Working on Domain Controllers running Windows Server 2022 21H2, I am getting a slew of Event 521 entries in the Security log on about half of my DCs. The status code is 80000005, which I am told is a buffer overrun that can be resolved by increasing the BufferSize and MaximumBuffers in the Windows Registry.
I made that change in
HKLM/System/CurrentControlSet/Control/WMI/Autologger/EventLog-Security
I set BufferSize to 256 and MaximumBuffers to 64, and then rebooted. The 521 Events continue to accumulate and trigger Critical Alerts in ADAudit.
When I check the Security Log settings via PowerShell with this:
get-winevent -ListLog security -computername dc-deadhorse-vm | fl *
I get this info back:
FileSize : 497094656
IsLogFull : False
RecordCount : 378351
LogName : Security
IsEnabled : True
LogFilePath :%SystemRoot%\System32\Winevt\Logs\Security.evtx
MaximumSizeInBytes : 537067520
LogMode : AutoBackup
ProviderBufferSize : 64
ProviderMinimumNumberOfBuffers : 0
ProviderMaximumNumberOfBuffers : 16
ProviderLatency : 1000
ProviderControlGuid :
Note that the BufferSize and MaximumBuffers appear to still be at the default values of 64 and 16 respectively, which would explain why changing the registry as I did made no difference.
Is this correct? What is the proper method to set these buffer values?
For additional information, I also did the following, as advised in other forum discussions about Event 521; all resulted in no change:
Increased Log Size to 1GB
Enabled AutoArchive
Cleared the Security Log
Deleted and re-created the Security .evtx file
Confirmed permissions on the .evtx file
Confirmed adequate disk space
Rebooted the DC
Your input is appreciated!