What to do about Event ID 521 events in Security Log

Vincent Sprague 0 Reputation points
2024-05-29T13:35:12.5333333+00:00

I have limited auditing enabled on our Domain Controllers via a group policy. The auditing appears to be generating a lot of 521 events in addition to the other audit entries. We've increased the size of the security log up to 5 GB and increased the buffer registry entries, but the 521 events are still being generated. I've also seen some articles say this is being caused by permission issues, but so far that doesn't appear to be the case here. I'd like to increase our level of auditing, but if we're having these issues with the bare minimum I'm concerned that increasing the amount of auditing will only make the issue worse.

We have two DCs used for workstation authentication (about 1000 workstations) and those DCs show a lot more of these events than other DCs. My current thinking is that there are too many audit events being created for the DCs to keep up, and I'm trying to figure out how best to deal with the situation. The DCs do not appear to be heavily utilizing CPU/Memory, so the only thing I can think of at this point is to add additional Domain Controllers for workstation authentication to spread the load and hopefully reduce the amount of audit logs being generated on each DC.

Here is an example of the entry.

```
Unable to log events to security log:
Status code: 0x80000005
Value of CrashOnAuditFail: 0
Number of failed audits: 1
```

Any suggestions or recommendations would be greatly appreciated.


1 answer

  1. Wesley Li 6,760 Reputation points
    2024-05-29T16:43:39.3966667+00:00

    Hello

    It seems you are experiencing a common issue with Event ID 521, which indicates that the system is unable to log events to the security log due to a status code of 0x80000005. This can be caused by the security log buffer being written to faster than it can be flushed to disk, leading to a backlog of events that cannot be processed in time.

    The suggested solution for the Event ID 521 issue is to adjust the BufferSize and MaximumBuffers in the registry to accommodate the volume of audit events. If the problem persists, it's recommended to identify and address any I/O bottlenecks or reduce the number of events being logged.

    [windows - Event ID 521 - Critical Logging Failure on Domain Controllers - Server Fault](https://serverfault.com/questions/740281/event-id-521-critical-logging-failure-on-domain-controllers)

    Adding more Domain Controllers could help distribute the load and reduce the number of audit logs generated on each DC. However, before proceeding with this, you might want to consider the registry adjustments and check for any I/O issues as mentioned in the web resources. It's also worth reviewing your current audit policies to ensure they are not overly broad, which could lead to an excessive number of events being logged.
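
An added example, not part of the original question or answer: a PowerShell sketch for measuring the problem before changing buffers, audit policy or DC count. It reports when 521 events occur, which event IDs dominate the Security log, and the effective audit policy on each DC. The DC names are placeholders, and it assumes remote event log access and PowerShell remoting are permitted for the account running it.

```powershell
# Added example. DC names below are hypothetical placeholders; replace with your own.
$DomainControllers = 'DC01.example.test', 'DC02.example.test'
$Since = (Get-Date).AddHours(-24)

foreach ($dc in $DomainControllers) {
    Write-Host "=== $dc ==="

    # 1. When does 521 fire? Bursts that line up with logon peaks point at
    #    event volume rather than a permissions problem.
    $failures = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 521; StartTime = $Since
    })
    "521 events in the last 24 h: {0}" -f $failures.Count
    $failures | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

    # 2. Which event IDs make up the bulk of the log? Sample the newest 50,000
    #    records (Get-WinEvent returns newest first) and estimate the write rate.
    $sample = @(Get-WinEvent -ComputerName $dc -LogName Security -MaxEvents 50000 -ErrorAction SilentlyContinue)
    if ($sample.Count -gt 1) {
        $seconds = ($sample[0].TimeCreated - $sample[-1].TimeCreated).TotalSeconds
        "{0:N0} events cover {1:N0} s (~{2:N1} events/s)" -f `
            $sample.Count, $seconds, ($sample.Count / [math]::Max($seconds, 1))
        $sample | Group-Object Id | Sort-Object Count -Descending |
            Select-Object -First 10 Name, Count | Format-Table -AutoSize
    }

    # 3. Effective advanced audit policy on the DC, to compare against the
    #    noisiest event IDs from step 2 and spot overly broad subcategories.
    Invoke-Command -ComputerName $dc -ScriptBlock { auditpol /get /category:* }
}
```

If a handful of event IDs account for most of the sample, the subcategories that produce them are the first candidates to narrow before adding Domain Controllers.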