No data available in Sysmon audit reports (for domain controllers)

In this article:

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • Related topics and articles

  • How to contact support

Issue description  

This article provides troubleshooting guidance for cases where no data appears under Sysmon reports in ADAudit Plus. It covers common causes, verification steps, and solutions to ensure proper logging of Sysmon activities performed on domain controllers (DCs).

Prerequisites  

  • The DC where Sysmon is installed is properly configured in ADAudit Plus.

  • There is proper communication between the product server and the respective machine.

  • The service account has the necessary privileges assigned to avoid access denial errors.

  • Sysmon is correctly installed and configured on the server.

  • Sufficient retention size is set on the configured servers to prevent overwriting of logged events.

Possible causes  

  • The DC where Sysmon is installed is not configured in ADAudit Plus.

  • There is no communication between the product server and the respective machine (RPC error).

  • Required privileges are not assigned to the service account (access denied error).

  • You're encountering a security-package-specific error.

  • Sysmon is not correctly configured on the server.

  • There is insufficient retention size on the configured servers, leading to overwriting of logged events.

  • Files are stuck under <Installation Directory>/ADAudit Plus/event data/raw or processed.

Resolution  

Step 1. Configuring all Sysmon servers  

  • Log in to the ADAudit Plus web console.

  • Navigate to Domain Settings and ensure that all servers where Sysmon is installed are configured.

  • To verify, click Manage Domain Computers on the Domain Settings page.

Step 2. Ensuring communication from the product server to the respective machine  

Follow the official documentation to open the necessary ports and firewall rules.

Step 3. Assigning required privileges to the service account  

  • Log in to the target server where Sysmon auditing is required.

  • Click Builtin > right-click the Event Log Readers group > select Members.

  • Add the configured service account (used under Domain Settings in ADAudit Plus) to this group.

Step 4. Checking if a security-package-specific error occurred  

This is a native error due to conflicting IPs or multiple machines having the same Service Principal Name.

  • Ensure that the corresponding DC has forward and reverse lookup entries in DNS.

Step 5. Configuring Sysmon   

Ensure that Sysmon is properly configured on the target server. Follow these steps:

  • Install Sysmon on the required server if not already installed.

  • If there are discrepancies in event logging, use the following command to reinstall Sysmon with a custom configuration file:

  • Refer to the official Sysmon documentation for detailed configuration steps.

Step 6. Configuring event log settings  

To prevent audit data loss due to event overwrites, define event log size and retention settings.

Sysmon-related events are logged under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational in the Event Viewer.

  • Open the Group Policy Management Console.

  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Log.

  • Configure as follows:

    • Maximum application log size: Define at least 2GB.

  Note: Ensure that the log category holds a minimum of 12 hours of data.

Step 7. Handling stuck event data files  

If files are stuck under <Installation_Directory>/ADAudit Plus/event data/raw or processed, contact ManageEngine support for further assistance.
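The following script is an added diagnostic example, not part of the ADAudit Plus documentation. Run it in an elevated PowerShell session on the DC to check the conditions from Steps 3 to 6 in one pass (service account group membership, DNS forward/reverse records, Sysmon service state, and size/retention of the Sysmon/Operational channel named above). The service account name, the Sysmon service names and the use of the ActiveDirectory module are assumptions; the 2GB and 12-hour thresholds are taken from Step 6.

```powershell
# Added example: prerequisite checks for Sysmon auditing on a DC (not vendor code).
# Assumptions: ActiveDirectory module available (standard on a DC), Sysmon service
# is named Sysmon64 or Sysmon, $ServiceAccount is the sAMAccountName configured
# under Domain Settings in ADAudit Plus (placeholder value below).
param(
    [string]$ServiceAccount = 'svc-adauditplus',   # placeholder, replace with your account
    [int]$MinHours = 12,                           # minimum retention window from Step 6
    [long]$MinLogBytes = 2GB                       # minimum log size from Step 6
)
Import-Module ActiveDirectory -ErrorAction Stop
$results = [ordered]@{}

# Step 5: Sysmon must be installed and running
$svc = Get-Service -Name 'Sysmon64','Sysmon' -ErrorAction SilentlyContinue | Select-Object -First 1
$results['SysmonService'] = if ($svc) { "$($svc.Name) is $($svc.Status)" } else { 'NOT INSTALLED' }

# Step 6: size and retention of the channel where Sysmon writes its events
$channel = 'Microsoft-Windows-Sysmon/Operational'
$log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
if ($log) {
    $results['LogEnabled'] = $log.IsEnabled
    $results['LogMode']    = $log.LogMode             # Circular = oldest events get overwritten
    $results['LogSizeOK']  = $log.MaximumSizeInBytes -ge $MinLogBytes
    # If the log is full and its oldest surviving event is younger than $MinHours,
    # events are being overwritten before the product can collect them.
    $oldest = Get-WinEvent -LogName $channel -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $results['RetentionOK'] = (-not $oldest) -or (-not $log.IsLogFull) -or
        (((Get-Date) - $oldest.TimeCreated).TotalHours -ge $MinHours)
    $results['EventsInWindow'] = @(Get-WinEvent -FilterHashtable @{
        LogName = $channel; StartTime = (Get-Date).AddHours(-$MinHours)
    } -ErrorAction SilentlyContinue).Count
} else {
    $results['LogEnabled'] = 'CHANNEL MISSING (Sysmon not configured)'
}

# Step 3: the service account must be a member of Builtin\Event Log Readers
$readers = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive -ErrorAction SilentlyContinue
$results['InEventLogReaders'] = [bool]($readers | Where-Object SamAccountName -eq $ServiceAccount)

# Step 4: the DC needs matching forward (A) and reverse (PTR) DNS records
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$fwd  = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
$ptr  = $fwd | ForEach-Object { Resolve-DnsName -Name $_.IPAddress -Type PTR -ErrorAction SilentlyContinue }
$results['ForwardLookup'] = [bool]$fwd
$results['ReverseLookup'] = [bool]$ptr -and
    ((@($ptr.NameHost) | ForEach-Object { $_.TrimEnd('.') }) -contains $fqdn)

[pscustomobject]$results | Format-List
```

Any value reported as $false, NOT INSTALLED or CHANNEL MISSING points at the corresponding step above; a low EventsInWindow count with RetentionOK $true usually means Sysmon itself is not logging rather than a collection problem.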

Related topics and articles

How to contact support  

If the issue persists, contact our support team here.
