Event ID 521: Troubleshooting Issues with Logging to the Security Log
If you encounter an Event ID 521 error accompanied by the message "Unable to log events to the security log" on Windows Server, you can resolve this issue by adjusting the maximum log size. This error typically arises when the set maximum log size is lower than the minimum required values.
To correct this, you have two options for changing the maximum log size: via the Event Viewer or through the Group Policy Management Console (GPMC).
Event ID 521, Unable to log events to security log
To resolve the Event ID 521 issue related to security log events on a Windows Server, you can follow one of these approaches:
- Configure the maximum log size through Event Viewer
- Configure the maximum log size via GPMC
1] Adjusting the maximum log size using Event Viewer
Begin by opening the Event Viewer. You can either type event viewer in the search bar on the Taskbar or use the shortcut Win+R, then type eventvwr and press Enter.
Once opened, navigate to the Windows Logs section, right-click on Security, and select Properties from the context menu.
In the resulting window, locate the Maximum log size option. If it’s set to less than 10240 KB, change it to 10240. If it’s already at 10240, increase it to 20480.
Make sure the Overwrite events as needed option is selected.
Finally, click the OK button to apply your changes.
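The same change can be scripted. The following PowerShell is an added example, not part of the original article; the function names Get-TargetLogSizeKB and Set-SecurityLogSize are hypothetical, and it assumes an elevated session on the affected server. It applies the size rule from the steps above and selects Circular mode, which is the name the log configuration object uses for Overwrite events as needed.

```powershell
# Added example: scripted equivalent of the Event Viewer steps above.
# Function names are hypothetical. Run from an elevated PowerShell session.

function Get-TargetLogSizeKB {
    # Size rule from the article: below 10240 KB -> 10240; exactly 10240 -> 20480.
    param([long]$CurrentKB)
    if ($CurrentKB -lt 10240) { return 10240 }
    if ($CurrentKB -eq 10240) { return 20480 }
    return $CurrentKB   # already larger than the article's values: leave unchanged
}

function Set-SecurityLogSize {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$LogName = 'Security')

    # Read the current configuration of the log.
    $log       = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $currentKB = [long]($log.MaximumSizeInBytes / 1KB)
    $targetKB  = Get-TargetLogSizeKB -CurrentKB $currentKB
    Write-Verbose "$LogName log: current $currentKB KB, target $targetKB KB, mode $($log.LogMode)"

    $changed = $false
    if ($targetKB -ne $currentKB) {
        $log.MaximumSizeInBytes = $targetKB * 1KB
        $changed = $true
    }
    # Circular corresponds to "Overwrite events as needed" in Event Viewer.
    if ($log.LogMode -ne 'Circular') {
        $log.LogMode = 'Circular'
        $changed = $true
    }

    if ($changed -and $PSCmdlet.ShouldProcess($LogName, "Set maximum size to $targetKB KB, overwrite as needed")) {
        $log.SaveChanges()
    }

    # Re-read the log so the output reflects what is actually in effect.
    Get-WinEvent -ListLog $LogName |
        Select-Object LogName, MaximumSizeInBytes, LogMode, FileSize, IsLogFull
}

# Preview only; remove -WhatIf to apply the change.
Set-SecurityLogSize -Verbose -WhatIf
```

If a domain Group Policy Object defines the security log size or retention method, its values are reapplied at the next policy refresh, so on domain controllers make the change in the GPO as described in the next section.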
2] Adjusting the maximum log size with GPMC
To set the maximum log size using the Group Policy Management Console, start by opening it. Press Win+R, type gpmc.msc, and hit Enter.
Select Domains, then pick the domain your computer connects to. Next, select Group Policy Objects, right-click on Default Domain Controllers Policy, and choose Edit from the menu.
Navigate through the following path:
Computer Configuration > Policies > Windows Settings > Event Log
Here, you will see an option titled Maximum security log size. Set this value to 10240. If it already reads 10240, adjust it to 20480.
Then, ensure that the Retention method for security log is set to Overwrite events as needed.
Finally, click OK to save your settings.
These steps should remediate the issue. If the problem persists, it may be necessary to reinstall Active Directory Domain Services. This can be achieved through the Server Manager and Windows PowerShell. Below, find a brief guide on uninstalling and reinstalling it if you are unfamiliar with the procedure.
To uninstall Active Directory Domain Services, launch PowerShell with administrative rights and enter the following command, which displays the syntax and parameters of the uninstall cmdlet:
get-help Uninstall-ADDSDomainController
If you wish to remove AD DS from an additional domain controller, use this command instead:
Uninstall-ADDSDomainController
If you prefer using Server Manager, deselect the Active Directory Domain Services checkbox within the Remove server roles tab.
A pop-up will appear, asking if you want to remove additional roles. If not, click OK.
Afterwards, you can reinstall it using PowerShell. Specify whether you intend to control your local or remote server. For a remote server, you will need to install Remote Server Administration Tools. For local installation, execute the following command:
Install-WindowsFeature -name AD-Domain-Services -IncludeManagementTools
Following this, list the cmdlets in the AD DS Deployment module with the command:
Get-Command -Module ADDSDeployment
For more details, running help on any of these cmdlets will show you its available arguments.
Once you’ve completed these steps, your issue should be resolved.
How do I resolve Event ID 521?
Typically, Event ID 521 occurs when your system surpasses the allowed maximum log size. To address this, open the Event Viewer, navigate to Windows Logs, right-click on Security, then select Properties. Change the size limit to 10240 and click OK.
What Event IDs are associated with clearing Security logs?
The Event IDs related to clearing security logs are 1100 and 1102. You will encounter one of these Event IDs whenever you clear an event log. For instance, the message will read: Event ID 1102: The audit log was cleared. Additionally, clearing System Logs will show Event Code 104.