Dear MS security team,
setting the GPO "Audit: Shut down system immediately if unable to log security audits"
does not have the desired effect on Server 2019 (Version 10.0.17763.3770).
To test whether it works or not, I set up the security event log not to overwrite old events when it becomes full and then I waited until it became full. The event log then states that it's full, but no shutdown occurs.
I would also like to share the observation that when you taskkill the event log service process and it restarts after a minute, it will populate the log with everything that happened in between the taskkill and the restart (which is fine!), but it will NOT trigger any event-triggered tasks that might be attached to the events it just wrote to the log. Is this expected behavior?
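
One way to capture the effective state on the test server before repeating the test above, as an added example that is not part of the original post. It assumes the policy is stored as the `CrashOnAuditFail` value under the `Lsa` registry key (as Microsoft documents for this setting) and that event ID 1104 marks the Security log becoming full; run it from an elevated PowerShell session.

```powershell
# Added example: gather the settings that the "shut down if unable to log
# security audits" test depends on, so the result can be attached to a report.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented values: 0 = policy off, 1 = policy on,
# 2 = policy on and the system has already halted once on an audit failure.
$crash = (Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail `
          -ErrorAction SilentlyContinue).CrashOnAuditFail

# LogMode: Circular (overwrite as needed), AutoBackup (archive when full),
# Retain (do not overwrite events).
$log = Get-WinEvent -ListLog Security

# Most recent "security log is now full" event, if one was recorded.
$fullEvent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1104 } `
             -MaxEvents 1 -ErrorAction SilentlyContinue

$os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

[pscustomobject]@{
    OsBuild           = '{0}.{1}' -f $os.CurrentBuildNumber, $os.UBR
    CrashOnAuditFail  = if ($null -eq $crash) { 'not set' } else { $crash }
    LogMode           = $log.LogMode
    IsLogFull         = $log.IsLogFull
    MaxSizeMB         = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    FileSizeMB        = [math]::Round($log.FileSize / 1MB, 1)
    LastLogFullEvent  = if ($fullEvent) { $fullEvent.TimeCreated } else { 'none found' }
    # True only when the policy value is applied and the log cannot overwrite.
    PreconditionsMet  = ($crash -eq 1) -and ($log.LogMode -eq 'Retain')
} | Format-List
```

If `CrashOnAuditFail` shows `not set` or `0`, the GPO has not reached the machine's registry, which is a different problem from the policy being applied and ignored.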