Unable to log events to security log
We are getting entries in our security log which indicate Windows is unable to log events to the security log on our Windows 2008 x86 servers. The security log is set to auto-overwrite after it reaches 80MB (the size recommended by our PCI/CISP server hardening tool). I've done some googling online and found a few other people with this issue, but no one seems to know precisely what causes it or how to fix it. Anyone have any ideas?

Thanks
Brad

Log Name: Security
Source: Security
Date: 12/14/2009 9:07:25 AM
Event ID: 521
Task Category: System Event
Level: Information
Keywords: Classic,Audit Success
User: SYSTEM
Computer: SERVER.DOMAIN.net
Description:
Unable to log events to security log:
Status code: 0xc0000017
Value of CrashOnAuditFail: 0
Number of failed audits: 50

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">521</EventID>
    <Level>0</Level>
    <Task>1</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2009-12-14T14:07:25.000Z" />
    <EventRecordID>13582756</EventRecordID>
    <Channel>Security</Channel>
    <Computer>SERVER.DOMAIN.net</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>0xc0000017</Data>
    <Data>0</Data>
    <Data>50</Data>
  </EventData>
</Event>
December 14th, 2009 5:32pm

The status 0xC0000017 is STATUS_NO_MEMORY, which probably means your machine is running out of memory somewhere, probably in kernel mode, or the service has some other problems. Do you log lots of events? Maybe your server is so overloaded with events to be logged that they cannot fit into memory before they are flushed to disk. I would go for some memory counters in Task Manager and the Performance Monitor and would try to establish what consumes the memory. Do you also have enough free disk space?

ondrej.
December 14th, 2009 5:38pm
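
The following is an added example, not code from any poster in this thread: PowerShell that decodes the Event ID 521 record quoted in the first post and, on a live server, counts such events per hour and samples the memory counters suggested in the reply above. The function names and the one-entry status table are assumptions of the example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
# The status table holds only the code identified in the thread.
$StatusNames = @{ '0xc0000017' = 'STATUS_NO_MEMORY' }

# Turn one Event ID 521 record (as XML) into an object with named fields.
function ConvertFrom-Event521 {
    param([Parameter(Mandatory = $true)][string]$EventXml)
    $e = ([xml]$EventXml).Event
    if ($e.System['EventID'].InnerText -ne '521') { return }
    # EventData order as shown in the post: status, CrashOnAuditFail, failed-audit count
    $d = @($e.EventData.ChildNodes | ForEach-Object { $_.InnerText })
    $status = $d[0].ToLowerInvariant()
    $name = $StatusNames[$status]
    if (-not $name) { $name = 'unknown' }
    [pscustomobject]@{
        TimeUtc          = [datetime]::Parse($e.System.TimeCreated.SystemTime).ToUniversalTime()
        Computer         = $e.System.Computer
        Status           = $status
        StatusName       = $name
        CrashOnAuditFail = [int]$d[1]
        FailedAudits     = [int]$d[2]
    }
}

# The event quoted in the first post, trimmed to the fields used here.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="0">521</EventID>
    <TimeCreated SystemTime="2009-12-14T14:07:25.000Z" />
    <Computer>SERVER.DOMAIN.net</Computer>
  </System>
  <EventData><Data>0xc0000017</Data><Data>0</Data><Data>50</Data></EventData>
</Event>
'@
ConvertFrom-Event521 $sample | Format-List

# Live use (elevated prompt): count 521 events per hour to see when the bursts occur.
function Get-Event521ByHour {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 521 } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event521 $_.ToXml() } |
        Group-Object { $_.TimeUtc.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name | Select-Object Name, Count
}

# Sample kernel pool and available memory to compare against the hours found above.
function Get-KernelMemorySample {
    $paths = '\Memory\Pool Nonpaged Bytes', '\Memory\Pool Paged Bytes', '\Memory\Available MBytes'
    (Get-Counter -Counter $paths).CounterSamples | Select-Object Path, CookedValue
}
```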

We have 241GB of free disk space so that shouldn't be a problem. The server is running Windows 2008 x86 Enterprise with 4GB of RAM. As for the number of events we collect - we are required by PCI/CISP regulations to enable auditing for all sorts of things. So we do tend to create a lot of entries. To give you an idea, between 12/8/2009 and 12/15/2009 we generated 147,162 events, so that's about 21,000 per day or 875 per hour.

In Task Manager I am seeing the following information:

Physical Memory (MB)
Total: 4090
Cached: 3359
Free: 8

Kernel Memory (MB)
Total: 424
Paged: 319
Nonpaged: 104

System
Handles: 20495
Threads: 1028
Processes: 60
Up Time: 574:58:38
Page File: 1209/841M

The free physical memory seems low? But maybe that's normal? Looking at the processes tab in Task Manager I don't see any one process that's consuming a lot of RAM. Any other suggestions?

Thanks
Brad
December 15th, 2009 6:03pm

It seems like you have a long disk queue and/or slow disk subsystem. Please configure your Performance Monitor with the Avg. Disk Queue Length counter and check that this length is less than 1 for some time (30-60 minutes).

http://www.sysadmins.lv
December 15th, 2009 11:35pm

These seem to come in spates. I set up perfmon with the counter you mentioned above and let it run for about an hour and forty minutes. During that time frame there were three occurrences of this issue. Looking at the perfmon counters I see the following:

Last: 0.000
Average: 0.000
Maximum: 0.006

That seems to be less than 1 as you mentioned above. Any other ideas?
December 20th, 2009 7:43am

Anyone else have any input on this situation? It's still occurring...
January 16th, 2010 9:00pm

I too am getting this same error. Details below...

Unable to log events to security log:
Status code: 0xc0000017
Value of CrashOnAuditFail: 0
Number of failed audits: 50

I have cleared the security log and it still occurs, so it's not a problem with it being full. This is occurring on 1 of our 2 DCs, despite them being built from the same Server 2008 image with the same SPs and patches installed and with the same group policy applied. Therefore I don't think it's a disk I/O problem. Not sure what else to do. Anyone got any suggestions?
February 8th, 2010 8:18pm

This topic is archived. No further replies will be accepted.
