You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: support/windows-server/active-directory/troubleshoot-event-2866-maximum-audit-queue-size.md
+9-3Lines changed: 9 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,9 @@ appliesto:
15
15
---
16
16
# Troubleshoot Event ID 2866 (maximum number of cached audit events)
17
17
18
-
This article describes several methods to use to fix Event ID 2866, and discusses how to identify which methods are appropriate for your situation.
18
+
## Summary
19
+
20
+
Event ID 2866 occurs when your system generates more audit events for the Security log than the local transaction audit queue can hold. This article describes several methods to use to fix this situation, and discusses how to identify which methods are appropriate to fix your situation.
19
21
20
22
## Symptoms
21
23
@@ -124,13 +126,17 @@ The rate at which AD DS generates audit events depends on factors that include t
124
126
- How many event sources that you configured for auditing
125
127
- The type of auditing (such as success auditing, failure auditing, or successful read auditing). For example, all the following categories of operations can generate failure or success auditing:
126
128
129
+
-[Sign in (aka Logon) auditing](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-logon)
-[Kerberos Authentication Service auditing](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kerberos-authentication-service)
132
+
-[Kerberos service ticket operations auditing](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kerberos-service-ticket-operations)
127
133
-[File system auditing](/windows-hardware/drivers/ifs/auditing) (this category can also generate successful read auditing)
128
134
- Directory Service auditing (this category can also generate successful read auditing)
> Success auditing is typically very verbose, especially for authentication-related operations. Remember that Kerberos authentication applies not only to user requests but also to application and service communications.
134
140
135
141
### Cause 2: A single transaction generates too many audit events
136
142
@@ -198,7 +204,7 @@ To increase the capacity of the transaction audit queue, follow these steps:
198
204
199
205
- Value: `Maximum Audit Queue Size`
200
206
- Type: `REG_DWORD`
201
-
- Data: An integer between 17,000 and 4,294,967,295 (omit commas from the data). The default is `17000`, and the minimum is `100`.
207
+
- Data: An integer between `100` and `4294967295`. The default is `17000`.
202
208
203
209
> [!NOTE]
204
210
> The value measures the number of audit events that the queue can cache. It doesn't measure memory usage. If your issue is the number of audit events per transaction, make sure that the number you use is large enough to handle that number of events (for example, use a number that's larger than the number of members of the largest group).
0 commit comments