No data available in File Integrity Monitoring

In this article:    

  • Issue description

  • Possible causes

  • Prerequisites

  • Resolution

  • Related topics and articles

  • How to contact Support

 

 Issue description   

The File Integrity Monitoring reports in ADAudit Plus may display No Data Available, preventing the tracking and auditing of file and folder modifications. This issue may occur due to missing prerequisites, misconfigured audit policies, or insufficient permissions assigned to the service account, leading to failure in event log collection.

 Prerequisites 

  • Ensure the monitored system is added and configured in ADAudit Plus.

  • Confirm that the target drive is configured in ADAudit Plus.

  • Verify that the ADAudit Plus service account has the necessary privileges for log collection.

  • Confirm that the required audit policies are enabled so that the changes are logged.

  • Ensure the event log size is sufficient to retain logs before collection.

 

 Possible causes   

  1. Drive not configured for auditing: The target drive isn't configured for auditing and is unable to capture file integrity events.

  2. Insufficient privileges: The configured service account lacks the required permissions to read security logs and monitor file activities.

  3. Log collection failure: The Remote Procedure Call (RPC) service is unavailable or blocked due to firewall restrictions, preventing log retrieval.

  4. Event log retention issue: The security log size is incorrectly configured, causing older logs to be purged before ADAudit Plus can collect them.

  5. Event ID 521 - Unable to log events to the security log: The security event log is either full, event logging is disabled, or system audit policies are misconfigured.

  6. Misconfigured audit policies: The necessary audit policies are not enabled, preventing event logging.

  7. Object-level auditing not set up: Auditing settings are not properly applied to the specific files or folders being monitored.

Resolution steps  

 Step 1:  Drive not configured in File Integrity Auditing   (Reference Document)  

  1. Ensure the target drive is added for monitoring in ADAudit Plus.

  2. Navigate to the Server Audit tab.

  3. Expand Configured Server(s).

  4. From the left pane, navigate to File Integrity.

  5. In FIM Configuration, click the edit icon.

  6. Verify that the drive is configured in ADAudit Plus.  

 

  

 Step 2: Insufficient privileges  (Reference Document) 

  • Ensure that the service account configured in ADAudit Plus has the required privileges to collect and report file modification events. If the necessary permissions are not assigned, event logs may not be captured.

 

 Step 3: Log collection failure (RPC Service Unavailable) 

  • Ensure the required ports are open by enabling the following inbound rules in the firewall:

      • COM+ Network Access (DCOM-In)

      • Remote Event Log Management (RPC)

      • Remote Event Log Management (NP-In)

      • Remote Event Log Management (RPC-EPMAP)

 

 Step 4: Validate and test the event log retention settings  (Reference Document) 

  1. Ensure the maximum log size is set to at least 4GB.

  2. Open GPMC.

  3. To edit the <ADAuditPlusPolicy> GPO, go to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

  4. In the right pane, right-click Retention method for security log > Properties.

  5. Set it to Overwrite events as needed.

  6. In the right pane, right-click Maximum security log size > Properties.

  7. Define the size sufficient to hold 12 hours of data.

 

 Step 5: Event ID 521: Unable to log events to security log 

Since ADAudit Plus relies on Event Viewer, it only retrieves the events logged there. If Event ID 521 appears, it indicates that the system failed to log security events.

 Step 6: Possible causes for 521 Event ID and fixes  (Reference Document)

Security log full

    1. Open Event Viewer.

    2. Navigate to Windows Logs > Security.

    3. Check if the log size has reached its limit.

    4. Increase the maximum log size in GPMC as described in Step 4.

Event logging is disabled

    1. Open Command Prompt as an Administrator.

    2. Run: auditpol /get /category:*

    3. Ensure that Audit Policy Change is enabled.

Windows event log service is not running

    1. Open Run (Win + R), type services.msc, and press Enter.

    2. Locate the Windows Event Log service, ensure it is running and set to Automatic.
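The checks from Steps 3, 4, and 6 can be gathered in one pass on the monitored server. The following PowerShell is an added example, not ManageEngine code; the 95% "log has wrapped" threshold is an assumption made for illustration.

```powershell
# Added example. Run in an elevated Windows PowerShell 5.1+ session on the monitored server.

# Step 3: inbound firewall rule groups that remote event log collection depends on.
$fw = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management', 'COM+ Network Access' |
    Where-Object Direction -eq 'Inbound' |
    Select-Object DisplayName, Profile, Enabled

# Step 4: maximum size, retention mode, and the time span the Security log currently holds.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$hours  = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)
$pctFull = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)

# Step 6: the Windows Event Log service must be running and set to Automatic.
$svc = Get-Service -Name EventLog

$fw | Format-Table -AutoSize

[pscustomobject]@{
    MaxSizeGB       = [math]::Round($log.MaximumSizeInBytes / 1GB, 2)
    MeetsMinimum4GB = $log.MaximumSizeInBytes -ge 4GB
    LogMode         = $log.LogMode        # Circular corresponds to "Overwrite events as needed"
    PercentFull     = $pctFull
    HoursRetained   = $hours
    # Assumption: a log at 95% or more of its maximum has wrapped, so the span
    # between the oldest event and now is its real retention window.
    TooSmallFor12h  = ($pctFull -ge 95) -and ($hours -lt 12)
    ServiceStatus   = $svc.Status
    ServiceStartup  = $svc.StartType
} | Format-List
```

If TooSmallFor12h is True, events are being overwritten in under 12 hours and the maximum security log size should be raised as described in Step 4.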

 

 Step 7: Ensure required audit policies are enabled   

For the Event Viewer to capture events when changes occur, enable the necessary audit policies.

Steps to enable audit policies  

  1. Log in to a system with Group Policy Management Console (GPMC) using Domain Admin credentials.

  2. Open GPMC and navigate to:

    • Default Domain Controllers Policy

    • ADAuditPlusMSPolicy

    • ADAuditPlusWSPolicy

  3. In the Group Policy Management Editor:

    1. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings.

    2. Navigate to Advanced Audit Policy Configuration, and configure the following settings:

 

Required audit policies   (Reference Document)

| Category | Subcategory | Audit events |
| --- | --- | --- |
| Object Access | Audit File System | Success, Failure |
| Object Access | Audit File Share | Success |
| Object Access | Audit Handle Manipulation | Success, Failure |
| Policy Change | Audit Policy Change | Success, Failure |
| Policy Change | Authorization Policy Change | Success |
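To confirm that the GPO settings have actually taken effect on the monitored server, the effective policy can be compared with the table above. This PowerShell is an added example, not ManageEngine code; it assumes an English-language Windows installation, where auditpol reports the GPO setting "Audit File System" as the subcategory "File System", and so on.

```powershell
# Added example. Run in an elevated PowerShell session on the monitored server.
# Required settings from the table, keyed by the subcategory names auditpol prints
# (assumption: English-language OS; the names are localized on other systems).
$required = [ordered]@{
    'File System'                 = 'Success and Failure'
    'File Share'                  = 'Success'
    'Handle Manipulation'         = 'Success and Failure'
    'Audit Policy Change'         = 'Success and Failure'
    'Authorization Policy Change' = 'Success'
}

# True when every outcome in $Needed is also present in $Actual,
# so "Success and Failure" satisfies a requirement of "Success".
function Test-AuditSetting([string]$Actual, [string]$Needed) {
    $have = $Actual -split ' and '
    foreach ($n in ($Needed -split ' and ')) {
        if ($have -notcontains $n) { return $false }
    }
    return $true
}

# /r prints CSV with the columns "Subcategory" and "Inclusion Setting";
# blank lines are dropped before parsing.
$effective = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv

foreach ($name in $required.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    [pscustomobject]@{
        Subcategory = $name
        Required    = $required[$name]
        Effective   = $actual
        Ok          = Test-AuditSetting $actual $required[$name]
    }
}
```

A row with Ok set to False means the policy has not been applied to this server yet or another GPO is overriding it.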

 

Ensure required object-level auditing is enabled  

  1. Right-click the target folder. 

  2. Select Properties.

  3. Go to the Security tab.

    1. Click Advanced

    2. Select the Auditing tab and enable the following settings.

 

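Required object-level auditing (SACLs)   (Reference Document)

| Principal | Type | Access | Applies to |
| --- | --- | --- | --- |
| Everyone | Success, Failure | Create files/Write data | This folder, subfolders, and files |
| Everyone | Success, Failure | Create folders/Append data | This folder, subfolders, and files |
| Everyone | Success, Failure | Write attributes | This folder, subfolders, and files |
| Everyone | Success, Failure | Write extended attributes | This folder, subfolders, and files |
| Everyone | Success, Failure | Delete subfolders and files | This folder, subfolders, and files |
| Everyone | Success, Failure | Delete | This folder, subfolders, and files |
| Everyone | Success, Failure | Take ownership | This folder and subfolders |
| Everyone | Success, Failure | Change permissions | This folder and subfolders |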
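The SACL on a monitored folder can be checked against the table above without clicking through the Auditing tab. This PowerShell is an added example, not ManageEngine code; `$Path` is a hypothetical placeholder for the folder being monitored.

```powershell
# Added example. Run elevated; reading a SACL requires SeSecurityPrivilege.
$Path = 'D:\MonitoredFolder'   # hypothetical placeholder, replace with the audited folder

# The two required entries from the table, expressed as .NET flag values.
$required = @(
    @{ AppliesTo = 'This folder, subfolders, and files'
       Rights    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete'
       Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit' },
    @{ AppliesTo = 'This folder and subfolders'
       Rights    = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
       Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit' }
)

# Keep audit rules for Everyone (SID S-1-1-0) that log both Success and Failure
# and apply to the folder itself (no inherit-only propagation).
$both = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$everyone = @((Get-Acl -Path $Path -Audit).Audit | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
    $_.AuditFlags -eq $both -and
    $_.PropagationFlags -eq 'None'
})

foreach ($req in $required) {
    # Union of rights from every rule whose inheritance covers the required scope.
    $have = 0
    foreach ($rule in $everyone) {
        if (([int]$rule.InheritanceFlags -band [int]$req.Inherit) -eq [int]$req.Inherit) {
            $have = $have -bor [int]$rule.FileSystemRights
        }
    }
    $missing = [System.Security.AccessControl.FileSystemRights]([int]$req.Rights -band (-bnot $have))
    [pscustomobject]@{
        AppliesTo     = $req.AppliesTo
        Ok            = ([int]$missing -eq 0)
        MissingRights = $missing
    }
}
```

Any rights listed under MissingRights are not being audited for that scope, so the corresponding changes never reach the Security log for ADAudit Plus to collect.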

 

   

Related topics and documentation  

 How to reach support 

If the issue persists, contact our support team here
