ES Compliance tracking 10807 email but we have it set correctly

edited June 2014 in General
We are getting an email from ES from Compliance Tracking from each of our DCs, event ID 10807.

The requested auditing policies have been adjusted, but the "Log Size" properties of the Security event log are not configured properly. In order for tracking features to work reliably it is recommended that you reconfigure the security event log (with "Event Viewer") to "Overwrite events as needed".


Now on each DC, if I right-click the Security event log and go to Properties, the maximum log size is 16384 and the radio button next to "Overwrite events as needed" is already checked. So my question is: why does this say to check that radio button if it is ALREADY checked?

I will be trying to exclude it. I pushed out the config but as soon as it pushed I got these two messages again (one from each DC).

Comments

  • What OS are these domain controllers running?

    Can you also open the registry editor on one of the DCs and let us know what the value for "Retention" under SYSTEM\CurrentControlSet\Services\Eventlog\Security is set to?

    Thank you.

  • 2008 R2 server.

    The value for retention in the registry is 0x0013c680 (1296000).
  • I get it for on-site DCs early in the morning daily, and I also get it for an off-site DC around 11:48 AM EST daily. It's two emails back to back saying the same thing.

    I pushed out an exclude for event ID 10807 from source EventSentry, but no dice. Still get the emails.
  • Oh, and also when I push configuration, it's only a few seconds, but I get the email again.
  • Oh I think I figured out my filter. I had info checked. I think this is a warning. Anyway I checked off all three (info, warning, error) and saved then pushed the config back out. Didn't get an email.

    So that stops it from saying there's a problem when there's not.
  • Thanks for the updates, and I'm glad to hear the filter is working now.

    We'll take a look as to why you are getting these false alerts in the event log, that shouldn't be happening.

    It's not a known issue, we'll keep you updated though.
  • It looks like querying this attribute through the registry is not accurate on 2008 and later, we will fix this with the next patch we will release, so that we accurately query the retention policy of the security event log.

    Thanks for bringing this to our attention!
  • Thank you so much for your help!
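The mismatch described in this thread (Event Viewer showing "Overwrite events as needed" while the legacy `Retention` registry value holds 0x0013c680 = 1296000 seconds, i.e. 15 days) can be checked directly on a DC. The following PowerShell is an added example, not EventSentry's code: it reads the modern channel configuration that Event Viewer uses on 2008 and later and compares it with the legacy NT-style registry value, flagging the case where the two disagree.

```powershell
# Added example (not EventSentry's code): compare the effective retention
# policy of the Security log with the legacy registry value older tooling reads.
function Get-SecurityLogRetentionReport {
    param([string]$LogName = 'Security')

    # Modern channel configuration, which is what Event Viewer shows on
    # Windows Server 2008 and later. LogMode 'Circular' corresponds to the
    # "Overwrite events as needed" radio button.
    $cfg = Get-WinEvent -ListLog $LogName -ErrorAction Stop

    # Legacy NT-style value; it may be stale (as in this thread) or absent.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    $legacy  = (Get-ItemProperty -Path $regPath -Name Retention `
                -ErrorAction SilentlyContinue).Retention

    # Legacy DWORD semantics: 0 = overwrite as needed, 0xFFFFFFFF = never
    # overwrite (clear manually), anything else = seconds to retain records.
    # Get-ItemProperty returns DWORDs as Int32, so 0xFFFFFFFF reads back as -1.
    if ($null -eq $legacy) {
        $legacyMeaning = 'value not present'
    } elseif ($legacy -eq 0) {
        $legacyMeaning = 'overwrite as needed'
    } elseif ($legacy -eq -1 -or $legacy -eq 4294967295) {
        $legacyMeaning = 'never overwrite (clear manually)'
    } else {
        $legacyMeaning = 'retain for {0} seconds (~{1:N1} days)' -f $legacy, ($legacy / 86400)
    }

    [pscustomobject]@{
        LogName         = $cfg.LogName
        EffectiveMode   = $cfg.LogMode                      # Circular = overwrite as needed
        MaximumSizeKB   = [int]($cfg.MaximumSizeInBytes / 1KB)
        LegacyRetention = $legacy
        LegacyMeaning   = $legacyMeaning
        # True when a tool trusting the registry would warn even though
        # Event Viewer already shows "Overwrite events as needed".
        ViewsDisagree   = ($cfg.LogMode -eq 'Circular') -and
                          ($null -ne $legacy) -and ($legacy -ne 0)
    }
}

# Run locally on each DC (elevated); ViewsDisagree = True reproduces the
# false 10807 warning condition described above.
Get-SecurityLogRetentionReport | Format-List
```

With the thread's values (Circular mode in Event Viewer, Retention 1296000 in the registry) the report shows `LegacyMeaning: retain for 1296000 seconds (~15.0 days)` and `ViewsDisagree: True`.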
