Erin Stellato recommends putting the system health extended event on a diet:
In Aaron’s post he refers to the security_error_ring_buffer_recorded event as “unactionable noise”, and frankly I can’t think of a better term for it. I’ve never used it to troubleshoot it any authentication/security issue, and I’m very confident that Microsoft isn’t using it in its current state either. In terms of the volume of that event, for the new client system that I looked at recently the five system_health files covered about four (4) hours of time. Of the 1,851,741 million events captured in that time frame, the security_error_ring_buffer_recorded event showed up 1,838,882 times. That’s 99.3% of the events…absolute noise.
Erin shows you how to turn this off and get rid of a mess of unhelpful messages.