If you see Event ID 521 along with the message "Unable to log events to security log" on Windows Server, here is how you can fix the problem. It appears when the maximum log size is set to the minimum or to anything lower than the maximum.
In order to fix this issue, you need to change the maximum log size. There are two ways to do that. First, you can use the Event Viewer and second, you can use the Group Policy Management Console.
Event ID 521, Unable to log events to security log
To fix Event ID 521, Unable to log events to security log error in Windows Server, follow any one of these solutions:
- Set maximum log size using Event Viewer
- Set maximum log size using GPMC
How to change the maximum security log size in Windows Event Viewer
1] Set maximum log size using Event Viewer
To set the maximum log size using Event Viewer, open it first. You can search for event viewer in the Taskbar search box and click on the individual search result – or press Win+R, type eventvwr and hit the Enter button.
Once it is opened, expand the Windows Logs section, right-click the Security menu, and choose the Properties option from the context menu.
Here you can find an option called Maximum log size. If it is set to anything lower than 10240, set it as 10240. However, if it is set to 10240, set it as 20480.
Then, ensure that the overwrite events as needed option is selected.
Finally, click the OK button to save the change.
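The same Event Viewer steps can also be applied from an elevated PowerShell prompt. This is an added example, not part of the original article: the function name Get-TargetSizeKB is hypothetical, and the size values are the ones given above.

```powershell
#Requires -RunAsAdministrator
# Added example: reads the Security log settings and applies the article's rule.
# Get-TargetSizeKB is a hypothetical helper name, not a built-in cmdlet.

function Get-TargetSizeKB {
    param([long]$CurrentKB)
    # Article's rule: below 10240 -> 10240; exactly 10240 -> 20480.
    # Anything already larger is left unchanged.
    if ($CurrentKB -lt 10240) { return 10240 }
    if ($CurrentKB -eq 10240) { return 20480 }
    return $CurrentKB
}

# EventLogConfiguration object for the Security log (needs elevation).
$log       = Get-WinEvent -ListLog Security
$currentKB = [long]($log.MaximumSizeInBytes / 1KB)
$targetKB  = Get-TargetSizeKB -CurrentKB $currentKB

# Show the state before changing anything.
$status = $currentKB, [long]($log.FileSize / 1KB), $log.LogMode, $log.IsLogFull
"Security log: max {0} KB, file {1} KB, mode {2}, full: {3}" -f $status

$changed = $false
if ($targetKB -ne $currentKB) {
    $log.MaximumSizeInBytes = $targetKB * 1KB
    $changed = $true
}

# Circular is the mode Event Viewer shows as "Overwrite events as needed".
$circular = [System.Diagnostics.Eventing.Reader.EventLogMode]::Circular
if ($log.LogMode -ne $circular) {
    $log.LogMode = $circular
    $changed = $true
}

if ($changed) {
    $log.SaveChanges()
    # Re-read the configuration to confirm what was actually stored.
    $log = Get-WinEvent -ListLog Security
    "Updated: max {0} KB, mode {1}" -f ($log.MaximumSizeInBytes / 1KB), $log.LogMode
} else {
    "No change needed."
}
```

Where a Group Policy Object defines the Security log size or retention method, the policy value takes precedence over a change made locally like this.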
2] Set maximum log size using GPMC
To set the maximum log size using the Group Policy Management Console, you need to open it first. For that, press Win+R to open the Run prompt, type gpmc.msc and hit the Enter button.
Click on the Domains option and choose the domain your computer is connected to. Then, select the Group Policy Objects, right-click on the Default Domain Controllers Policy, and choose the Edit option from the right-click context menu.
After that, navigate to this path:
Computer Configuration > Policies > Windows Settings > Event Log
Here, you can find an option called Maximum security log size. Set the maximum log size as 10240. However, if it is already set to 10240, set it to 20480.
Then, head to the Retention method for security log and choose the Overwrite events as needed option.
Finally, click the OK button to save all the changes.
This solution should fix your problem. However, if it doesn’t do anything, you must re-install Active Directory Domain Services. You need to use the Server Manager and Windows PowerShell to do this. Here is a brief explanation of how to uninstall and re-install it on Windows Server if you don’t know how.
To uninstall Active Directory Domain Services, you need to open the PowerShell with administrator permission and enter this command:
get-help Uninstall-ADDSDomainController
However, if you want to remove AD DS from an additional domain controller, enter this command:
Uninstall-ADDSDomainController
However, if you want to do the same using Server Manager, you need to remove the tick from the Active Directory Domain Services checkbox in the Remove server roles tab.
Following that, a pop-up window asks whether you want to remove other roles. If not, click the OK button.
Next, you need to install it again, and you can use Windows PowerShell. However, you must indicate whether you want to install AD DS to control your local or remote server. If you want to control a remote server, install Remote Server Administration Tools. Otherwise, you can use this command:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Following that, you need to run the AD DS Deployment Module. The following command will do the job:
Get-Command -Module ADDSDeployment
For your information, you can run the help to find out all the arguments.
Once you do that, your problem will be resolved.
How do I fix Event ID 521?
In general, Event ID 521 appears when your computer exceeds the maximum log size. To fix the issue, you need to increase the maximum log size as soon as possible. To do so, open the Event Viewer, go to Windows Logs, right-click on Security, and choose Properties. Then, change the size limit to 10240 and click the OK button.
What is the Event ID for clearing Security logs?
There are two Event IDs for clearing security logs, 1100 and 1102. You can find the same Event ID when you clear an event log. For example, the message looks like this: Event ID 1102: The audit log was cleared. On the other hand, if you clear System Logs, it will appear as Event Code 104.