I'm tasked with the monitoring and analysis of various logs via our SIEM solution, LogRhythm.
I noticed a few weeks back that we had large volumes of this event originating from all of our domain controllers. The log data is as follows:
EventID: 521
Event Data: unable to log events to the security log
Status code: 0x80000005
Value of CrashonAuditFail: 0
Number of failed audits: 1
I've ensured that all domain controllers have sufficient disk space to write to the log & that the logs are configured to overwrite the oldest logs first. Servers have been bounced in the last few days but the issue remains.
I have read some suggestions about renaming the security event and restarting the machine so that a new event file is created but I can't believe that the event file has become corrupt on all domain controllers.
It's also worth noting that all of the impacted domain controllers are in fact writing other events to the security event log!
We are getting ~61.34k of these events a day.
Any pointers would be massively appreciated.
The 0x80000005 status code in the event description means "access denied". So it is possible that some application is trying to record events in the security log but it doesn't have the required permissions (for more reasons for an "access denied" error see http://www.eventid.net/errorsdisplay.asp?error_code=5 - sometimes the message is deceiving). A corrupted log would cause a status code of 0xc0000008 (Invalid handle) so I don't think that's the case here.
Based on the number of events that you mentioned and assuming that the 19 DCs have a similar number of events recorded, it looks like this event is recorded every 30 seconds? Can you verify that? If that's not the case, what is the frequency of the 521 events?
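One way to answer the frequency question above, as an added example that is not part of this thread: the script below pulls the last 24 hours of event 521 from each domain controller's Security log, computes the gaps between consecutive occurrences and tallies the status codes reported in the message text. It assumes you have rights to read the Security log remotely and that the DC names are placeholders to replace with your own.

```powershell
# Added example, not from the original thread: measure how often Security
# event 521 is written per domain controller and summarise its status codes.
# Assumptions: remote read access to the Security log; DC names are placeholders.
$DomainControllers = @('DC01', 'DC02')   # placeholder names, replace with yours
$Since = (Get-Date).AddHours(-24)

foreach ($dc in $DomainControllers) {
    try {
        $events = @(Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 521
            StartTime = $Since
        } -ErrorAction Stop | Sort-Object TimeCreated)
    } catch {
        # Get-WinEvent throws both when access is denied and when no events match
        Write-Warning "$dc : no 521 events or log not readable ($($_.Exception.Message))"
        continue
    }
    if ($events.Count -lt 2) {
        Write-Output "$dc : $($events.Count) event(s) in the last 24h, no interval to compute"
        continue
    }
    # Seconds between consecutive 521 events; a steady ~30 s gap points to a timer-driven source
    $gaps = for ($i = 1; $i -lt $events.Count; $i++) {
        ($events[$i].TimeCreated - $events[$i - 1].TimeCreated).TotalSeconds
    }
    $stats = $gaps | Measure-Object -Average -Minimum -Maximum
    # Pull the "Status code: 0x........" line out of the rendered message and count each value
    $codes = $events | ForEach-Object {
        if ($_.Message -match 'Status code:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { 'unknown' }
    } | Group-Object | ForEach-Object { "$($_.Name)=$($_.Count)" }
    [pscustomobject]@{
        DC          = $dc
        Count24h    = $events.Count
        AvgGapSec   = [math]::Round($stats.Average, 1)
        MinGapSec   = [math]::Round($stats.Minimum, 1)
        MaxGapSec   = [math]::Round($stats.Maximum, 1)
        StatusCodes = ($codes -join ', ')
    }
}
```

A near-constant minimum and maximum gap on every DC suggests a single scheduled process rather than an audit-log capacity problem, which narrows the search to whatever runs on that cadence.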