Update: on Windows server 2022, all works: it crashes as expected and tasks triggered by missed events work after the service is restarted.
The security option "crash on audit fail" has no effect
![](https://techprofile.blob.core.windows.net/images/VW0lwaQ5kUSLakxmNp8M6w.png?8D83C5)
Dear MS security team,
setting the GPO "Audit: Shut down system immediately if unable to log security audits"
does not have the desired effect on server 2019 (Version 10.0.17763.3770).
To test whether it works or not, I setup the security event log not to overwrite old events when it becomes full and then I waited until it became full. The eventlog then states that it's full, but no shutdown occurs.
I would also like to share the observation, that when you taskkill the eventlog service process and it restarts after a minute, it will populate the log with everything that happened in between the taskkill and the restart (which is fine!), but it will NOT trigger any event-triggered tasks that might be attached to the events it just wrote to the log. Is this expected behavior?