Netwrix Auditor System Health Log - Event ID 1245 / 1045

This article applies to Netwrix Auditor 6.0 and above. It explains the nature of the Event ID and provides resolution.
Email It to Me Print this Page
Depending on your Netwrix Auditor version, the Netwrix Auditor System Health Log contains the following EventID
Netwrix Auditor 9.0 and above: 1245 "Unable to remove the Netwrix Auditor configuration from site collection with <ID>" 
Netwrix Auditor 8.5 and below: 1045 "Unable to exclude events on site collection <ID> from the auditing scope due to the following error: <error>".


Make sure that the audited site collection is operational. To do this, contact your SharePoint administrator.
Or refer to the table below for a solution depending on the event details:
 
ErrorCauseSolution
Unable to exclude events on site collection <ID> from the auditing scope due to the following error: Attempted to perform an unauthorized operation.The product failed to exclude events on site collection <ID>  from the auditing scope as its status is lower than "Adding content prevented".

Otherwise, the Farm account or the Service account for the web application pool hosting the audited site collection, has been modified, and has not been granted the Logon as a batch job right on the machine that hosts SharePoint Central Administration.
Navigate to SharePoint Central Administration --> Application Management --> Configure quotas and locks --> <target site collection> and change its status to "Not locked".
Alternatively, you can unlock your site using SharePoint Management Shell.
If this does not resolve the issue, contact your SharePoint administrator.
Unable to exclude events on site collection <ID> from the auditing scope due to the following error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).The product failed to exclude events on site collection <ID>  from the auditing scope as there are insufficient permissions for the web application hosting the target site collection.Navigate to SharePoint Central Administration --> Web Applications --> <target web application> --> User Permissions and verify the security settings for this web application. The minimum required permissions are "Manage Web Site".
Unable to exclude events on site collection <ID> from the auditing scope due to the following error: Access to this Web site has been blocked.The product failed to exclude events on site collection <ID>  from the auditing scope as its status is "Locked - No Access".Navigate to SharePoint Central Administration --> Application Management --> Configure quotas and locks --> <target site collection> and change its status to "Not locked".
Alternatively, you can unlock your site using SharePoint Management Shell.
To change site status to "Unlock" using SharePoint Management Shell, do the following:
  1. Make sure that your account complies with the requirements mentioned in the Microsoft technical article.
  2. In your SharePoint server, navigate to Start --> Microsoft SharePoint Products <version> SharePoint Management Shell.
  3. Execute the following command:  Set-SPSite -Identity "<SiteCollection>" -LockState "<State>"
Where:
<SiteCollection> is the URL of the site collection that you want to track or unlock.
<State> is one of the following values:
  • Unlock to unlock the site collection and make it available to users.

  • NoAdditions to prevent users from adding new content to the site collection. Updates and deletions are still allowed.

  • ReadOnly to prevent users from adding, updating, or deleting content.

  • NoAccess to prevent users from accessing the site collection and its content. Users who attempt to access the site receive an error.

Was this information helpful?