Netwrix Auditor System Health Log contains the following EventIDs:
Event ID 1216
The following error occurred when trying to launch the component responsible for collecting AD group membership from forest <forestName>: <error>
Event ID 1217
The following error occurred when trying to delete temporary data on AD group membership from the local storage: <error>
Event ID 1218
The following unexpected error occurred when trying to collect AD group membership: <error>
Event ID 1219
AD group membership was resolved with the following error; <error>
The product is unable to collect data on group membership of users who made changes. This does not affect audit data integrity and only affects the possibility to filter data by groups in audit reports.
Most likely, this is due to access issues to the AD domain that users belong to, or the membership database.
- The default path to the database: %ProgramData%\Netwrix Auditor\ShortTerm\Netwrix Auditor for SharePoint\<GUID*>\TempAuditArchiveMembershipMemberships.db.
If the error contains a file name, make sure that the file is accessible.
You can also exclude these events from being logged to the Netwrix Auditor System Health log if you do not need to filter changes by groups.
Navigate to: %ProgramData%\Netwrix Auditor\Netwrix Auditor for SharePoint\Configuration<GUID*>\omiteventloglist.txt.
* To view your Monitoring Plan GUID, navigate to %programdata%\Netwrix Auditor\Audit Core\ConfigServer\Configuration.xml.
Find your monitoring plan name in the configuration file:
<a n=”Name” t=”2″ v=”your_SharePoint_Monitoring_plan_name”/>