Who equals to "System", what does that mean ?


3 replies to this topic

#1 williamcheang

Posted 16 April 2018 - 03:31 AM

In my Netwrix server, the Search Result shows "Who: System". What does that mean?

NEWDC1 is my file server.
I created a text file remotely via NEWDC2, logged in as cat\administrator.
I am using Automatic Audit Setting, with no File Compression agent.
 
Who: system
Object type: File
Data source: File Servers
Monitoring plan: FileServer
Item: newdc1.cat.local (Computer)
Action: Added
What: \\newdc1.cat.local\NewShare_FrDC1\created remotely_DC2_Administrator_10_23am\xxxx10_23am.txt
Where: newdc1.cat.local
When: 4/16/2018 10:31:58 AM


#2 Paul.K

Posted 17 April 2018 - 06:04 AM

Hi William,

It means that the product was not able to find the corresponding event in the target server security log, and it caused 'System' in the 'Who' field.

What is your current version of the product?

Please check that auditing settings are configured according to the following article:

https://helpcenter.n...ows_Shares.html

Thanks!

#3 mike v

Posted 16 July 2018 - 07:13 PM

William,

Did you resolve this problem? I have the same issue. I'm going to look into what Paul said...



#4 williamcheang

Posted 19 July 2018 - 06:28 AM

Based on what I experienced, in some cases "Who=system" is due to the Security Log size not being set to 4GB, and other audit policies related to File Share Monitoring were set correctly.

But in other cases, where the Audit Policy is set correctly, the Security Log is set to 4GB and there is no error on collection, the captured audit result can still show "Who=System", which I still do not understand...
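
An added diagnostic example, not part of any post above and not Netwrix code: it checks on the file server whether the Security log still holds a file-access event (Windows event ID 4663) naming a real user for the file in question, which is the event post #2 says the product could not find, and compares the log size with the 4GB from post #4. The parameter names, the 15-minute search window and the choice of event 4663 are assumptions of this example; the file name and time are taken from the question.

```powershell
# Added example: run elevated on the file server (newdc1 in the thread).
param(
    [string]   $PathFragment     = 'xxxx10_23am.txt',      # file name from the question
    [datetime] $ChangeTime       = '2018-04-16T10:31:58',  # "When" value from the question
    [int]      $WindowMinutes    = 15,                     # assumption: search +/- 15 minutes
    [long]     $ExpectedLogBytes = 4GB                     # size mentioned in post #4
)

# 1. Security log size, and whether the log still reaches back to the change.
#    If the oldest record is newer than the change, the event was overwritten.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
[pscustomobject]@{
    MaxSizeBytes      = $log.MaximumSizeInBytes
    MeetsExpectedSize = $log.MaximumSizeInBytes -ge $ExpectedLogBytes
    LogMode           = $log.LogMode
    OldestEvent       = $oldest.TimeCreated
    ChangeStillInLog  = $oldest.TimeCreated -le $ChangeTime
} | Format-List

# 2. Effective Object Access audit subcategories (category name is for
#    English-language Windows); compare with the vendor article from post #2.
auditpol /get /category:"Object Access"

# 3. 4663 events around the change that mention the file, with the account
#    Windows recorded for each access.
$filter = @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $ChangeTime.AddMinutes(-$WindowMinutes)
    EndTime   = $ChangeTime.AddMinutes($WindowMinutes)
}
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.ObjectName -like "*$PathFragment*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object     = $data.ObjectName
                AccessMask = $data.AccessMask
            }
        }
    }
if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize }
else { Write-Warning "No 4663 event for '$PathFragment' within $WindowMinutes minutes of $ChangeTime." }
```

If step 3 returns nothing while the log does reach back past the change time, the event was never written, which points to the audit policy or the folder's auditing entries rather than the log size.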





