4621 Administrator recovered system from CrashOnAuditFail
Written when an administrator recovers and restarts the system after it halted because it could not write to the audit log (CrashOnAuditFail). It is a serious sign that auditing was temporarily not functioning.
Overview
The subcategory is Audit Security State Change. CrashOnAuditFail is a setting that halts the system when it cannot record an audit event to the Security log; it takes effect when the value is 2. After the halt and a reboot, when the administrator recovers the system, this event is logged. Recovery also lets non-administrator users log on again.
How it is triggered
- In an environment with CrashOnAuditFail = 2, when the system halts due to a failure to write to the audit log and an administrator then recovers and restarts it.
- It does not occur where the setting is not enabled.
Security review points
- Alerting on any occurrence is recommended. It means the system fell into a state where it could not record audits, and the auditing during that time may be missing.
- If it appears in an environment that should not have CrashOnAuditFail enabled, it is a sign the setting was changed from baseline. It can also relate to an attacker trying to stop auditing by overflowing the log.
Notes for log review
- Read the period from halt to recovery on the assumption the audit trail is missing. Fill that window using data forwarded to a SIEM or logs from other hosts.
- Also investigate the root cause of auditing stopping (a full Security log, event 1104; a resource shortage; and so on).
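The two checks above (setting drifted from baseline, and the halt-to-recovery window to fill from other sources) as an added PowerShell example that is not part of the original page. $ExpectedCrashOnAuditFail and $LookbackDays are assumed parameters, and the gap is only an estimate bounded by the last 1104 or 1100 the host managed to write.

```powershell
# Added example, not from the original page: for each 4621 in the Security log,
# bound the auditing gap with the last event the host could write before the halt
# (1104 "log full" or 1100 "logging service shut down") and compare the live
# CrashOnAuditFail value against a site baseline. $ExpectedCrashOnAuditFail and
# $LookbackDays are assumed parameters; set them to your own policy.
param(
    [int]$ExpectedCrashOnAuditFail = 0,
    [int]$LookbackDays = 30
)

# 1. Baseline check: a value other than the expected one means the setting drifted.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$current = (Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
if ($null -eq $current) { $current = 0 }   # absent value is treated as disabled
if ($current -ne $ExpectedCrashOnAuditFail) {
    Write-Warning "CrashOnAuditFail is $current; baseline expects $ExpectedCrashOnAuditFail"
}

# 2. Gap estimate: pair each recovery with the latest 1104/1100 written before it.
$since      = (Get-Date).AddDays(-$LookbackDays)
$recoveries = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4621; StartTime = $since } `
                           -ErrorAction SilentlyContinue

foreach ($ev in $recoveries) {
    # Get-WinEvent returns newest first, so -MaxEvents 1 is the last one before the halt.
    $lastBefore = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1104, 1100; EndTime = $ev.TimeCreated } `
                               -MaxEvents 1 -ErrorAction SilentlyContinue
    $gapStart    = $null
    $gapHours    = $null
    $precedingId = $null
    if ($lastBefore) {
        $gapStart    = $lastBefore.TimeCreated
        $gapHours    = [math]::Round(($ev.TimeCreated - $gapStart).TotalHours, 2)
        $precedingId = $lastBefore.Id
    }
    [pscustomobject]@{
        Recovered     = $ev.TimeCreated
        # First data field of 4621 is "Value of CrashOnAuditFail" as recorded at recovery.
        RecordedValue = $ev.Properties[0].Value
        GapStart      = $gapStart      # $null: no 1104/1100 found, fill the window from SIEM or other hosts
        GapHours      = $gapHours
        PrecedingId   = $precedingId
    }
}
```

Run it elevated on the recovered host; a non-null GapStart gives the earliest point from which forwarded or peer-host logs should be consulted.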
Key fields
| Field | Meaning |
|---|---|
| Value of CrashOnAuditFail | The setting value at the time of recovery |