT_AUDIT_EVENTS_DROPPED             Audit events have been dropped by the transport. %1
1102      EVENT_AUDIT_LOG_CLEARED                The audit log was cleared.
1103      EVENT_AUDIT_LOG_EXCEEDS_WARNING_LEVEL  The security log is now %1 percent full
1104      EVENT_AUDIT_LOG_FULL                   The security log is now full.
1105      EVENT_AUDIT_AUTO_BACKUP                Event log automatic backup
1106      EVENT_AUDIT_FAILURE                    Events have been dropped by the event logging service. The reason code is %1
1107      EVENT_AUDIT_PUBLISHER_META_DATA        The event logging service encountered an error while processing an incoming event from publisher %3 and trying to process the metadata for it.
1108      EVENT_AUDIT_PROCESSING                 The event logging service encountered an error while processing an incoming event published from %3.
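
One way to act on the events in this table, as an added example that is not Microsoft's code: it scans an XML event export for the nine event IDs and flags those that can mean audit records were lost. The provider name `Microsoft-Windows-Eventlog`, the `loss` flag, the helper `_ev` and the sample records are assumptions of this example, not statements from this page.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROVIDER = "Microsoft-Windows-Eventlog"  # assumption: not stated on this page
# Event ID -> (symbol from the table, True if audit records may have been lost).
# The loss flag is this example's own triage choice, not part of the table.
HEALTH_EVENTS = {
    1100: ("EVENT_SHUTDOWN", False),
    1101: ("EVENT_AUDIT_EVENTS_DROPPED", True),
    1102: ("EVENT_AUDIT_LOG_CLEARED", True),
    1103: ("EVENT_AUDIT_LOG_EXCEEDS_WARNING_LEVEL", False),
    1104: ("EVENT_AUDIT_LOG_FULL", True),
    1105: ("EVENT_AUDIT_AUTO_BACKUP", False),
    1106: ("EVENT_AUDIT_FAILURE", True),
    1107: ("EVENT_AUDIT_PUBLISHER_META_DATA", True),
    1108: ("EVENT_AUDIT_PROCESSING", True),
}

def triage(xml_text):
    """Return sorted (time, computer, id, symbol, loss) tuples for service health events."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        event_id = int(sysnode.findtext("e:EventID", namespaces=NS))
        provider = sysnode.find("e:Provider", NS).get("Name")
        # Event IDs are unique only per provider, so match provider and ID together.
        if provider != PROVIDER or event_id not in HEALTH_EVENTS:
            continue
        when = sysnode.find("e:TimeCreated", NS).get("SystemTime")
        host = sysnode.findtext("e:Computer", namespaces=NS)
        hits.append((when, host, event_id) + HEALTH_EVENTS[event_id])
    return sorted(hits)

def _ev(provider, eid, ts, host="HOST-A"):  # builds one constructed record
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/>'
            f'<Computer>{host}</Computer></System></Event>')

SAMPLE = "<Events>" + "".join([  # constructed sample export, not real log data
    _ev(PROVIDER, 1102, "2024-01-01T10:05:00Z"),
    _ev("Constructed-Other-Provider", 1102, "2024-01-01T10:06:00Z"),
    _ev(PROVIDER, 1103, "2024-01-01T10:01:00Z"),
    _ev("Microsoft-Windows-Security-Auditing", 4624, "2024-01-01T10:02:00Z"),
    _ev(PROVIDER, 1101, "2024-01-01T10:03:00Z"),
]) + "</Events>"

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```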