Netwrix Auditor System Health Log - Event ID 1237/1238 or 1037/1038

This article applies to Netwrix Auditor 6.0 and above. It explains the nature of the EventID and provides resolution.
Email It to Me Print this Page
Symptoms Depending on your Netwrix Auditor version, the Netwrix Auditor System Health Log contains the following Event ID:

Netwrix Auditor 9.0 and above: Event ID 1237/1238
Netwrix Auditor 8.5 and below: Event ID 1037/1038.


These Event IDs  may contain 3 error types:

Error type 1:
Unable to collect content/security events from site collection <ID>: Attempted to perform an unauthorized operation.

Error type 2:
Unable to collect content/security events from site collection <ID>: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).

Error type 3:
Unable to collect content/security events from site collection <ID>: Access to this Web site has been blocked.

 
Cause Review the possible errors' causes:

Error type 1:
The product failed to collect content/security changes from the audited site collection as its status is lower than "Adding content prevented".

Otherwise, the Farm account or the Service account for the web application pool hosting the audited site collection, has been modified, and has not been granted the Logon as a batch job right on the machine that hosts SharePoint Central Administration.

Error type 2:
The product failed to collect content/security changes from the audited site collection as there are insufficient permissions for the web application hosting the target site collection.

Error type 3:
The product failed to collect content/security changes from the audited site collection, as its status is
 "Locked - No Access".
 
Resolution Depending on the received error type, follow the corresponding  resolution prompts:

Error type 1:
Navigate to SharePoint Central Administration --> Application Management --> Configure quotas and locks --> <target site collection> and change its status to "Not locked". If this does not resolve the issue, contact your SharePoint administrator. Alternatively, you can unlock your site using SharePoint Management Shell

Error type 2:
Navigate to SharePoint Central Administration --> Web Applications --> <target web application> --> User Permissions and verify the security settings for this web application. The minimum required permissions are "Manage Web Site".

Error type 3:
Navigate to SharePoint Central Administration --> Application Management --> Configure quotas and locks --> <target site collection> and change its status to "Not locked". Alternatively, you can unlock your site using SharePoint Management Shell

To change site status to "Unlock" using SharePoint Management Shell, do the following:
  1. Make sure that your account complies with the requirements mentioned in the Microsoft technical article.
  2. In your SharePoint server, navigate to Start --> Microsoft SharePoint Products <version> SharePoint Management Shell.
  3. Execute the following command:  Set-SPSite -Identity "<SiteCollection>" -LockState "<State>"
Where:
<SiteCollection> is the URL of the site collection that you want to track or unlock.
<State> is one of the following values:
  • Unlock to unlock the site collection and make it available to users.

  • NoAdditions to prevent users from adding new content to the site collection. Updates and deletions are still allowed.

  • ReadOnly to prevent users from adding, updating, or deleting content.

  • NoAccess to prevent users from accessing the site collection and its content. Users who attempt to access the site receive an error.



 
Was this information helpful?