Windows Server warning in Netwrix Auditor System Health
Symptoms: The Netwrix Auditor System Health log contains the following warnings when auditing Windows Server (in Netwrix Auditor 6.5 and below they are listed in Windows Server Change Summary emails):
Successful change auditing requires a certain configuration of native audit settings in the audited environment and on the computer where Netwrix Auditor (Netwrix Auditor Administrator Console in Netwrix Auditor 7.0 and above) resides. The errors and warnings indicate that audit settings are not properly configured.
You need to disable automatic configuration and configure settings mentioned in the warning message manually.
The startup type must be set to "Automatic" for both services.
The following audit permissions must be set to "Successful" for the HKEY_LOCAL_MACHINE\SOFTWARE, HKEY_LOCAL_MACHINE\SYSTEM, and HKEY_USERS\.DEFAULT nodes: Set Value, Create Subkey, Delete, Write DAC, Write Owner.
On pre-Windows Vista versions, the Audit object access and the Audit account management policies must be set to "Success".
On Windows Vista and above, the following advanced audit policies must be set to "Success":
The Application, Security, System, and TaskScheduler event log size must be increased (the recommended values are: 300MB on pre-Windows Vista, and 4GB on Windows Vista and above).
The retention method of the Application, Security, System, and TaskScheduler event logs must be set to "Overwrite as needed" or "Archive the log when full".
Also, check that the Maximum security log size policy does not override your log settings.
For instructions on how to configure these settings manually, refer to the Netwrix Auditor Installation and Configuration Guide.
NOTE: There are various methods for configuring the local audit policies. The product guide describes just one of them. It is recommended to consider the possible impact on your environment and select a method that suits your purposes best.
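A read-only way to check the event log and registry audit settings listed above before changing anything. This is an added example, not Netwrix code or a procedure from the product guide. Assumptions: "TaskScheduler" means the Microsoft-Windows-TaskScheduler/Operational channel, the host runs Windows Vista or later (4GB threshold), and a "Successful" audit entry for any principal counts, since the principal is not named here.

```powershell
# Added example: report-only check, changes nothing. Run in an elevated session;
# reading SACLs requires the "Manage auditing and security log" user right.

# Assumption: the TaskScheduler log is the Operational channel named below.
$logs = 'Application', 'Security', 'System', 'Microsoft-Windows-TaskScheduler/Operational'
$minBytes = 4GB   # Windows Vista and above; use 300MB on pre-Vista systems

$logReport = foreach ($name in $logs) {
    $log  = Get-WinEvent -ListLog $name
    $mode = [string]$log.LogMode
    [pscustomobject]@{
        Log         = $name
        MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
        SizeOk      = $log.MaximumSizeInBytes -ge $minBytes
        # Circular = "Overwrite as needed", AutoBackup = "Archive the log when full"
        Retention   = $mode
        RetentionOk = $mode -in 'Circular', 'AutoBackup'
    }
}

# .NET names: ChangePermissions = Write DAC, TakeOwnership = Write Owner.
$required = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$success  = [int][System.Security.AccessControl.AuditFlags]::Success
$keys = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE',
        'Registry::HKEY_LOCAL_MACHINE\SYSTEM',
        'Registry::HKEY_USERS\.DEFAULT'

$saclReport = foreach ($key in $keys) {
    $acl   = Get-Acl -Path $key -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    # Union of rights audited on success. Simplification: principal and
    # inheritance scope of each rule are not evaluated.
    $audited = 0
    foreach ($rule in $rules) {
        if (([int]$rule.AuditFlags -band $success) -ne 0) {
            $audited = $audited -bor [int]$rule.RegistryRights
        }
    }
    $missing = $required -band (-bnot $audited)
    [pscustomobject]@{
        Key     = $key
        SaclOk  = $missing -eq 0
        Missing = [System.Security.AccessControl.RegistryRights]$missing
    }
}

$logReport  | Format-Table -AutoSize
$saclReport | Format-Table -AutoSize
```

A row with `SizeOk`, `RetentionOk` or `SaclOk` set to `False` points at the setting to fix manually; if a log's values revert after you change them, check Group Policy for the overriding log size policy.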