Home | Site Map | Cisco How ToNet How To | Wireless |Search | Forums | Services | Donations | Careers | About Us | Contact Us|

Event ID 521: Unable to log events to security log

Active Directory, Domain, DNS, WINS, DHCP, SBS, New Releases.

Event ID 521: Unable to log events to security log

Postby chicagotech » Mon Oct 16, 2017 12:40 pm

Situation; The client has windows server 2008 R2. It keeps get lower spaces. The event viewer log ID 521: Unable to log events to security log.

After study this event, I summary some cause and recommended resolutions. I think the best resolution for us is disable login success.
1. Cause: corrupt security event log. Resolution: rename the security event log %SystemRoot%\System32\Winevt\Logs\Security.evtx.
2. Third party software.
3. Add more CPU, RAM
4. Change the Audit Policy settings
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 7066
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

Re: Event ID 521: Unable to log events to security log

Postby chicagotech » Mon Oct 16, 2017 12:41 pm

This issue may occur if the AutoBackupLogFiles key was not created.

Add registry keys AutoBackupLogFiles to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server

Value: AutoBackupLogFiles
Type: DWORD
Data value: Value not present or 0 (zero) equals "disabled." (This is the default.) Any non-zero value equals "enabled."

Note You must restart the computer or clear the corresponding event log before the new behavior takes effect. You must configure the event log to have the Do not overwrite events (clear log manually) setting.
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 7066
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

Re: Event ID 521: Unable to log events to security log

Postby chicagotech » Tue Oct 17, 2017 10:10 am

Quoted:
"An Invalid Handle means that a process tried to open a file and failed. In this case the file was likely the %SystemRoot%\System32\Winevt\Logs\Security.evtx Security Event Log file. You need to start investigating why that file was unable to be opened.

Start by creating a new .evtx file and checking the Overwrite Event Log settings. Make sure another process (local or remote) is not holding onto the it while it scrapes events. Make sure you have enough hard drive space that there is actually room to write to the file. Check for underlying hardware failure and or file system corruption.

If that doesn't sus out something that looks like a possible cause you are going to need to gather more information. SysInteral's ProcMon can be useful here if you attach it the EventLog process (see my answer here for an example of how to do this). If you still do not find anything that looks like an obvious cause your best bet would be to go to Microsoft Support".

When I tried to rename Security.evtx, I got access is denied because it is in use. What I did is go to the Event properties to change the log name from Security.evtx to Security1.evtx. That seems to fix the problem..
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 7066
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA


Return to Windows

Your Ad Here

Who is online

Users browsing this forum: No registered users and 5 guests