The Netwrix Auditor System Health log contains the following Event IDs:
Event ID 1016
The following error occurred when trying to launch the component responsible for collecting AD group membership from forest <forestName>: <error>
Event ID 1017
The following error occurred when trying to delete temporary data on AD group membership from the local storage: <error>
Event ID 1018
The following unexpected error occurred when trying to collect AD group membership: <error>
Event ID 1019
AD group membership was resolved with the following error; <error>
The product is unable to collect data on group membership of users who made changes. This does not affect audit data integrity; it only affects the ability to filter data by groups in audit reports.
Most likely, the cause is a problem accessing the AD domain that the users belong to, or the membership database.
- The default path to the database for Netwrix Auditor 7.0 – 8.0: %ProgramData%\Netwrix Auditor\Netwrix Auditor for SharePoint\Configuration\<Managed Object GUID*>\TempAuditArchiveMembershipMemberships.db.
- The default path to the database for Netwrix Auditor 8.5: %ProgramData%\Netwrix Auditor\ShortTerm\Netwrix Auditor for SharePoint\<GUID*>\TempAuditArchiveMembershipMemberships.db.
If the error contains a file name, make sure that it is accessible.
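One way to run that accessibility check, as an added example (not Netwrix's own code): the PowerShell below looks in both default locations listed above and tries to open the membership database in each GUID folder for read/write. It assumes you run it under the account Netwrix Auditor uses for data collection; the function name Test-MembershipDbAccess is hypothetical.

```powershell
# Added example, not Netwrix code. Run it as the account Netwrix Auditor uses
# for data collection (assumption: that account's access is what matters).
$dbName = 'TempAuditArchiveMembershipMemberships.db'
$roots = @(
    # Default location for Netwrix Auditor 7.0 - 8.0
    (Join-Path $env:ProgramData 'Netwrix Auditor\Netwrix Auditor for SharePoint\Configuration'),
    # Default location for Netwrix Auditor 8.5
    (Join-Path $env:ProgramData 'Netwrix Auditor\ShortTerm\Netwrix Auditor for SharePoint')
)

function Test-MembershipDbAccess {
    param([Parameter(Mandatory)][string]$Path)

    $result = [pscustomobject]@{ Path = $Path; Exists = $false; ReadWrite = $false; Error = $null }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Error = 'File not found'
        return $result
    }
    $result.Exists = $true
    try {
        # FileMode.Open never creates or truncates the file; FileShare.ReadWrite
        # avoids locking out a collector that already has the database open.
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        $result.ReadWrite = $true
    } catch {
        # "Access ... is denied" points to permissions; "being used by another
        # process" means the file is locked, not that the ACL is wrong.
        $result.Error = $_.Exception.Message
    }
    return $result
}

# One result per GUID folder found under either default location
$results = foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root -PathType Container) {
        Get-ChildItem -LiteralPath $root -Directory | ForEach-Object {
            Test-MembershipDbAccess -Path (Join-Path $_.FullName $dbName)
        }
    }
}

if ($results) { $results | Format-List Path, Exists, ReadWrite, Error }
else { Write-Warning 'No GUID folders found under the default locations.' }
```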
You can also exclude these events from being logged to the Netwrix Auditor System Health log if you do not need to filter changes by groups.
Navigate to: %ProgramData%\Netwrix Auditor\Netwrix Auditor for SharePoint\Configuration\<GUID*>\omiteventloglist.txt.
* To view your Managed Object GUID, navigate to %programdata%\Netwrix Auditor\Audit Core\ConfigServer\Configuration.xml.
Find your monitoring plan name in the configuration file:
<a n="Name" t="2" v="your_SharePoint_Managed_Object_name"/>