Audit Policies not returning any results


3 replies to this topic

#1 antros48

Posted 12 May 2017 - 10:27 AM

Hi everyone,

I recently purchased Netwrix software for AD and Fileservers. I have successfully installed the modules and the AD part is working just fine.

However, I cannot get the File Server part to work. I have already added what I believe are the appropriate GPOs and auditing policies on my file shares.

When I try to extract reports with results on who, where, etc., nothing shows up.

Is there something that users usually forget to set up that I should have a look at?

Thank you



#2 jeffb

Posted 12 May 2017 - 05:05 PM

Hello,

 

If you are current on support/maintenance you are welcome to give us a call or create a case on our Customer Portal.  The reasons this is happening could be quite extensive so I recommend this.  However, the most common is that audit settings were configured but not applied by GPO because of precedence, conflict or some other reason.  The best way to verify audit configuration is to run the following command from an elevated command prompt on the fileserver: auditpol /get /category:*  This will list audit settings that are APPLIED to the machine.  Also, SACLs have to be set on the files/folders that you want to audit and it is not enough to just configure auditing at the server level.  Another potential reason is event log overwrites.  These 3 reasons are typically well documented in the errors and warnings that you receive, however.  Anything beyond that, I recommend a support case for further clarification on the above as well as other options once those 3 have been confirmed on our end.

 

-Jeff
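
The three checks named in the reply above (applied audit policy, SACL on the audited folder, Security log overwrites) as one script. This is an added example, not part of the original post and not Netwrix tooling; the share path is a placeholder, and the subcategory names shown assume an English-language Windows and are an illustrative selection.

```powershell
# Added example. Run from an elevated PowerShell prompt on the file server.
param(
    # Placeholder path (assumption): replace with the local path behind the audited share.
    [string]$SharePath = 'D:\Shares\Example'
)

# 1. Audit policy that is actually APPLIED to this machine, regardless of what
#    any GPO is configured to do. /r emits CSV; blank lines are dropped first.
$applied = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
# Subcategory selection is an assumption for illustration; confirm the required
# set in the auditing product's documentation.
$fileRelated = 'File System', 'File Share', 'Handle Manipulation'
$applied |
    Where-Object { $_.Subcategory -in $fileRelated } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# 2. SACL on the folder itself. Server-level policy alone logs nothing for a
#    folder that has no audit entries. -Audit requires elevation.
$sacl = @((Get-Acl -Path $SharePath -Audit).Audit)
if ($sacl.Count -eq 0) {
    Write-Warning "No audit entries (SACL) on '$SharePath'; access to it is not logged."
} else {
    $sacl |
        Select-Object IdentityReference, FileSystemRights, AuditFlags,
                      IsInherited, InheritanceFlags |
        Format-Table -AutoSize
}

# 3. Security log overwrites. In Circular mode the oldest events are discarded
#    once the log reaches its maximum size, so a collector that reads the log
#    later than the retention window finds nothing.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
[pscustomobject]@{
    LogMode       = $log.LogMode
    MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    CurrentSizeMB = [math]::Round($log.FileSize / 1MB, 1)
    Records       = $log.RecordCount
    OldestEvent   = $oldest.TimeCreated
    RetainedHours = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)
} | Format-List
```

A small `RetainedHours` value on a log in `Circular` mode means events are being overwritten quickly; compare it with how often the auditing product collects from this server.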



#3 antros48

Posted 16 May 2017 - 07:32 AM

Thanks for the response. I followed your instructions and added the appropriate auditing policies on the shared folder. Now I get the modifications on the files and folders on the shared folder, but the field "Who" is always filled with "system". Also, I noticed in the Netwrix event viewer that I keep getting a Warning with event ID 6136 that says "Cannot resolve a drive letter for the object:\Device\HarddiskVolume4\%Sharename%. The drive record cannot be found in the mount manager's persistent name database for target host. This may lead to the loss of detected changer."

 

I don't know whether these two relate to each other. 

If I cannot find a solution for this either, then I will open a ticket for support, since I already purchased the product a week ago.

 

Thanks again, and I hope you can give me some advice to finally get it working.



#4 jeffb

Posted 16 May 2017 - 07:28 PM

Yes, I would recommend opening a case with us because the second issue as well as the first require tracing logs to understand the problem and make an appropriate recommendation.

 

-Jeff





