Recently, I started to experience this issue on a large number of servers in our domain environment. We have configured audit policies so that user and system activity in specified event categories is recorded.
This is what our audit policy looks like:
We created a plan before implementing the audit policy and rolled the collection out across our organization. Everything seemed perfect.
The maximum size of the Security log was set to 200MB, which we assumed would be enough.
But recently I started receiving notifications that there was a problem storing security logs. The warning messages usually concerned CrashOnAuditFail, Event ID 521 and Event ID 1101.
The next thing I did was go to the server and examine the logs myself. I filtered the Security log to show only Event ID 521.
As you can see, the event description says that events could not be logged to the Security log. At this point I thought we had hit the 200MB log size limit.
I wrote down the time and date, so now I will filter by that date.
I noticed that there were literally thousands of success and failure audit events written to the Security log just before the warning, and that logging resumed after around 12 minutes.
Next, of course, I googled a bit 🙂
I found that this can happen either because the log's internal queue has reached its maximum or because the Security log is full. But since logging to the Security log resumed after 12 minutes, I assumed the former was the more likely cause here.
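The investigation described above (filter for Event ID 521, note the time, look at what was written just before it) and the log-full versus queue-overrun question can be scripted. The following is an added example, not code from the original post: it reads the Security log configuration, locates 521/1101 events, and summarises the burst of audit events preceding each one. The 12-minute lookback window and the `$Top` count are assumptions chosen to match the observation in the post; the event IDs and the `Get-WinEvent` parameters are standard Windows.

```powershell
# Added example, not from the original post: reproduce the investigation above on a
# server. Confirm whether the Security log itself is full (versus a saturated audit
# queue), locate the 521/1101 write-failure events, and summarise what was flooding
# the log in the minutes before each one. Run from an elevated session.
param(
    [int]$LookbackMinutes = 12,   # assumption: matches the gap observed in the post
    [int]$Top = 10                # how many of the noisiest event IDs to print
)

# Step 1: log configuration. IsLogFull separates "log full" from "queue overrun".
$cfg = Get-WinEvent -ListLog Security
Write-Host ("Security log: {0:N0} MB max, mode {1}, {2:N0} records, full={3}" -f
    ($cfg.MaximumSizeInBytes / 1MB), $cfg.LogMode, $cfg.RecordCount, $cfg.IsLogFull)

# Step 2: find the failures. 521 = unable to log events to the Security log,
# 1101 = audit events dropped by the transport (both are written to the Security log).
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(521, 1101) } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated
if (-not $failures) { Write-Host 'No 521/1101 events found.'; return }

# Step 3: for each failure, look back over the window and see what was being written.
foreach ($f in $failures) {
    $end   = $f.TimeCreated
    $start = $end.AddMinutes(-$LookbackMinutes)
    Write-Host ("`n=== Event {0} at {1:s} ===" -f $f.Id, $end)

    $burst = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue)
    Write-Host ("{0:N0} events in the preceding {1} min ({2:N0}/min)" -f $burst.Count, $LookbackMinutes, ($burst.Count / $LookbackMinutes))

    # Success vs failure split, taken from the event keywords.
    $burst | Group-Object { $_.KeywordsDisplayNames -join ',' } |
        ForEach-Object { Write-Host ("  {0,8}  {1}" -f $_.Count, $_.Name) }

    # Noisiest event IDs with the first line of a sample message, which points at the
    # audit subcategory generating the volume.
    $burst | Group-Object Id | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            $msg = ($_.Group[0].Message -split "`r?`n")[0]
            Write-Host ("  {0,8}  ID {1,-5} {2}" -f $_.Count, $_.Name, $msg)
        }
}
```

On a 200MB Security log the time-window queries can take a while; narrowing `$LookbackMinutes` or running against a saved `.evtx` copy (`-Path` instead of `LogName` in the hashtable) keeps the analysis off the production host.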
So, to solve this issue, there are two things which we could have done:
- Add more CPU and RAM
- Change the Audit Policy settings
Unfortunately, we could not just add more hardware, so we ended up changing the policy settings. And it helped 🙂
Since we changed the audit policy settings, everything has gone back to normal.
To cut a long story short, if you have run into this issue and want to review your audit policy settings, this is a good guide:
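Before changing any setting, it helps to capture the effective policy on the affected host and see which subcategories are generating both success and failure events. The following is an added example and is not the guide the post refers to: it uses the built-in `auditpol /get /category:* /r` CSV output, saves a dated snapshot for later comparison or rollback, and lists the subcategories set to Success and Failure. The snapshot path under `$env:TEMP` is an assumption.

```powershell
# Added example, not the guide the post refers to: snapshot the effective audit policy
# on this host (auditpol /r emits CSV), keep a copy for comparison, and list the
# subcategories that currently audit both Success and Failure, which are the usual
# starting point when trimming Security log volume. Requires an elevated session.
$rows = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

# Keep a dated snapshot so the change can be reviewed or rolled back later.
$snapshot = Join-Path $env:TEMP ("auditpol-{0}-{1:yyyyMMdd}.csv" -f $env:COMPUTERNAME, (Get-Date))
$rows | Export-Csv -Path $snapshot -NoTypeInformation
Write-Host "Saved policy snapshot to $snapshot"

# How many subcategories fall under each setting.
$rows | Group-Object 'Inclusion Setting' | Sort-Object Count -Descending |
    ForEach-Object { Write-Host ("{0,4}  {1}" -f $_.Count, $_.Name) }

# Subcategories auditing both outcomes: cross-check each against the noisy event IDs
# seen in the Security log before deciding which ones to scale back.
Write-Host "`nSubcategories set to Success and Failure:"
$rows | Where-Object { $_.'Inclusion Setting' -eq 'Success and Failure' } |
    ForEach-Object { Write-Host ("  {0}" -f $_.Subcategory) }
```

Running the same snapshot after the policy change and diffing the two CSV files gives a record of exactly which subcategories were adjusted, which is useful when the audit policy is later reviewed.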