Netwrix Auditor System Health Log - eventID 1016-1019 / 1216-1219

This article applies to Netwrix Auditor 6.0 and above. It explains the nature of the EventIDs and provides resolution.

KB2051 | Last review: Dec 06, 2017 | Netwrix Auditor for SharePoint | Netwrix Auditor 6.0 and above

Email It to Me Print this Page

Symptoms	Depending on your Netwrix Auditor version, the Netwrix Auditor System Health Log contains the following EventIDs: Netwrix Auditor 9.0 and above: Event ID 1216 Netwrix Auditor 8.5 and below: Event ID 1016 The following error occurred when trying to launch the component responsible for collecting AD group membership from forest <forestName>: <error> Netwrix Auditor 9.0 and above: Event ID 1217 Netwrix Auditor 8.5 and below: Event ID 1017 The following error occurred when trying to delete temporary data on AD group membership from the local storage: <error> Netwrix Auditor 9.0 and above: Event ID 1218 Netwrix Auditor 8.5 and below: Event ID 1018 The following unexpected error occurred when trying to collect AD group membership: <error> Netwrix Auditor 9.0 and above: Event ID 1219 Netwrix Auditor 8.5 and below: Event ID 1019 AD group membership was resolved with the following error; <error>
Cause	The product is unable to collect data on group membership of users who made changes. This does not affect audit data integrity and only affects the possibility to filter data by groups in audit reports. Most likely, this is due to access issues to the AD domain that users belong to, or the membership database. The default path to the database for Netwrix Auditor 7.0 - 8.0: %ProgramData%\Netwrix Auditor\Netwrix Auditor for SharePoint\Configuration\<Managed Object GUID>\Temp\AuditArchive\Membership\Memberships.db.* The default path to the database for Netwrix Auditor 8.5 and above: %ProgramData%\Netwrix Auditor\ShortTerm\Netwrix Auditor for SharePoint\<GUID>\Temp\AuditArchive\Membership\Memberships.db.*
Resolution	Select one of the possible resolutions. Resolution If the error contains a file name, make sure that it is accessible. You can also exclude these events from being logged to the Netwrix Auditor System Health log (Netwrix Auditor Event Log for Netwrix Auditor 6.5 and below) if you do not need to filter changes by groups. Navigate to: *%ProgramData%\Netwrix Auditor\Netwrix Auditor for SharePoint\Configuration\<GUID>\omiteventloglist.txt.** * To view your Managed Object GUID, navigate to %programdata%\Netwrix Auditor\Audit Core\Config Server\Configuration.xml. Find your monitoring plan name in the configuration file: -<n n="ManagedObjects"> .... <a n="Name" t="2" v="your_SharePoint_Managed_Object_name"/>

Was this information helpful?