You receive reports containing no information or ‘System’ value in the ‘Who’ column. and there are no errors and warnings in the Netwrix Auditor System Health log.
There possible cause of this issue is Security Event Log on the File Server:
- The Security event log is not populated with new events.
- The Security event log was relocated.
- If you changed the Security event log location and did not reboot your file server, the system services may fail to update their settings based on the updated configuration. Therefore, you must reboot your file server.
- If you did not relocate the Security event log, perform one of the following to resolve the issue:
- Open the Security event log using the Event Viewer. If the log is corrupted or contains events with ID 521, this may indicate that there is not enough free disk space to store new information. Provide more disk space and clear the log. Refer to the The disk on a monitored file server is overfilled knowledge base article for more information.
- Make sure that either the Overwrite events as needed retention method is selected, or the Security log automatic archiving option is enabled. Refer to Netwrix Auditor Installation and Configuration Guide for more information.
- Verify your settings are not overwritten by Group Policies using the Resultant Set of Policies (RSoP) snap-in.