When I add and/or change a file on that path, it takes until the next day before I can see this in the Search.
If I manually click update in the monitoring plan, then after a few hours, that status changes from working to ready again, and then I can see the adds/changes until the time that I pressed the update button.
Not anymore. Yesterday morning, I had the message: Could not locate the end of the event log for 'srv02'. The event log might have been overwritten.
But that was probably because I was monitoring all 4 actions (success and failed changes and read access). Changed that yesterday morning to only successful changes.
However, the security log itself on the fileserver still contains data from 2 days ago, so I'm not sure why I even got this message.
The event ID 1102 "The audit log was cleared." forces the full update of the snapshot, which might take a while, so it was a good idea to reduce the scope of the audit to successful changes only. Usually the security event log overwrite is caused by successful reads; auditing that action generates a huge number of events.
Watch for a few days how fast the data collection goes after changing to successful changes only; I think it should be better.
Just in case, what is the maximum size of the security event log on the file server?
The very first collection takes a few hours because it collects a snapshot, and so does a full update of the snapshot. The regular collection updates the snapshot based on the events and, depending on the number of changes performed since the last data collection, may take from several minutes to hours.
Please share the logs; I will take a look to see if there is any problem.
I need the entire folder "NwFileStorageSvc"; it is located here: C:\ProgramData\Netwrix Auditor\Logs\DataCollectionCore\
Based on the log, the security event log is overwritten twice a day. As I previously mentioned, this forces the full update of the snapshot and may take a while.
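
A way to answer the question above about the Security log's maximum size and how quickly it wraps, as an added example that is not part of the original thread or of Netwrix's own tooling. It assumes an elevated PowerShell session on the file server and uses only the built-in Get-WinEvent cmdlet; the 5000-event sample size is an arbitrary choice.

```powershell
# Added example (not from the thread): how long does the Security log retain events?
# Assumes an elevated session on the file server; reading the Security log requires it.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
$newest = Get-WinEvent -LogName Security -MaxEvents 1

# Time span currently covered by the log, guarded against a near-empty log
$hours = [math]::Max(($newest.TimeCreated - $oldest.TimeCreated).TotalHours, 0.01)
$bytesPerHour = $log.FileSize / $hours

[pscustomobject]@{
    LogMode        = $log.LogMode      # Circular means the oldest events are overwritten
    MaxSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    CurrentSizeMB  = [math]::Round($log.FileSize / 1MB, 1)
    RecordCount    = $log.RecordCount
    OldestEvent    = $oldest.TimeCreated
    HoursCovered   = [math]::Round($hours, 1)
    EventsPerHour  = [math]::Round($log.RecordCount / $hours)
    MBNeededFor24h = [math]::Round(($bytesPerHour * 24) / 1MB, 1)
} | Format-List

# Which event IDs fill the log (sample of the most recent 5000 events)
Get-WinEvent -LogName Security -MaxEvents 5000 |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name

# Any "The audit log was cleared" (1102) events still present in the log
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id
```

If HoursCovered is shorter than the interval between data collections, events are overwritten before they can be read; MBNeededFor24h gives a starting point for sizing the log.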