No data available in computer startup and shutdown auditing
In this article
Issue description
Prerequisites
Possible causes
Resolution
Related topics and articles
When and how to contact support
Issue description
The Computer Startup and Shutdown reports in ADAudit Plus display "No Data Available," preventing the monitoring and auditing of system startup and shutdown events. This issue may occur due to missing prerequisites, misconfigured audit policies, or insufficient permissions assigned to the service account.
Prerequisites
Ensure the monitored system is added and configured in ADAudit Plus.
Verify that the ADAudit Plus service account has the necessary privileges for event collection.
Confirm that the required audit policies are enabled to track local account management events.
Ensure the Event Log size is sufficient to retain logs before collection.
Possible causes
Insufficient Privileges The service account lacks the required permissions.
Log Collection Failure Required RPC ports (135, dynamic ports 49152-65535) are open bidirectionally or at least inbound on the target server. Windows Firewall allows Remote Event Log Management and COM+ Network Access (DCOM-In).
Event Log Retention Issue Logs are purged before collection due to incorrect settings.
Event ID 521 Unable to Log Events to Security Log The security event log is failing to capture relevant events.
Misconfigured Audit Policies Startup and shutdown auditing policies are not configured properly.
Resolution
Insufficient privileges
Ensure that the service account configured in ADAudit Plus has the required privileges to collect and report Computer Startup and Shutdown events. If the necessary permissions are not assigned, event logs may not be captured.
Fix log collection failure (RPC Service Unavailable)
Ensure the required ports are enabled in the Firewall rules.
COM+ Network Access (DCOM-In)
Remote Event Log Management( RPC)
Remote Event Log Management( NP-IN)
Remote Event Log Management( RPC-EPMAP)
To enable
Open Windows Defender Firewall and navigate Advanced Security.
Navigate to Inbound Rules.
Locate and enable the required rules.
https//www.manageengine.com/products/active-directory-audit/help/quickstart/ports.html
Validate and configure event log retention
Ensure the maximum security log size is set to at least 4GB.
Open GPMC and edit the ADAuditPlusComputerStartupPolicy GPO.
Navigate to
Open Computer Configuration
Navigate to Policies
Open Windows Settings
Navigate to Security Settings
Open Event Log
Configure the following settings
Retention method for security log Overwrite Events As Needed
Maximum security log size Set to 4GB
Fix Event ID 521 (Unable to log events to security log)
Since ADAudit Plus relies on Event Viewer, it only retrieves the events logged there. If Event ID 521 appears, it indicates that the system failed to log security events.
Possible causes
Security log full
Open Event Viewer
Navigate to Windows Logs
Security.
Check if the log size has reached its limit.
Increase the maximum log size in GPMC as described in Step 2.
Event logging is disabled
Open Command Prompt as an Administrator.
Run auditpol /get /category*
Ensure that Audit Policy Change is enabled.
Windows event log service not running
Open Run (Win + R), type services.msc, and press Enter.
Locate Windows Event Log service, ensure it is running and set to Automatic.
For more details, refer to Microsoft's official documentation on Event ID 521.
Ensure required audit policies are enabled
Log in to a system with Group Policy Management Console (GPMC) using Domain Admin credentials.
Open GPMC and navigate to
Default Domain Controllers Policy
ADAuditPlusComputerStartupPolicy
Right-click the policy and select Edit.
In the Group Policy Management Editor, go to Computer Configuration
Navigate to Policies
Open Windows Settings
Navigate to Security Settings
Open Advanced Audit Policy Configuration move to Audit Policy.
Double-click on the relevant policy setting.
Required audit policies
Category | Subcategory | Audit Events |
System | Audit Other System Events | Success, Failure |
Audit System Integrity | Success, Failure | |
Audit Security State Change | Success |
Related topics & documentation
When and where to reach support
New to ADSelfService Plus?
Related Articles
No data available in Computer Management report in ADAudit Plus
In this article: Issue description Prerequisites Possible causes Resolution Related topics and articles How to reach support Issue description In ADAudit Plus, the Computer Management Reports profile provides insights into various computer-related ...No Data Available in the Printer Auditing report
In this article: Issue description Possible causes Prerequisites Resolution Related topics and articles How to reach support Issue description This issue occurs when ADAudit Plus is unable to collect logs related to printer auditing. This can be due ...No data available in powerShell auditing report
In this article Issue description Prerequisites Possible causes Resolution Related topics and articles When and how to reach support Issue description The PowerShell auditing report in ADAudit Plus does not display any data, even though there has ...No data available in Configuration Auditing reports
In this article : Issue description Prerequisites Possible causes Resolution Related topics and articles How to reach support Issue description In ADAudit Plus, the Configuration Auditing reports provide insights into modifications made to critical ...No data available in LDAP auditing reports
In this article: Issue description Prerequisites Possible causes Resolution Related topics and articles How to contact support Issue description This article provides troubleshooting guidance for cases where no data appears under LDAP auditing ...