Windows Server warning in Netwrix Auditor System Health

Symptoms

The Netwrix Auditor System Health log contains the following warnings when auditing Windows Server (in Netwrix Auditor 6.5 and below they are listed in Windows Server Change Summary emails):
  • Warning: Windows Registry audit permissions are not enabled for this server. Adjust Windows Registry audit permissions automatically or manually.
  • Warning: The Registry data provider failed to get the information on registry key "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MRxDAV\EncryptedDirectories " due to the following error: " Access is denied ".
  • Warning: Unable to configure the following policies due to a conflict: Object Access\Other Object Access Events Success, Account Management\Security Group Management Success, Account Management\User Account Management Success.
  • Warning: Auditing of Object Access Success is not enabled for this server.
  • Warning: Auditing of Account Management\User Account Management Success is not enabled for this server.
  • Warning: Unable to configure the following audit policies on this computer because it is a domain controller: Object Access\Other Object Access Events Success. 
  • Warning: The following event log settings may lead to incorrect or incomplete data in reports: System event log retention method, Application event log retention method. 
  • Warning: Unable to detect the current Security event log retention policy to the following error: Access is denied.
  • Warning: Unable to detect the current Application event log retention policy to the following error: Access is denied.
  • Warning: Security log overwrites occurred on this computer since the last collection. Please increase the maximum size of the Security event log. 
  • Warning: Unable to detect audit policy settings for server...
  • Warning: Data provider <name> failed during data collection from server <name> due to the following error: “The Remote Registry service is not running”. 
  • Warning: Data provider <name> failed during data collection from server <name> due to the following error: "The interface is unknown. (Exception from HRESULT: 0x800706B5)".
  • Warning: Data provider <name> failed during data collection from server <name> due to the following error: “The network path was not found. (Exception from HRESULT: 0x80070035)”.
  • Error: The following error occurred when collecting data from the Application log: Failed to open log 'Application' (API used: NT). Error details: The interface is unknown. (Error number: 0x800706B5).
  • Error: The following error occurred when collecting data from the Application log: Failed to open log 'Application' (API used: NT). Error details: The network path was not found. (Error number: 0x80070035).
  • Error: Unable to configure the following policies due to a conflict: Security event log size.
Cause

Successful change auditing requires a certain configuration of native audit settings in the audited environment and on the computer where Netwrix Auditor (Netwrix Auditor Administrator Console in Netwrix Auditor 7.0 and above) resides. The errors and warnings indicate that audit settings are not properly configured.

Resolution

You need to disable automatic audit configuration and configure the settings mentioned in the warning message manually.
Below is the list of all audit settings required for the product to function correctly and collect full audit data on your Windows Servers:

  1. Remote Registry and Windows Management Instrumentation Services

The startup type must be set to "Automatic" for both services.

  2. Windows Registry Audit Settings

The following audit permissions must be set to "Successful" for the HKEY_LOCAL_MACHINE\SOFTWARE, HKEY_LOCAL_MACHINE\SYSTEM, and HKEY_USERS\.DEFAULT nodes: Set Value, Create Subkey, Delete, Write DAC, Write Owner.

  3. Local Audit Policies

On pre-Windows Vista versions, the Audit object access and the Audit account management policies must be set to "Success".

On Windows Vista and above, the following advanced audit policies must be set to "Success":

  • Account Management: Audit Security Group Management, Audit User Account Management
  • Object Access: Audit Registry, Audit Handle Manipulation, Audit Other Object Access Events
  4. Event Log Size and Retention Method

The Application, Security, System, and TaskScheduler event log size must be increased (the recommended values are: 300MB on pre-Windows Vista, and 4GB on Windows Vista and above).

The retention method of the Application, Security, System, and TaskScheduler event logs must be set to "Overwrite as needed" or "Archive the log when full".

Also, check that the Maximum security log size policy does not overwrite your log settings.
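As an added example (not part of the Netwrix article or the product), the following read-only PowerShell check verifies the four prerequisites above on an audited server before automatic configuration is disabled. It assumes the standard Windows service names RemoteRegistry and Winmgmt, the standard auditpol subcategory names, the log name Microsoft-Windows-TaskScheduler/Operational for the TaskScheduler log, and uses the 4GB size given for Windows Vista and above.

```powershell
# Added example: read-only check of the audit prerequisites listed above.
# Run in an elevated PowerShell session on the audited Windows Server.
# Service, subcategory and log names are assumptions (standard Windows names).
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Remote Registry and WMI services must start automatically
foreach ($svc in 'RemoteRegistry', 'Winmgmt') {
    $s = Get-CimInstance Win32_Service -Filter "Name='$svc'"
    if ($s.StartMode -ne 'Auto') {
        $findings.Add("Service $svc startup type is '$($s.StartMode)', expected Auto")
    }
}

# 2. Registry SACL: Success auditing for Set Value, Create Subkey, Delete,
#    Write DAC (ChangePermissions) and Write Owner (TakeOwnership)
$required = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
foreach ($key in 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'Registry::HKEY_USERS\.DEFAULT') {
    $acl = Get-Acl -Path $key -Audit        # needs SeSecurityPrivilege (elevated)
    $audited = 0
    foreach ($rule in $acl.Audit) {
        if ($rule.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) {
            $audited = $audited -bor [int]$rule.RegistryRights
        }
    }
    if (($audited -band [int]$required) -ne [int]$required) {
        $findings.Add("Registry SACL on $key lacks Success auditing for some required rights")
    }
}

# 3. Advanced audit policy subcategories must include Success
$subcats = 'Security Group Management', 'User Account Management',
           'Registry', 'Handle Manipulation', 'Other Object Access Events'
foreach ($sc in $subcats) {
    $row = (auditpol /get /subcategory:"$sc" /r | Where-Object { $_ }) | ConvertFrom-Csv
    if ($row.'Inclusion Setting' -notmatch 'Success') {
        $findings.Add("Audit policy '$sc' is '$($row.'Inclusion Setting')', expected Success")
    }
}

# 4. Event log size and retention: Circular = "Overwrite as needed",
#    AutoBackup = "Archive the log when full"
$minBytes = 4GB
foreach ($log in 'Application', 'Security', 'System', 'Microsoft-Windows-TaskScheduler/Operational') {
    $cfg = Get-WinEvent -ListLog $log
    if ($cfg.MaximumSizeInBytes -lt $minBytes) {
        $findings.Add("Log $log max size $($cfg.MaximumSizeInBytes) bytes is below $minBytes")
    }
    if ($cfg.LogMode -notin 'Circular', 'AutoBackup') {
        $findings.Add("Log $log retention is '$($cfg.LogMode)', expected Circular or AutoBackup")
    }
}

if ($findings.Count -eq 0) { 'All audit prerequisites are in place.' } else { $findings }
```

Each reported finding maps to one of the warnings in the Symptoms list, so the script output tells you which manual step from the guide still applies.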

For instructions on how to configure these settings manually, refer to Netwrix Auditor Installation and Configuration Guide.

NOTE: There are various methods for configuring the local audit policies. The product guide describes just one of them. It is recommended to consider the possible impact on your environment and select a method that suits your purposes best.

(*) Netwrix Auditor replaces former Change Reporter products