
4612 Audit messages have been lost

This event is written when the queue that buffers audit messages fills up and some events have to be discarded. It is a sign that a gap has formed in the audit trail.

Overview

The subcategory is Audit System Integrity. It occurs when security events are generated faster than they can be written to disk, so the queue overflows and discards occur. The number of discarded messages is included in the event. It does not fire when the event log service is stopped, or when the log is full with overwriting disabled (those show up as other events).

How it is triggered

  • When a large number of security events occur in a short time and writing cannot keep up.
  • Strain on system resources, such as hardware problems or a shortage of memory (RAM).

Security review points

  • Events have been dropped, so the audit trail for that period is incomplete; monitor this event and investigate the cause whenever it appears.
  • An attacker could deliberately generate a flood of events to make important records drop out and get buried. Check what was occurring in volume just before.

Notes for log review

  • Read the period where discards happened on the assumption that other logs are partially missing. Reconcile against data already forwarded to a SIEM to fill the hole.
  • If it appears chronically, suspect an over-broad audit policy (too many things logged) or a resource shortage, and tune accordingly.
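The two review points above (what was being generated in volume just before the discard, and whether 4612 recurs chronically) as an added example, not part of the original page. It runs over a constructed list of Security-log records; the record shape and the 4612 field name as a dict key are assumptions of the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample Security-log records (not from a real host):
# (timestamp, event ID, event-specific fields). Event 4612 carries the
# "Number of audit messages discarded" field; the other IDs are padding.
SAMPLE_EVENTS = [
    ("2024-05-01 09:58:10", 4624, {}),
    ("2024-05-01 10:01:00", 4625, {}),
    ("2024-05-01 10:01:01", 4625, {}),
    ("2024-05-01 10:01:02", 4625, {}),
    ("2024-05-01 10:01:03", 4663, {}),
    ("2024-05-01 10:01:04", 4625, {}),
    ("2024-05-01 10:01:30", 4612, {"Number of audit messages discarded": "1532"}),
    ("2024-05-01 10:20:00", 4624, {}),
    ("2024-05-02 11:00:00", 4612, {"Number of audit messages discarded": "40"}),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def gap_context(events, window=timedelta(minutes=5), top=3):
    """For every 4612, report how many messages were discarded and which
    event IDs were being generated in volume in the window just before it."""
    events = sorted(events, key=lambda e: _ts(e[0]))
    report = []
    for ts, eid, fields in events:
        if eid != 4612:
            continue
        t = _ts(ts)
        prior = [e[1] for e in events
                 if e[1] != 4612 and t - window <= _ts(e[0]) < t]
        report.append({
            "time": ts,
            "discarded": int(fields["Number of audit messages discarded"]),
            "top_prior_ids": Counter(prior).most_common(top),
        })
    return report

def is_chronic(events, min_count=2, span=timedelta(days=7)):
    """True when 4612 recurs min_count times within span: the cue to suspect
    an over-broad audit policy or a resource shortage rather than a one-off."""
    times = sorted(_ts(e[0]) for e in events if e[1] == 4612)
    return any(times[i + min_count - 1] - times[i] <= span
               for i in range(len(times) - min_count + 1))
```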

Key fields

Field                                 Meaning
Number of audit messages discarded    The count of events dropped on overflow
