How to set BufferSize and MaximumBuffers on Security Event Log

KKoop 10 Reputation points
2024-10-16T12:53:32.9133333+00:00

Working on Domain Controllers running Windows Server 2022 21H2

I am getting a slew of Event 521 in Security log on about half of my DCs. The status code is 80000005, which I am told is a buffer overrun that can be resolved by increasing the Buffersize and MaximumBuffers.

I made that change in

HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security

Set BufferSize to 256 and MaximumBuffers to 64, and then rebooted. The 521 Events continue to accumulate and trigger Critical Alerts in ADAudit.

When I check the Security Log settings via Powershell like this:

	get-winevent -ListLog security -computername dc-deadhorse-vm | fl *

I get this info back:

FileSize: 497094656
IsLogFull: False
RecordCount: 378351
LogName: Security
IsEnabled: True
LogFilePath: %SystemRoot%\System32\Winevt\Logs\Security.evtx
MaximumSizeInBytes: 537067520
LogMode: AutoBackup
ProviderBufferSize: 64
ProviderMinimumNumberOfBuffers: 0
ProviderMaximumNumberOfBuffers: 16
ProviderLatency: 1000
ProviderControlGuid:

Note that the BufferSize and MaximumBuffers appear to still be at the default values of 64 and 16 respectively, which would explain why changing the registry as I did made no difference. Is this correct? What is the proper method to set these buffer values?

For additional information, I also did the following as advised in other forum discussions about event 521; all resulted in no change:

  • Increased Log Size to 1GB
  • Enabled AutoArchive
  • Cleared the Security Log
  • Deleted and re-created the Security .evtx file
  • Confirmed permissions on the .evtx file
  • Confirmed adequate disk space
  • Rebooted the DC

5 answers

  1. Anonymous
    2024-10-18T09:36:35.3866667+00:00

    Hello,

    Thank you for posting in Q&A forum.

    To further troubleshoot this issue, please kindly try the steps below:

    1. Check if there is any wrong GPO configuration.

    2. Meanwhile, you can try editing the registry to disable the virtual smart card emulation at the path below: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity -> set the value to 02.

    3. Ensure the group policy is up to date and applied to the machine.

    To help other customers who may be facing the same issue, please don't forget to vote if the reply is helpful.

    Best Regards

    Zunhui


  2. KKoop 10 Reputation points
    2024-10-21T16:18:45.96+00:00

    Thanks for suggestion, Zunhui.

    I created a DWORD EnableVirtualizationBasedSecurity

    in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard

    Set value = 2

    Rebooted

    Still getting 521 Events

    I'm open to further suggestions.


  3. KKoop 10 Reputation points
    2024-10-21T16:28:14.61+00:00

    So, Lucky Luke on StackExchange recommended editing the Registry Key

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

     And adding DWORDs BufferSize and MaxBuffers with my values, then reboot

     

    That done, I now see the values of 256 and 64 respectively when I query the Security Log using 

     Get-WinEvent -ListLog Security | fl *

     

    Sadly, it has no effect on the 521 Events


  4. KKoop 10 Reputation points
    2024-10-21T16:40:25.66+00:00

    One effect this new DWORD—EnableVirtualizationBasedSecurity—does have is an RPC Call Failed error when querying the Security Log configuration remotely

    get-winevent -ListLog security -computername DC-DEADHORSE-VM1 | fl *

    Removing the DWORD returns the ability to remotely query my DC.

    Just FYI


  5. KKoop 10 Reputation points
    2024-10-22T17:07:17.75+00:00

    Since I can't mark my own post as The Answer™ I will post it separately here, and declare this The Answer™

    My Original Question was how to correctly set the BufferSize and MaximumBuffers on the Windows Security Event Log. Here's how you do it:

    Edit registry key:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

     Add DWORDs BufferSize and MaxBuffers with your values—multiples of 64, such as 128 and 32 respectively—then reboot.

    After reboot, you will find that these values are updated when you query with this PowerShell command:

    get-winevent -ListLog security -computername dc-deadhorse-vm | fl *
    
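The procedure in the answer above, written out as an added PowerShell example (not code from the thread or from Microsoft): it reads the current provider buffer settings from Get-WinEvent, writes the BufferSize and MaxBuffers DWORDs under the EventLog\Security service key named in the answer, and counts recent Event ID 521 entries so the change can be judged after the reboot. The values 256 and 64 are the ones the poster used, the 24-hour window and the function names are my own choices, and the script assumes it is run elevated on the DC itself.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the domain controller. Values are the poster's; adjust as needed.
param(
    [int]$BufferSizeKB = 256,   # written to value name BufferSize (ETW buffer sizes are in KB)
    [int]$MaxBuffers   = 64     # written to value name MaxBuffers
)

# Location that took effect in the thread (the WMI\Autologger key did not).
$SecurityLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

function Get-SecurityLogBuffers {
    # Effective provider settings as exposed by Get-WinEvent -ListLog Security.
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        ProviderBufferSize             = $log.ProviderBufferSize
        ProviderMinimumNumberOfBuffers = $log.ProviderMinimumNumberOfBuffers
        ProviderMaximumNumberOfBuffers = $log.ProviderMaximumNumberOfBuffers
        MaximumSizeInBytes             = $log.MaximumSizeInBytes
        LogMode                        = $log.LogMode
    }
}

function Set-SecurityLogBuffers {
    param([int]$BufferSize, [int]$MaxBuffers)
    # -Force creates the DWORD if missing or overwrites it if present.
    New-ItemProperty -Path $SecurityLogKey -Name BufferSize -PropertyType DWord -Value $BufferSize -Force | Out-Null
    New-ItemProperty -Path $SecurityLogKey -Name MaxBuffers -PropertyType DWord -Value $MaxBuffers -Force | Out-Null
    # Return what is now stored; it only becomes effective after a reboot.
    Get-ItemProperty -Path $SecurityLogKey -Name BufferSize, MaxBuffers | Select-Object BufferSize, MaxBuffers
}

function Get-Event521Count {
    param([int]$Hours = 24)
    # Event 521: "Unable to log events to security log". Get-WinEvent raises a
    # non-terminating error when nothing matches, hence SilentlyContinue.
    $filter = @{ LogName = 'Security'; Id = 521; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    @($events).Count
}

'Current provider buffer settings:'
Get-SecurityLogBuffers | Format-List

"Event 521 entries in the last 24 hours: $(Get-Event521Count)"

'Writing new values to the registry:'
Set-SecurityLogBuffers -BufferSize $BufferSizeKB -MaxBuffers $MaxBuffers | Format-List

'Reboot the DC, then run Get-SecurityLogBuffers and Get-Event521Count again to compare.'
```

Run it once before the reboot to record the baseline and once after to confirm that ProviderBufferSize and ProviderMaximumNumberOfBuffers now report the new values; a 521 count that keeps climbing after that, as it did for the poster, tells you the buffer sizing was not the cause.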
