In this article  

• Issue description

• Prerequisites

• Possible causes

• Resolution

• Related topics and articles

• How to reach support

Issue description  

Event ID 521 is generated when the system fails to write audit events to the Security Log. This typically indicates a serious problem with the auditing mechanism on the system. When this event occurs, critical audit data might be lost, impacting security monitoring, forensic investigations, and compliance requirements. It is essential to resolve this promptly to restore reliable audit logging.

Prerequisites  

• ADAudit Plus service account or local system account if used should have the Manage auditing and security log privilege.

• Ensure the Windows Event Log service is running and set to Automatic startup.

• Ensure no conflicting Group Policies restrict security logging or overwrite settings.

Possible cause  s

• The Security log is full and set to not overwrite events.

• Insufficient permissions for the audit process to write to the log.

• Corruption or misconfiguration in the Windows Event Log service.

• Group Policy settings that prevent overwriting or managing log sizes.

Resolution

ADAudit Plus requires events to be logged correctly in the Event Viewer. If Event ID 521 is generated, it indicates that the system has failed to log security events resulting in log collection failure. To increase the security log size in the Event Viewer:

• Start > run > eventvwr.

• Double click Windows Logs > right click > Security > Properties.

• Set the Maximum log size (KB): to 4194240 KB which is 4GB.

• Click Apply and OK.

Issue: Windows Event Log service is not running

• Open Run (Win + R), type services.msc, and press Enter.

• Locate the Windows Event Log service, ensure it is running and set to automatic.

• If the service is stopped, right-click and start the service.

Related topics and documentation

• Event collection troubleshooting - general errors

  When and where to reach support

• If the issue persists, contact our support team here.