📄️ Audit Policy settings not applied on domain contro
Explains how to resolve when Audit Policy settings are not applied on a local domain controller due to enforced OU policies or obstructing audit.csv files.
📄️ Auditing Policies Not Enabled on Domain Controllers
If auditing policies are not being applied to some domain controllers, verify GPO distribution with Resultant Set of Policy and Local Group Policy Editor, and follow Microsoft troubleshooting resources to resolve GPO inheritance or application issues.
📄️ Auto-archiving Windows Security log
Shows how to enable automatic archiving of the Windows Security event log centrally for all domain controllers using Group Policy, and how to adjust retention settings for the archived logs on the Netwrix Auditor server.
📄️ Compression Service Encountered an Internal Error
Explains how to resolve the "Compression Service has encountered an internal error" (Event ID 2009) in a Windows Server Auditing monitoring plan by enabling TLS 1.2, configuring .NET and Schannel registry settings, and reviewing WinHTTP settings.
📄️ SSL/TLS Secure Channel Error
This article addresses the "Could Not Create SSL/TLS Secure Channel" error in Windows Server monitoring plans, detailing symptoms, causes, and resolutions.
📄️ Event Trace Session Does Not Exist or Is Configure
You encounter Event ID 1016 errors indicating "The event trace session does not exist or is configured incorrectly" in a Netwrix Auditor Windows Server monitoring plan. This article explains the possible causes and steps to resolve the issue, including adjusting event log settings and excluding removable media/hardware from monitoring on virtual machines.
📄️ High CPU usage on domain controllers
After you install Account Lockout Examiner (ALE), monitored domain controllers may show CPU spikes caused by WMI queries. This article describes two registry-based options to reduce CPU usage by changing how ALE communicates with domain controllers.
📄️ HKLM or HKU Error in Windows Server Auditing Monit
Describes and resolves Event ID 1016 'HKLM or HKU' error in the Health Log for the Windows Server Auditing monitoring plan in Netwrix Auditor by upgrading to build v10.7.13728 or later.
📄️ How do I enable security log autobackups on each d
Use the attached Security Log Autobackup.adm template to enable and configure automatic backups of the Security event log on domain controllers using Group Policy.
📄️ How Netwrix Auditor Collects Data from Replicated
Explains how Netwrix Auditor collects and displays data from replicated Domain Controllers, and how event log replication affects search results, reports, alerts, and emails.
📄️ How to Exclude Non-operable Domain Controllers fro
Shows how to exclude a non-operable or decommissioned domain controller from monitoring in Netwrix Auditor by adding it to the omitdclist.txt file in the Netwrix working folder.
📄️ Misconfigured Permissions and Policies Warnings in
This article lists common Health Log events related to misconfigured permissions and audit/policy settings in Windows Server monitoring plans, explains probable causes, and provides step-by-step resolutions to correct the configurations on target servers.
📄️ Monitoring CurrentControlSet Changes in Windows Se
Shows how to monitor changes to the CurrentControlSet subkey in Netwrix Auditor by specifying the ControlSet%%% subkeys in customregistrykeys.txt to avoid event mismatches.
📄️ Netwrix Auditor for Windows Servers: EventID 2007:
When the Netwrix Auditor for Windows Server Audit Service fails to run on the host, EventID 2007 appears in the System Health log and the service stops shortly after start. This article explains the cause and shows how to remove the invalid certificate to restore the service.
📄️ Nwx Executables Removed and Readded to Domain Cont
Explains why Nwx executables are regularly removed and re-added to domain controllers and confirms this is expected behavior related to the network traffic compression service.
📄️ Process Cannot Access the File in Windows Server M
When configuring a Windows Server monitoring plan, Netwrix Auditor may log an Event ID 1016 indicating that a file is in use. This article explains the cause and shows how to resolve it by specifying the computer FQDN.
📄️ Request Is Not Supported — Windows Server Auditing
This article describes the "The request is not supported" error (Event ID 2009) for a Windows Server monitoring plan and provides possible causes and step-by-step resolutions including firewall, antivirus exclusions, gMSA configuration, and enabling network traffic compression.
📄️ SCMLib.DataCollecting.DNSDataProviderException2 Error
This article addresses the SCMLib.DataCollecting.DNSDataProviderException2 error encountered in the Health Log for Windows Server monitoring plans and provides resolutions to fix the issue.
📄️ The Windows Security Log Contains Multiple Events
Explains why the Windows Security log on a server audited by Netwrix Auditor contains multiple Event ID 5140 entries and how to interpret them.
📄️ Unable to Configure Audit Policies in Domain Contr
Describes the error "Event ID:1016" that appears when creating a monitoring plan for Domain Controllers and explains why it occurs and how to resolve it by configuring audit policies via Group Policy.
📄️ Why does Risk Assessment Overview Dashboard Shows
When the Risk Assessment Overview dashboard shows unexpected infrastructure issues but the linked reports return no results, verify data collection and State-in-Time snapshots in Netwrix Auditor to resolve discrepancies.
📄️ Windows Server Inventory Report shows Windows Defe
Explains why the Windows Server Inventory Report in Netwrix Auditor lists Windows Defender as the only antivirus on Windows Server 2016/2019 systems and how to resolve it.
📄️ Workstations Cloned with Windows Server Auditing S
Describes symptoms, cause, and step-by-step resolution for duplicated AgentID values on cloned virtual machines that cause monitoring data loss in Netwrix Auditor.