Archived Security filling up storage (Windows 11 Pro 23H2)

Annoymous-9188 0 Reputation points
2025-08-19T15:16:21.83+00:00

Hello,

I’ve noticed that many of my users’ storage drives are filling up due to archived security logs. I’ve been manually deleting these logs, but this is time-consuming given the number of users I manage.

I attempted to fix the issue via Group Policy by creating a policy under: Computer Configuration > Windows Settings > Security Settings > Event Log Settings > Retain Security Log, and set it to delete logs older than 1 day. I then ran gpupdate force and restarted the computer. It doesn’t seem to be working.

I also tried adjusting the maximum log size for the Security log, but that hasn’t helped either.


We are running Windows 11 Pro, version 23H2, and I’m looking for a solution that:

Doesn’t require disabling security logs

Doesn’t rely on third-party tools

Is there a recommended way to manage or auto-clear these logs through GPO or another built-in method? It's really slowing down our computers and it's very frustrating!

I've already tried using this forum; nothing worked.

https://free.blessedness.top/en-us/answers/questions/1085762/why-obtain-the-security-log-on-this-system-is-full

Any guidance would be appreciated!


1 answer

  1. Quinnie Quoc 5,840 Reputation points Independent Advisor
    2025-09-13T07:13:44.35+00:00

    Hi,

    This issue has been observed in Windows 11 (especially versions 22H2 and 23H2), where the “Overwrite events as needed” setting for the Security log may revert unexpectedly to “Do not overwrite events”, even after applying GPO settings. This behavior can prevent logs from auto-clearing and lead to storage issues.

    To address this, we recommend the following steps:

    In Group Policy Editor, navigate to: Computer Configuration > Administrative Templates > Windows Components > Event Log Service > Security. Set “Control Event Log behavior when the log file reaches its maximum size” to Disabled. This forces the system to use the “Overwrite events as needed” setting.

    Ensure that Audit: Shut down system immediately if unable to log security audits is disabled under: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

    Confirm that the maximum log size is appropriate (e.g., 64MB or higher) and that retention is set to overwrite as needed, not based on time.

    After applying these changes, run gpupdate /force and restart the affected machines. These settings should persist across reboots and help prevent log overflow without disabling auditing or relying on third-party tools.

    Let us know if you'd like assistance validating these policies across your environment.

    If my answer is useful for you, please give me a vote.

    Best regards,

    Quinnie Quod.
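
One way to check, on a single machine, whether the settings described in the answer above actually took effect and how much space the archives occupy (an added example, not part of the original thread). The policy registry path and the `Archive-Security-*.evtx` file name pattern are assumptions about a default Windows installation; the function name is hypothetical.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell session.
function Get-SecurityLogRetentionState {
    # Effective channel configuration as the Event Log service reports it.
    # LogMode is Circular (overwrite as needed), AutoBackup (archive when full)
    # or Retain (do not overwrite).
    $log = Get-WinEvent -ListLog Security -ErrorAction Stop

    # Values written by the Administrative Templates policy, if one applies.
    # Assumption: the policy is stored under this key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # "Audit: Shut down system immediately if unable to log security audits"
    # is backed by CrashOnAuditFail (0 = disabled).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name CrashOnAuditFail -ErrorAction SilentlyContinue

    # Archives sit next to the live log file.
    # Assumption: default "Archive-Security-*.evtx" naming.
    $logDir = Split-Path ([Environment]::ExpandEnvironmentVariables($log.LogFilePath))
    $archives = @(Get-ChildItem -Path $logDir -Filter 'Archive-Security-*.evtx' `
        -ErrorAction SilentlyContinue)
    $archiveBytes = ($archives | Measure-Object -Property Length -Sum).Sum

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        LogMode          = $log.LogMode
        MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        PolicyRetention  = $policy.Retention
        PolicyAutoBackup = $policy.AutoBackupLogFiles
        CrashOnAuditFail = $lsa.CrashOnAuditFail
        ArchiveCount     = $archives.Count
        ArchiveSizeGB    = [math]::Round([double]$archiveBytes / 1GB, 2)
        OldestArchive    = ($archives | Sort-Object LastWriteTime |
                            Select-Object -First 1).LastWriteTime
    }
}

$state = Get-SecurityLogRetentionState
$state | Format-List

# Flag the conditions the answer says must not be present.
if ($state.LogMode -ne 'Circular') {
    Write-Warning "Security log mode is $($state.LogMode), not overwrite-as-needed."
}
if ($state.CrashOnAuditFail -and $state.CrashOnAuditFail -ne 0) {
    Write-Warning "CrashOnAuditFail is $($state.CrashOnAuditFail); the shutdown-on-audit-failure option is active."
}
```

Run it once before and once after `gpupdate /force` and a reboot; a `LogMode` that returns to `AutoBackup` or `Retain` means another policy or local setting is still overriding the GPO.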
