We are seeing an error where we are unable to access the Security log


Symptoms


We see the following error when we try to open the Security log on some of the domain controllers with the domain admin account:

"Event viewer cannot open the event log or custom view. Verify that the event log service is running or query is too long. Access is denied"

Cause


The right security permissions were not defined for the EventLog account in the registry.

Resolution


To have us fix this problem for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me

To fix this problem automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.

Fix this problem
Microsoft Fix it 55046



Note This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD so that you can run it on the computer that has the problem.

Note We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me" blog or send us an email message.

Let me fix it myself

1) Checked NTFS permissions for C:\Windows\System32\winevt\Logs - the EventLog user has full control.

2) Checked HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security - EventLog has no permissions there.

3) Granted "NT service\EventLog" read permissions in HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security. (You have to do this by selecting the local computer account by clicking on "Locations".)

4) Reopened Event Viewer and confirmed that we can now read the security logs.
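
The same four steps can be run from an elevated PowerShell prompt. This is an added example, not part of the original article or of the Microsoft Fix it package. It assumes that "read" corresponds to the ReadKey right inherited by subkeys, and the `$Grant` switch is a hypothetical variable that keeps the script audit-only until it is set to `$true`.

```powershell
#Requires -RunAsAdministrator
# Added example. Paths and the account name come from the steps above.
$logDir  = 'C:\Windows\System32\winevt\Logs'
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$svcName = 'NT SERVICE\EventLog'
$Grant   = $false   # hypothetical switch: $true applies step 3, $false only audits

# Resolve the service account on the local computer; Translate() throws if unknown.
$account = New-Object System.Security.Principal.NTAccount($svcName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

function Get-EntriesFor($Acl) {
    # Match by SID so name formatting differences do not hide an entry.
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }
}

# Step 1: NTFS permissions held by EventLog on the log directory.
Get-EntriesFor (Get-Acl -Path $logDir) |
    Format-Table FileSystemRights, AccessControlType, IsInherited

# Step 2: does EventLog have an Allow entry that includes Read on the registry key?
$keyAcl  = Get-Acl -Path $keyPath
$read    = [System.Security.AccessControl.RegistryRights]::ReadKey
$hasRead = @(Get-EntriesFor $keyAcl | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $read) -eq $read
}).Count -gt 0
"EventLog has Read on ${keyPath}: $hasRead"

# Step 3: grant Read only when it is missing and the change was requested.
if (-not $hasRead -and $Grant) {
    # Assumption: Read on this key and its subkeys, nothing broader.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, $read, 'ContainerInherit', 'None', 'Allow')
    $keyAcl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $keyAcl
}

# Step 4: confirm the Security log can be read through the Event Log service.
try {
    Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop |
        Format-List TimeCreated, Id
} catch {
    "Security log still not readable: $($_.Exception.Message)"
}
```

Run it once with `$Grant = $false` on an affected and an unaffected domain controller to compare the ACLs before changing anything.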