Working on Domain Controllers running Windows Server 2022 21H2, I am getting a slew of Event 521 entries in the Security log on about half of my DCs. The status code is 80000005, which I am told is a buffer overrun that can be resolved by increasing the BufferSize and MaximumBuffers in the Windows Registry.
I made that change in
HKLM/System/CurrentControlSet/Control/WMI/Autologger/EventLog-Security
Set BufferSize to 256 and MaximumBuffers to 64, and then rebooted. The 521 Events continue to accumulate and trigger Critical Alerts in ADAudit.
When I check the Security Log settings via PowerShell with this:
Get-WinEvent -ListLog Security -ComputerName dc-deadhorse-vm | Format-List *
I get this info back:
FileSize : 497094656
IsLogFull : False
RecordCount : 378351
LogName : Security
IsEnabled : True
LogFilePath :%SystemRoot%\System32\Winevt\Logs\Security.evtx
MaximumSizeInBytes : 537067520
LogMode : AutoBackup
ProviderBufferSize : 64
ProviderMinimumNumberOfBuffers : 0
ProviderMaximumNumberOfBuffers : 16
ProviderLatency : 1000
ProviderControlGuid :
Note that the BufferSize and MaximumBuffers appear to still be at the default values of 64 and 16 respectively, which would explain why changing the registry as I did made no difference.
Is this correct? What is the proper method to set these buffer values?
For additional information, I also did the following as advised in other forum discussions about Event 521; all resulted in no change:
Increased Log Size to 1GB
Enabled AutoArchive
Cleared the Security Log
Deleted and re-created the Security .evtx file
Confirmed permissions on the .evtx file
Confirmed adequate disk space
Rebooted the DC
Your input is appreciated!
It appears as if the correct registry location to adjust these values is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
There you would add REG_DWORD values for BufferSize (in KB) and MaxBuffers (# of buffers).
The default for BufferSize appears to be 64, and for MaxBuffers 20. There isn't much information on this available, so I can't guarantee that this works. I've never had to configure this on Windows, and I've been working with it for 25+ years.
You'll definitely have to reboot after setting this; I don't think you need to clear the event log or anything like that. Let us know if that helps.
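The procedure discussed in this thread, as an added example that is not code from either poster: it writes the BufferSize and MaxBuffers DWORDs under the Services\EventLog\Security key, then compares them with what Get-WinEvent reports and counts recent Event 521 entries. The function names, the host name DC01, the use of PowerShell remoting, and the values 128 and 32 are assumptions chosen for illustration.

```powershell
# Added example. Assumptions: value names BufferSize/MaxBuffers as given in this
# thread, WinRM remoting enabled, run as an administrator. 'DC01' is a placeholder.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

function Set-SecurityLogBuffers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$BufferSizeKB = 128,   # sample value, multiple of 64
        [int]$MaxBuffers   = 32     # sample value
    )
    foreach ($c in $ComputerName) {
        if (-not $PSCmdlet.ShouldProcess($c, "Set BufferSize=$BufferSizeKB MaxBuffers=$MaxBuffers")) { continue }
        Invoke-Command -ComputerName $c -ArgumentList $Key, $BufferSizeKB, $MaxBuffers -ScriptBlock {
            param($k, $size, $max)
            New-ItemProperty -Path $k -Name BufferSize -PropertyType DWord -Value $size -Force | Out-Null
            New-ItemProperty -Path $k -Name MaxBuffers -PropertyType DWord -Value $max -Force | Out-Null
        }
        # No restart is issued here; the thread says a reboot is required.
    }
}

function Get-SecurityLogBufferState {
    param([Parameter(Mandatory)][string[]]$ComputerName, [int]$LookbackHours = 24)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Key, $LookbackHours -ScriptBlock {
        param($k, $hours)
        $reg = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        $log = Get-WinEvent -ListLog Security
        $filter = @{ LogName = 'Security'; Id = 521; StartTime = (Get-Date).AddHours(-$hours) }
        $hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            RegBufferSize       = $reg.BufferSize
            EffectiveBufferSize = $log.ProviderBufferSize
            RegMaxBuffers       = $reg.MaxBuffers
            EffectiveMaxBuffers = $log.ProviderMaximumNumberOfBuffers
            # True when a configured value has not taken effect
            Mismatch            = ($null -ne $reg.BufferSize -and $reg.BufferSize -ne $log.ProviderBufferSize) -or
                                  ($null -ne $reg.MaxBuffers -and $reg.MaxBuffers -ne $log.ProviderMaximumNumberOfBuffers)
            Event521Count       = $hits.Count
        }
    }
}

# Usage (placeholder host name):
# Set-SecurityLogBuffers -ComputerName DC01 -WhatIf
# Get-SecurityLogBufferState -ComputerName DC01 | Format-Table
```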
My original question was how to correctly set the BufferSize and MaximumBuffers on the Windows Security Event Log. To confirm what Lucky Luke recommended, here's how you do it:
Edit registry key:
Add DWORDs BufferSize and MaxBuffers with your values—multiples of 64, such as 128 and 32 respectively—then reboot.
After reboot, you will find that these values are updated when you query with this PowerShell command: