Event ID 4621: Administrator recovered system from CrashOnAuditFail.
This event logs the following information:
Value of CrashOnAuditFail: %1
Reasons to monitor this event:
- We recommend triggering an alert for any occurrence of this event.
- The event shows that the system halted because it could not record an auditable event in the Security Log, as described in CrashOnAuditFail.
- If your computers don’t have the CrashOnAuditFail flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed.
Event 4621 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools