In this article  :

• Issue description

• Prerequisites

• Possible causes

• Resolution

• Related topics and articles

• When and how to reach support

Issue description  

The File Audit reports in ADAudit Plus do not display any data. This issue can arise due to misconfigurations, missing prerequisites, or insufficient permissions for ADAudit Plus to access and monitor the file server and its shares.

Prerequisites  

• Ensure that the file servers are configured in ADAudit Plus.

• Make sure that the respective shares are configured for the file servers.

• Audit policies and SACLs (object-level auditing) are configured for the file server and the shares.

• Verify connectivity between ADAudit Plus and the file servers.

• Ensure necessary permissions are assigned to the configured service account.

Possible causes  

• Missing file server configuration: Not all required file servers are configured in ADAudit Plus.

• Blocked communication channels: Communication issues between ADAudit Plus and file servers ports or firewall rules are blocking the connection.

• Insufficient service account privileges: The account lacks required permissions for file share discovery, reading audit logs, or accessing NetApp C-Mode logs.

• Improper audit policy configuration: Audit policies or object-level auditing are not properly enabled for file servers.

• Event logs getting overwritten: Security log size is too small, causing older logs to be deleted before they are processed.

• Improper object-level auditing configuration: The required permissions are not set for the files and folders under audit.

• Files stuck in event data processing: Files are accumulating under Installation Directory/ADAudit Plus/event data/raw or processed, preventing new logs from being processed.

• Verification of data collection by the product: After completing the troubleshooting steps, check the product GUI to confirm if the timestamp is updating.

Resolution  

Step 1 Configure all required file servers for auditing  

1. Log in to ADAudit Plus and navigate to the File Audit tab settings.

2. Ensure that all required file servers are added.

Note: Security logs do not replicate, so configuring all necessary file servers in ADAudit Plus is essential.

Step 2 Ensure communication between the product server and file server  

• Open the required ports and configure firewall rules as per the ADAudit Plus Port Guide.

Step 3 Verify service account privileges  

1. Membership in the Power Users Group enables ADAudit Plus to discover shares on Windows file servers.

2. Have the appropriate permissions on audited shares.

• Method 1 Add the ADAudit Plus user to the Local Administrators Group.

• Method 2 Assign Share and NTFS Read Permissions on each audited share.

3. Have the appropriate DCOM and WMI permissions.

• Assign DCOM Grant Local Launch, Remote Launch, Local Activation, and Remote Activation permissions.

• Assign WMI assign Execute Methods, Enable Account, and Remote Enable permissions.

4. Have Read permission over the C$ share (\server_name\C$) for accessing NetApp C-Mode log files.

Step 4 Configure audit policies  

Create a security group for audited file servers  

1. Open Active Directory Users and Computers.

2. Right-click the domain > New > Group.

3. Name the group (e.g., ADAuditPlusFS), set Group Scope to Domain Local, and set Group Type to Security.

4. Add the Windows file servers to be audited as members.

Create and link a GPO  

1. Open the Group Policy Management Console (GPMC) with domain admin credentials.

2. Create a new GPO (e.g., ADAuditPlusFSPolicy) and link it to the domain.

3. Remove Authenticated Users and add ADAuditPlusFS.

Configure advanced audit policies  

1. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.

2. Set the following:

Enforce advanced audit policies  

• Enable Audit: Force audit policy subcategory settings under Local Policies > Security Options.

Configure legacy audit policies (Windows Server 2003 and earlier)  

1. Navigate to Computer Configuration > Windows Settings > Security Settings > Audit Policy.

2. Set Audit Object Access to Success, Failure.

Step 5 Configure object-level auditing  

Using windows explorer  

1. Right-click the target folder > Properties > Security .

2. Click Advanced > Auditing > add the Everyone group.

3. Assign the following permissions:

Using PowerShell cmdlets  

1. Prepare a CSV file listing the folders to audit with the path and audit type.

2. Open PowerShell and navigate to <Installation Directory>\bin.

3. Run the following script:

4. .\ADAP-Set-SACL.ps1 -file '.\shared_folders_list.CSV' -mode add -recurse true

Step 6 Configure event log Ssttings  

1. Open the GPMC > Edit GPO.

2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

3. Configure as follows:

• Retention method for security log: Overwrite events as needed.

• Maximum security log size: Ensure at least 12 hours of security logs are stored.

Step 7 Resolve files stuck in event data processing  

• If files are accumulating under <Installation Directory>/ADAudit Plus/event data/raw or processed, contact support@adauditplus.com.

Step 8 Check if the data is being collected by the product

• Log in to the ADAudit Plus GUI.

• Navigate to the File Audit tab.

• Configure file servers, click Run Now, and see if the timestamp is updated.

Related topics and articles  

• ADAudit Plus Port Guide

When and how to reach support