The security log on this system is full

This error can be encountered only on Windows XP or Windows Server 2003 and it is the result of the log file size reaching the default limit set by the system. This means that any other users except for those in the Administrators group can’t login to the system, and they will get this message: the security log on this system is full while trying to login.

Default log file sizes:

Windows Server 2003 – 16MB

Windows XP Professional SP1 – 8MB

Windows XP Professional – 512 KB

The log file size must be set as a number multiple of 64KB, else the system will correct (you will receive a warning with only an option to press Ok and then the value you just added will be adjusted by the system to the nearest 64KB multiple). It is better if you to adjust this limit to a bigger file size, especially if you are a system administrator or a person that might need to check or keep track of the logs somewhere in the future.

If the only thing that might interest you is recent history, you can also make a setting to “overwrite events as needed” as you will see a bit later in this article, which will just overwrite the older events with the new ones when the log file size is reached. It is better, a good practice and an optimization, even if you plan to use this setting to “overwrite events as needed” to maximize the log file size, at least to a double size.

There are three important event log types: Application, Security and System. You can see more details on them, like the actual log file size set and the log file location if you access any of them through computer management. Right click My Computer on your system and select “manage” or just hit “compmgmt.msc” without the quotes, in a start – run dialogue and then expand “event viewer”, like you can see below:

The security log on this system is full - Computer Management

Right click any of them and then select properties and you will see these details, including the options to “overwrite events as needed” and the textbox where you can change the log file size but note that I’ve opened “Security” event properties.

The security log on this system is full - Security Properties

Log name – in there you can see the location of the actual file that keeps all the entries on the right side of the event type selected (you can see below how the entries look, the same view will be displayed to you if you select the security, system or application event type). You can see even more details if you open any of the entries, for the desired hour/minute when an action happened but this is not the purpose of this article. You should know that except for the fact that application, security and system event logs keep track of different things, they work and behave in a similar way.

The security log on this system is full - Computer Management Security

Clear Log – this is an option you can manually use anytime you want to just delete the logs for that specific log types (application, security or system). When you will use it, it will ask you if you want to save the logs before deleting them as you can see below. You can assume this is up to you, if you store such things, if you think at given time in the future you might need any of them for that specific system that you plan to delete them, and so on. They basically need a small amount of memory to be stored, but they are easy to get lost if you don’t mark them somehow or store them in a special location marked somehow.

The security log on this system is full - Security Properties Save

If you select No, they will just be deleted.

If you select Yes, a new window will pop up which will ask you for the location of the file to be stored (.evt extension). Add a name to the file name textbox, confirm with save and the process that runs in background is actually an automatic method for a cut/paste of the file that you can see at LOG NAME, which will be automatically completed as soon as you confirmed.

The security log on this system is full - Save security as

SOLUTION for The security log on this system is full error:

Due to the details I have presented so far, I am pretty sure a big part of you already found the way to fix this so far, but to resume the whole process and what you could do to bypass the problem I will shortly describe it in a few words the possible fixes…any of them work.

One thing which will also can count in how you will fix this error is, if you have direct access to the computer or you will need to remotely manage it. In both cases, you will need to login using an administrator account (a member of the administrators group on the local machine), no other account will be permitted to login before dealing with the error.

If you have direct access to the computer, just login using an admin account and do any of the below fixes, which you consider to address your issue and future needs better.

If you don’t have direct access and you will have to remotely fix this (this applies mostly to system and network administrators), there is no point for a connection like an RDP type. That would only be a waste of time to use RDP and login with an administrator to open the computer management and do any of the below.

We need to open a compmgmt.msc with administrator rights. You can do this either with the help of a runas command in a command prompt window and then use compmgmt.msc in that cmd to open the LOCAL computer management as you can see in the next image or create a shortcut to the compmgmt.msc and use the runas option from the right click selection menu.

The security log on this system is full - Password and Username

After you provide the password, in the new window that will automatically open with the administrator account credentials, use “compmgmt.msc” without the quotes to bring up the local computer management console as you can see in the next picture. After you use the runas command you will have two cmd windows, one running as admin and one with the default user that will still contain the runas instructions – you can close the one you used to open the second one and keep just the new one with the administrator account.

Note: if you don’t have a domain account with administrator rights, just use a local one. In the above syntax it will be something like: “runas /u:administrator cmd” without the quotes. You can see the difference that there is no more domain in the syntax. The same local admin account must exist on the remote computer that you will try to connect, with the same password.

From the compmgmt.msc that has the local computer management opened, right click on “Computer Management” and select “Connect to another computer..”.

The security log on this system is full - Computer Management Connect

In the textbox add the IP or the hostname of the computer in your network with the error in the title of this article and confirm with Ok.

The security log on this system is full - Select Computer

If the connection will be a success (no network connection problems, the computer can be seen at ping) the result will be the same that you had for the (Local) computer with access to most of the functions in the computer management, but after the “Computer Management” instead of (Local) you will have the hostname or the IP used for the connection, plus remotely management to it.

Now you can select any of the fixes below and start fixing your problem.

1. Use the “Clear Log” button and delete the logs with or without saving when asked, depending on your needs.

The security log on this system is full - Computer Management Clear log

2. Max out the Maximum log size limit, as I said earlier, a multiple of 64KB, for example to a 4096KB which should give you quite a while of detailed tracking without any error.

The security log on this system is full - Computer Management maximum log size

3. Use the “Overwrite events as needed”, check it and the system will automatically overwrite the older events when the system log max file size has been reached.

There are also other combinations, for example you can have above limit sizes for the log file plus “overwrite events older than 7 days”, but that depends on you. Basically as you can see from the print screen, I use a 4096 with the option to overwrite events as needed. That gives me plenty of info and a wide variety of tracking details and history.

Any of these three settings will fix your problem or the problem for the user you remotely manage, but you should keep in mind that after you do this, a reboot might be required, else the user might still not login with his non-administrative account.

NOTE: You will have to apply the setting on EACH of the THREE event logs: application, security and system.

I can’t basically cover all of the ways you can remotely fix this issue or manage a computer and I assure you there are a lot more than I have covered here (especially because these same things can be done in a lot more than 3 ways as I presented above), but I hope you learned something new. If by any chance you are facing a problem or this problem with different data, for example a scenario I didn’t cover in here, please do tell me so I can help you or write an update with the scenario.

VN:F [1.9.22_1171]
Rating: 5.0/5 (4 votes cast)
The security log on this system is full, 5.0 out of 5 based on 4 ratings
  1. sfinx

Leave a Reply

Your email address will not be published. Required fields are marked *