Event ID: 521 Source: Security

Description:
Unable to log events to security log:
Status code: <error code>
Value of CrashOnAuditFail: <value>.

Comments:
Status code 0x80000005 - Systems with GFI EventsManager or GFI Languard installed may experience this type of problem. See EV100622 (GFI KBID001721) for details.

The event description contains a status code that may provide a first clue with regard to the source of the problem:

- 0x80000005 = "Buffer overflow"
- 0xc0000008 = "Invalid parameter" - See Error code 0xc0000008. - May indicate a full or a corrupted security event log. If the event log is full, adjust the size or the overwriting options.
- 0xc0000017 = "No memory"

The system drive (C:\Windows) on a Windows 2008 Server ran out of drive space. I cleared the Event logs after clearing up some drive space on the server. I continued to get the 521 events until I rebooted. May be a larger issue but it is working now.

This event indicates that for some reason (the clue being the error code specified in the event), the system cannot record any new event in the event log. This is considered a critical problem from a security perspective.

CrashOnAuditFail defines whether the system is configured to stop when it cannot record new security events, either because the Security Log in Event Viewer is full, or because the internal queue to the log has reached the maximum value that is established. This makes sure that an intruder cannot disable the logging in order to cover his tracks.

In any case, the administrator should check the obvious about the system's ability to record messages in the event log (restrictions on the log sizes, space on disk, corrupted disks, etc.). A reboot may temporarily fix the problem but not necessarily.
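
The checks recommended above (log size limit, overwrite mode, free disk space, and the CrashOnAuditFail setting) can be collected in one read-only PowerShell pass. This is an added example, not part of the original comments; the function name Get-AuditLogHealth is hypothetical, and the script assumes Windows Vista/Server 2008 or later and an elevated session.

```powershell
# Added example: read-only triage for Security event 521.
# Get-AuditLogHealth is a hypothetical name; run from an elevated session.
function Get-AuditLogHealth {
    param([string]$StatusCode)   # optional: status code copied from the event text

    # Status codes and meanings as listed on this page.
    $meaning = @{
        '0x80000005' = 'Buffer overflow'
        '0xc0000008' = 'Invalid parameter (log may be full or corrupted)'
        '0xc0000017' = 'No memory'
    }

    # CrashOnAuditFail: 0 = off, 1 = halt when an audit cannot be logged,
    # 2 = the system has already halted once; only administrators can log on.
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $coaf = if ($null -ne $lsa.CrashOnAuditFail) { $lsa.CrashOnAuditFail } else { 0 }

    # Size limit, current size and overwrite mode of the Security log.
    $log     = Get-WinEvent -ListLog Security
    $pctUsed = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)

    # Free space on the volume that holds the log file.
    $path   = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
    $drive  = (Split-Path -Path $path -Qualifier).TrimEnd(':')
    $freeGB = [math]::Round((Get-PSDrive -Name $drive).Free / 1GB, 2)

    # A log set to never overwrite (Retain), combined with CrashOnAuditFail = 1,
    # stops the machine as soon as the log fills up.
    $haltRisk = ($coaf -eq 1) -and ($log.LogMode -eq 'Retain')

    [pscustomobject]@{
        StatusMeaning    = if ($StatusCode) { $meaning[$StatusCode.ToLower()] }
        CrashOnAuditFail = $coaf
        LogMode          = $log.LogMode
        MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        PercentUsed      = $pctUsed
        IsLogFull        = $log.IsLogFull
        LogVolumeFreeGB  = $freeGB
        HaltRisk         = $haltRisk
    }
}

Get-AuditLogHealth -StatusCode '0xC0000008' | Format-List
```

A high PercentUsed with LogMode set to Retain, or a LogVolumeFreeGB close to zero, points at the log-size and disk-space causes named in the comments.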
