@David Kim , Based on my research, The CrashOnAuditFail feature is a registry key that can be set to make sure that all auditable events are recorded in the security event log. When the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail is set to 1, anyone may log on if the system can audit the events and write the events to the security event log. If the security event log is full, the value for the CrashOnAuditFail key is changed to 2, and the server crashes. Here is a link with more detailed information for the reference:
https://learn.microsoft.com/en-us/troubleshoot/iis/users-cannot-access-web-sites-when-log-full
When the value is changed, event id 4906 is generated:
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4906
Here, we can create an event monitor in SCOM 2019 to monitor event id 4906. We can see more details in the following link:
https://social.technet.microsoft.com/wiki/contents/articles/51547.scom-monitor-a-specific-windows-event.aspx
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.