5

I understand that status code 0xc0000008 means Invalid Handle.

How do you resolve this issue (besides a restart)?

What is the best way to determine the cause for this?

Log Name:      Security
Source:        Security
Date:          5/22/2014 8:44:18 AM
Event ID:      521
Task Category: System Event
Level:         Information
Keywords:      Classic,Audit Success
User:          SYSTEM
Computer:      hostname
Description:
Unable to log events to security log:
    Status code:        0xc0000008
    Value of CrashOnAuditFail:  0
    Number of failed audits:    51
jcarpio

2 Answers

1

An Invalid Handle means that a process tried to open a file and failed. In this case the file was likely the %SystemRoot%\System32\Winevt\Logs\Security.evtx Security Event Log file. You need to start investigating why that file was unable to be opened.

Start by creating a new .evtx file and checking the Overwrite Event Log settings. Make sure another process (local or remote) is not holding onto it while it scrapes events. Make sure you have enough hard drive space that there is actually room to write to the file. Check for underlying hardware failure and/or file system corruption.

If that doesn't suss out something that looks like a possible cause, you are going to need to gather more information. Sysinternals' ProcMon can be useful here if you attach it to the EventLog process (see my answer here for an example of how to do this). If you still do not find anything that looks like an obvious cause, your best bet would be to go to Microsoft Support.

  • Created new .evtx (Cleared log; Overwrite has been set all along) but 521's keep coming. – jcarpio May 22 '14 at 21:17
  • @jcarpio - Did you make sure your disk isn't full, your file system is consistent and you don't have underlying hardware issues? If so, proceed to ProcMon and/or Support. There's not enough information here to really figure out what is going on. –  May 23 '14 at 01:32
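
The checks listed in the answer above (log settings, free disk space, file system state), plus a tally of the status codes reported by recent 521 events, as a read-only PowerShell sketch. This is an added example and not part of either answer; it assumes an elevated prompt and that event 521 is recorded in the Security log, as in the question.

```powershell
# Added triage sketch for Event ID 521 (not from the original posts). Read-only.
$ErrorActionPreference = 'Stop'

# 1. Security log configuration: file path, retention mode, size limit, full flag.
$log     = Get-WinEvent -ListLog Security
$logPath = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
[pscustomobject]@{
    Path       = $logPath
    Enabled    = $log.IsEnabled
    LogMode    = $log.LogMode            # Circular = overwrite events as needed
    IsLogFull  = $log.IsLogFull
    FileSizeMB = [math]::Round($log.FileSize / 1MB, 1)
    MaxSizeMB  = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
} | Format-List

# 2. Free space on the volume that holds the .evtx file.
$drive = Split-Path -Path $logPath -Qualifier        # e.g. "C:"
$disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
'{0} free: {1:N1} GB of {2:N1} GB' -f $drive, ($disk.FreeSpace / 1GB), ($disk.Size / 1GB)

# 3. File system state: reports whether the volume's dirty bit is set.
fsutil dirty query $drive

# 4. CrashOnAuditFail as configured (the 521 event in the question reports 0).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"CrashOnAuditFail = $($lsa.CrashOnAuditFail)"

# 5. Recent 521 events grouped by the status code in their description,
#    to see whether 0xc0000008 is the only failure and when it started.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 521 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue
$events | ForEach-Object {
    $status = if ($_.Message -match 'Status code:\s+(0x[0-9a-fA-F]+)') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{ Time = $_.TimeCreated; Status = $status }
} | Group-Object Status | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{
        Status = $_.Name
        Count  = $_.Count
        First  = $times[0]
        Last   = $times[-1]
    }
} | Format-Table -AutoSize
```
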
0

Reboot the server to resolve this issue.

ms technet source

integratorIT