
1104 The security log is now full

Written when the Security log reaches its configured maximum size while the retention setting is "do not overwrite events (clear manually)." It is the last entry before a gap opens in the audit trail: from this point on nothing is recorded until the log is cleared.

Overview

The subcategory is Other Events and the source (provider) is Microsoft-Windows-Eventlog. It is written when the log file reaches its maximum size and the retention method is "do not overwrite events (clear manually)." It does not occur where overwriting is allowed ("overwrite events as needed"); where the log is set to be archived when full, the log is rotated and 1105 (Event log automatic backup) is written instead.

How it is triggered

  • The combination of the log reaching its maximum size and a "do not overwrite" retention method. Under normal event rates this is simply a matter of time.
  • A burst of events that fills the remaining space at once. An attacker can deliberately generate noise events (repeated failed logons, for example) to fill the log and stop further recording of their real activity.

Security review points

  • No further events are recorded, so a hole opens in the audit trail; this warrants priority operational action (collect what is in the log, then clear it or change retention). If the host enforces "Audit: Shut down system immediately if unable to log security audits," filling the log also halts the machine, so the same burst works as a denial of service.
  • A sudden fill means investigating what produced the burst just before the 1104 (a brute-force attempt, mass object access, and so on). Because nothing was overwritten, those events are still in the log until it is cleared.
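The triage described above, as an added example that is not part of the original page: it finds every 1104 on the local host, then summarises the events written in the minutes before each one by ID and by subject/target/process/source address, so a brute-force burst (4625) or mass object access (4663) can be attributed. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session; the 30-day lookback and 15-minute burst window are assumptions to adjust.

```powershell
# Added example (not the page's own code): triage Event ID 1104 on the local host.
# Assumes an elevated session (reading the Security log needs administrator or
# Event Log Readers rights). Lookback and burst window are assumptions.
$lookbackDays = 30
$burstMinutes = 15

# 1104 is written by the Eventlog provider itself, not by an audited subsystem.
$fullEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Eventlog'
    Id           = 1104
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
} -ErrorAction SilentlyContinue

if (-not $fullEvents) {
    Write-Host "No Event ID 1104 in the last $lookbackDays days."
    return
}

foreach ($e in $fullEvents) {
    # The event carries no data fields; host and time come from the System section.
    Write-Host ("`n1104 at {0} on {1}" -f $e.TimeCreated, $e.MachineName)

    # Retention was "do not overwrite", so the events that filled the log are still
    # there (until someone clears it). Pull the window just before the 1104.
    $burst = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        StartTime = $e.TimeCreated.AddMinutes(-$burstMinutes)
        EndTime   = $e.TimeCreated
    } -ErrorAction SilentlyContinue)

    $byId = $burst | Group-Object Id | Sort-Object Count -Descending
    Write-Host ("{0} events in the {1} minutes before it. Top IDs:" -f $burst.Count, $burstMinutes)
    $byId | Select-Object -First 5 | ForEach-Object { "  ID {0,-6} x{1}" -f $_.Name, $_.Count }

    if (-not $byId) { continue }
    $topId = [int]$byId[0].Name

    # Attribute the dominant ID: SubjectUserName/TargetUserName/ProcessName/IpAddress
    # are the usual fields for 4625 (logon failure) and 4663 (object access).
    $burst | Where-Object { $_.Id -eq $topId } | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Subject = $d['SubjectUserName']
            Target  = $d['TargetUserName']
            Process = $d['ProcessName']
            Ip      = $d['IpAddress']
        }
    } | Group-Object Subject, Target, Process, Ip |
        Sort-Object Count -Descending |
        Select-Object -First 5 Count, Name |
        Format-Table -AutoSize
}
```

Run it before the log is cleared: clearing writes 1102 and discards the burst, after which only the SIEM copy remains.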

Notes for log review

  • This state should be prevented up front through log management (automatic archiving or overwrite-as-needed on the host, plus forwarding to a SIEM). The appearance of 1104 itself is an indicator of a configuration gap, and the retention setting should be corrected as part of the response, not only the log cleared.
  • Reconstruct the blank period after the log filled from events already forwarded to the SIEM; the host itself holds nothing for that interval. The events before the 1104 are still on the host until it is cleared (which writes 1102), so collect them first.
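The configuration check the note above calls for, as an added example that is not part of the original page: it reports the Security log's retention mode and size, and, if the mode is Retain (do not overwrite), switches it to automatic archiving with a larger maximum size using the built-in wevtutil. It assumes an elevated session on the local host; the 1 GB size and the choice of archiving over overwrite-as-needed are assumptions, and a host that forwards every event to a SIEM may prefer overwrite-as-needed.

```powershell
# Added example (not the page's own code): audit and correct Security log retention.
# Assumes an elevated session. Size and retention choice below are assumptions.
$log = Get-WinEvent -ListLog Security

# LogMode values: Circular = overwrite as needed, AutoBackup = archive when full,
# Retain = do not overwrite (clear manually), the mode that produces 1104.
[pscustomobject]@{
    LogMode       = $log.LogMode
    MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    CurrentSizeMB = [math]::Round($log.FileSize / 1MB, 1)
    RecordCount   = $log.RecordCount
    IsLogFull     = $log.IsLogFull
} | Format-List

if ($log.LogMode -eq 'Retain') {
    Write-Warning 'Security log is set to "do not overwrite"; 1104 will be written when it fills.'

    # /rt:true /ab:true = archive the log when full and keep going; /ms = max size in bytes.
    # A Group Policy for the Security log (Event Log Service > Security) overrides this
    # at the next refresh, so correct the policy as well where one is applied.
    wevtutil set-log Security /rt:true /ab:true /ms:1073741824
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }

    $after = Get-WinEvent -ListLog Security
    'Now: LogMode={0}, MaxSize={1} MB' -f $after.LogMode, ($after.MaximumSizeInBytes / 1MB)
}

# With AutoBackup, full logs are written to winevt\Logs as Archive-Security-*.evtx.
# They have to be collected and removed, or they fill the disk instead of the log.
Get-ChildItem "$env:SystemRoot\System32\winevt\Logs" -Filter 'Archive-Security-*.evtx' -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }
```

Whichever mode is chosen, size the log for the host's event rate so that a burst cannot exhaust it between SIEM polls.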

Key fields

It carries no event-specific data fields (the UserData section holds only an empty FileIsFull element). Use Computer and TimeCreated from the System section to confirm the host and the time at which recording stopped.
