KBI 220701 Event IDs 516 and 521




1 Jul 2007


Windows Event ID 516 is logged when a server is overloaded or its event queues overflow.

Technical Background

This typically occurs when a server is unable to write more events to the event log. In either case, no future audit events are logged to the server until the situation is addressed.

To analyze the importance and possible consequences of these events, imagine that someone attempts unauthorized access to the system and wishes to hide the attempt.

One method is to overflow the server’s event log with countless entries, up to the point where 516 or 521 is logged – and auditing stops. This means future events are dropped until the queues are freed up.

As long as the event queues are kept busy with dummy entries, the attacker can freely perform operations on the server knowing they will not be audited.

A Denial of Service attack could be another cause of 516 being logged.

Argent Data Consolidator comes with a pre-installed Rule that monitors event logs for occurrences of 516 or 521 and alerts upon discovery.

Once Argent warns you about this event, immediate action is required.

NOTE: It is possible for these events to occur if the maximum security event log size has been reached and the log is NOT set to overwrite.
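
As a triage aid once a 516 or 521 alert fires, the following added example (not part of the original article and not Argent's Rule) scans an exported Security log for these IDs, counts the events logged just before each one, and measures the silent gap that follows, during which activity may be unaudited. The CSV layout (`TimeCreated`, `Id`), the five-minute window, the threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

AUDIT_LOSS_IDS = {516, 521}          # the two event IDs this article covers
FLOOD_WINDOW = timedelta(minutes=5)  # assumed look-back window
FLOOD_THRESHOLD = 5                  # assumed; kept small so the sample trips it

# Constructed sample export, not real log data; other IDs are filler events.
SAMPLE = """TimeCreated,Id
2007-07-01T09:58:00,538
2007-07-01T10:00:01,560
2007-07-01T10:00:02,560
2007-07-01T10:00:03,560
2007-07-01T10:00:04,560
2007-07-01T10:00:05,560
2007-07-01T10:00:07,516
2007-07-01T10:45:00,528
2007-07-01T12:00:00,521
"""

def load_events(text):
    """Parse the export into (timestamp, event_id) tuples sorted by time."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted((datetime.fromisoformat(r["TimeCreated"]), int(r["Id"])) for r in rows)

def audit_loss_findings(events):
    """For each 516/521, report the preceding burst and the following silent gap."""
    findings = []
    for i, (ts, eid) in enumerate(events):
        if eid not in AUDIT_LOSS_IDS:
            continue
        burst = sum(1 for t, _ in events[:i] if ts - t <= FLOOD_WINDOW)
        nxt = events[i + 1][0] if i + 1 < len(events) else None
        findings.append({
            "time": ts,
            "event_id": eid,
            "events_before": burst,
            "flood_suspected": burst >= FLOOD_THRESHOLD,
            # Gap until the next recorded event: activity here may be unaudited.
            "blind_seconds": (nxt - ts).total_seconds() if nxt else None,
        })
    return findings

if __name__ == "__main__":
    for f in audit_loss_findings(load_events(SAMPLE)):
        print(f)
```

A high `events_before` count points toward a flooded log, while a low count is more consistent with the full-log condition described in the NOTE; a `blind_seconds` of `None` means no later event was recorded in the export.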