Refer to the KB258 for details about how Netwrix Auditor for VMware works.
Overwrites warnings occur because there is some gap between the last collected and the oldest of newly received events.
Try running collections more frequently by changing the notifications frequency under Monitoring Plan settings.
If this doesn’t help please perform the following steps to troubleshot this and localize the problematic place:
After receiving a change report for VMware with event overwrites warning and changes, which as a results of event overwrites were reported as made by system, retrieve audit events using VMware PowerCLI cmdlets by connecting to vCenter and ESX hosts:
1. Download and install VMware PowerCLI, this package contains set of Powershell cmdlets which can be used to retrieve audit events from ESX server vCenter.
2. Install-Module -Name VMware.PowerCLI -Scope CurrentUser
3. Import-Module VMware.PowerCLI
4. Set-PowerCLIConfiguration -InvalidCertificateAction Ignore
5. Run the Connect-VIServer cmdlet and connect to the VMware host (https://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/Connect-VIServer.html) by running this command:
Connect-VIServer “ESX hostname”
- A credentials window will appear. Enter the account that will read data from the vCenter.
6. Run Get-VIEvent cmdlet (https://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/Get-VIEvent.html) and get all events for last 24 hours by running the command:
Get-VIEvent -Entity * -Start (Get-Date).AddDays(-1) >> C:\%ESX_host_name%.txt
If the cmdlet returns timeout error, you might try to reduce the timeframe of requested events:
Get-VIEvent -Entity * -Start (Get-Date).AddHours(-1) >> C:\%ESX_host_name%.txt
Perform these steps for every ESX host which is managed with vCenter specified in Netwrix Auditor for VMware
7. Submit a ticket and provide us the following information:
- Events retrieved with VMware PowerCLI cmdlets from vCenter and ESX hosts (files created during the steps described in the section 6 above)
- Received the change report of VMware (after that receiving which the event files were generated) and inventory report
- Events (file with .events extension) from the following directory “C:\ProgramData\Netwrix Auditor\ShortTerm\VMA\GUID” after receiving the change report of Netwrix Auditor for VMware
Archive these files and provide them within the support ticket with our Technical Support team.