Depending on the specific audited system you may notice you are getting SYSTEM for Who Changed in some of the changes that come in your reports or you happen to notice a lot of event ID 521 in your security event logs.
This event 521 is logged any time Windows is unable to write to the security event log.
More information about this event ID and it’s possible reasons can be found here: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=521
In most cases a reboot of the server that is having his issue is required. Upon reboot check the security event logs and ensure that no more 521 events are being written. Most Netwrix systems rely on these security event logs being written in order to gather all possible information about changes performed in your environment.