Netwrix Auditor System Health Log - eventID 1016-1019 / 1216-1219

This article applies to Netwrix Auditor 6.0 and above. It explains the nature of the EventIDs and provides resolution.
Email It to Me Print this Page
Symptoms Depending on your Netwrix Auditor version, the Netwrix Auditor System Health Log contains the following EventIDs:

Netwrix Auditor 9.0 and above: Event ID 1216
Netwrix Auditor 8.5 and below: Event ID 1016

The following error occurred when trying to launch the component responsible for collecting AD group membership from forest <forestName>: <error>

Netwrix Auditor 9.0 and above: Event ID 1217
Netwrix Auditor 8.5 and below: Event ID 1017

The following error occurred when trying to delete temporary data on AD group membership from the local storage: <error>

Netwrix Auditor 9.0 and above: Event ID 1218
Netwrix Auditor 8.5 and below: Event ID 1018
The following unexpected error occurred when trying to collect AD group membership: <error>

Netwrix Auditor 9.0 and above: Event ID 1219
Netwrix Auditor 8.5 and below: Event ID 1019

AD group membership was resolved with the following error; <error>
 
Cause The product is unable to collect data on group membership of users who made changes. This does not affect audit data integrity and only affects the possibility to filter data by groups in audit reports.
Most likely, this is due to access issues to the AD domain that users belong to, or the membership database.
  • The default path to the database for Netwrix Auditor 7.0 - 8.0: %ProgramData%\Netwrix Auditor\Netwrix Auditor for SharePoint\Configuration\<Managed Object GUID*>\Temp\AuditArchive\Membership\Memberships.db.
  • The default path to the database for Netwrix Auditor 8.5 and above: %ProgramData%\Netwrix Auditor\ShortTerm\Netwrix Auditor for SharePoint\<GUID*>\Temp\AuditArchive\Membership\Memberships.db.​
Resolution Select one of the possible resolutions.
Resolution
If the error contains a file name, make sure that it is accessible. 

You can also exclude these events from being logged to the Netwrix Auditor System Health log (Netwrix Auditor Event Log for Netwrix Auditor 6.5 and below) if you do not need to filter changes by groups.
Navigate to: %ProgramData%\Netwrix Auditor\Netwrix Auditor for SharePoint\Configuration\<GUID*>\omiteventloglist.txt. ​* ​To view your Managed Object GUID, navigate to %programdata%\Netwrix Auditor\Audit Core\Config Server\Configuration.xml.

Find your monitoring plan name in the configuration file:

-<n n="ManagedObjects">
....
<a n="Name" t="2" v="your_SharePoint_Managed_Object_name"/>
Was this information helpful?