I'm having an issue where my security event log is not loggin any events, except for: Event ID 521 Source: Security Unable to log events to security log: Status code: 0xc0000008 Value of CrashOnAuditFail: 0 Number of failed audits: 50 The server is Windows Server 2008 Standard SP1 x64. The log is set to Archive when full, the disk has plenty of space (80G). I've seen some mention on various other forums suggesting changing the Bound key in HKLM\SYSTEM\CurrentControlSet\Control\LSA, but I don't actually know what to change it to, or how to change it. I've reduced some of the things I audit, to no avail. Any suggestions? Thanks in Advance! Mike Scott

Hi Mike, It seems this issue is related to GFI software: http://kbase.gfi.com/showarticle.asp?id=KBID001721 Have you installed GFI software on your computer? If so, I suggest contacting GFI for direct assistance. Does any related symptom appear on the computer? Tim Quan TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

No, I don't have any GFI software installed. The only non-microsoft Application I have installed is McAfee. One thing I neglected to mention is that the server is a domain controller. I've seen this issue on various forums, although most have different status codes. Here's what appears to be the identical issue on another Technet forum that was never solved, or at least never had a solution posted. Here's another case where the status code is different, but the same as this post. Those two have the same status code, and no resolution posted. By any strange chance can you tell me what a status code of "0xC0000008" means? I did update the registry key I mentioned above, and doubled the value in upper bound. So far that hasn't fixed the problem. I assume that I have to reboot or restart a service before it takes effect. Any suggestions?

I believe that restarting the server made it read the new registry value, and I'm able to log events now. Previously I had changed my audit policy to audit fewer events, I've put that back to the original settings, and I will monitor the server to see if the problem comes back.

Thank you for the update.