Auditing Log is Full - Eventlog Archive GPO not working

Question

I am trying to create an Archive for Eventlog but it does not seem to work.

Server 2k12 R2 Environment.

Following is the GPO I have enabled:

I have rebooted the server and made sure it is being applied using "gpresult /r /scope computer". I also checked locally using gpedit.msc and the same settings got propogated successfully. Unfortunately, besides an "Auditing Log is Full" popup the logs keep getting overridden.

I might as well mention that all logs are currently 100MB in size.

Edit: I fired up Process Monitor and found this:

It just looks too weird to me. How come it can write to Security.evtx but cant create a new file? What might be missing if System has FULL Control over that directory?

Answer 1

Solution:

ICACLS C:\Windows\System32\winevt\logs /grant *S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122:(F)

It appears that Eventlog is controlled by a security group called Eventlog. I'm not sure why but it had no permissions at all on the eventlog directory.

Note that this did not add the actual permissions to the directory for some reason. I had to manually tick "Full Permissions" for "eventlog" group after executing it. Also note that you can simply add it manually by using "NT SERVICE\EVENTLOG".