In this article:
Issue description
Prerequisites
Possible causes
Resolution
Related topics and articles
How to contact support
Issue description
ADAudit Plus will report all local logons and logoffs against a machine in your organization, such as a laptop. However, if ADAudit Plus displays the No Data Available message, this may indicate various issues, including a lack of auditing policies, log collection issues, or more specifically, the lack of access to read the Security logs of the target machine's Event Viewer.
Prerequisites
The machine where logon activity occurs must be configured in ADAudit Plus.
The target machine should be reachable from the server where ADAudit Plus is installed.
Required RPC ports (135 and dynamic ports 49152-65535) must be open bidirectionally, or at least allowed by inbound rules on the target server.
The account configured in ADAudit Plus should either be a part of the domain admins group or should have all the necessary privileges listed here.
Logon/logoff audit policies must be enabled to capture local logon events.
Event log settings must be properly configured to retain logs until they are collected.
Possible causes
Target machine may not be configured within the application.
Target workstation or Windows server is not reachable.
Required privileges are not assigned to the configured service account.
Log collection failure when the RPC service is unavailable or blocked due to firewall restrictions.
Log size is not configured correctly, leading to data being purged before collection.
Unable to log events to the security log (Event ID 521), security log is full, event logging is disabled, or system audit policies are misconfigured.
Misconfigured local logon-logoff audit policies on the monitored machine.
Resolution
Step 1: Ensuring all machines where logon activity occurs are configured in ADAudit Plus
Log in to ADAudit Plus.
If the target machine is a domain controller, navigate to Domain Settings and verify that all domain controllers where local logon activity occurs are configured within the application.
If the target machine is a member server or a workstation, navigate to Server Audit > Configured Server(s) > Member Servers/Workstations and ensure that any servers or workstations where local logon activity takes place are configured in ADAudit Plus.
Step 2: Verify network connectivity
Ping the target server from the ADAudit Plus server.
To ping a server, open Command Prompt (Run > CMD)
Type ping <target_server name> -4, for example, ping terminal01
Step 3: Insufficient privileges
Ensure that the service account is configured in ADAudit Plus:
Log in to ADAudit Plus and navigate to Domain Settings.
Under Configured Domain(s), click the domain drop-down menu and select Modify credentials.
In the Modify Domain Credentials window, check the Authentication box and add the user account in ADAudit Plus. If the account is already configured, please proceed with the next troubleshooting step.
Ensure the service account is part of the domain admin group:
Navigate to one of your domain controllers.
Click Start > Run > dsa.msc and double-click the service account associated with ADAudit Plus.
Click the Member Of tab and add the group Domain Admins.
Click Apply and see if the log collection resumes.
Ensure the service account is part of the Event Log Readers group:
Remote into a server which has Group Policy Management Console (GPMC) installed.
Open GPMC and right-click ADAudit Plus Permission GPO > Edit.
Navigate to Computer Configuration > Preferences > Control Panel Settings.
Right-click Local Users and Groups > New > Local Group.
Select the Event Log Readers group > Add the service account configured in ADAudit Plus.
Note: If you are still unable to resolve the Access Denied error message, click here for our additional privileges documentation.
Step 4: Fix log collection failure (RPC service unavailable)
Enable the following Inbound Rules on the target server:
Open Windows Defender Firewall and navigate to Advanced Security.
Click Inbound Rules.
Locate and enable the following rules:
Remote Event Log Management (NP-In)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
COM+ Network Access (DCOM-In)
Note: For additional ports, external firewalls, or a centralized firewall, you must enable all ports listed in this guide.
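Steps 2 to 4 can also be checked from PowerShell. The script below is an added example, not part of the original article or of ADAudit Plus. It assumes Windows PowerShell 5.1 or later, uses terminal01 (the sample host from Step 2) as a placeholder target, and its parameter names are illustrative.

```powershell
# Added example, not ManageEngine code. 'terminal01' is the sample host from Step 2.
param(
    [string]$Target = 'terminal01',
    [pscredential]$Credential,   # optional: the service account configured in ADAudit Plus
    [switch]$OnTarget            # set when running locally on the monitored machine
)

if ($OnTarget) {
    # Step 4: state of the inbound rules listed above, per firewall profile.
    $rules = 'Remote Event Log Management (NP-In)',
             'Remote Event Log Management (RPC)',
             'Remote Event Log Management (RPC-EPMAP)',
             'COM+ Network Access (DCOM-In)'
    foreach ($name in $rules) {
        $found = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        if (-not $found) {
            [pscustomobject]@{ Rule = $name; Profile = 'n/a'; Enabled = 'rule not found' }
        }
        foreach ($r in $found) {
            [pscustomobject]@{ Rule = $name; Profile = $r.Profile; Enabled = $r.Enabled }
        }
    }
    return
}

# Step 2: ping the target. Step 4: TCP 135 (RPC endpoint mapper) from the ADAudit Plus server.
$ping = Test-Connection -ComputerName $Target -Count 2 -Quiet
$rpc  = (Test-NetConnection -ComputerName $Target -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded

# Steps 3 and 4 end to end: read one Security event remotely, which needs both
# the RPC path (including the dynamic ports) and read access to the Security log.
$read = 'OK'
try {
    $query = @{ ComputerName = $Target; LogName = 'Security'; MaxEvents = 1; ErrorAction = 'Stop' }
    if ($Credential) { $query.Credential = $Credential }
    Get-WinEvent @query | Out-Null
} catch [System.UnauthorizedAccessException] {
    $read = 'Access denied: review the privileges in Step 3'
} catch {
    $read = "Failed: $($_.Exception.Message)"   # RPC and firewall errors surface here
}

[pscustomobject]@{ Target = $Target; Ping = $ping; Tcp135 = $rpc; SecurityLogRead = $read }
```

Run it without -OnTarget on the ADAudit Plus server, and with -OnTarget in a session on the monitored machine.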
Step 5: Validate and test the event log retention settings in the Event Viewer
Ensure the maximum log size is set to at least 4GB:
Log in to the domain controller.
Go to Start > Run > eventvwr.
Double-click Windows Logs, right-click Security > Properties.
Set the Maximum log size (KB) to 4194240KB (4GB).
Click Apply and OK.
To achieve the event log retention settings configuration via Group Policy:
Log in to the domain controller.
Go to Start > Run > GPMC.msc.
Find and edit the ADAuditPlusPolicy GPO or the GPO assigned to your servers or workstations.
Under Computer Configuration, navigate to Policies > Windows Settings > Security Settings > Event Log.
In the right pane:
Right-click Retention method for security log > Properties, and set it to Overwrite events as needed.
Right-click Maximum security log size, select Properties, and set the size to 4194240 kilobytes (4GB).
Note: For more information on the required event log retention size, see this guide.
Step 6: Fix Event ID 521 (Unable to log events to security logs)
ADAudit Plus requires events to be logged correctly in the Event Viewer. If Event ID 521 is generated, it indicates that the system has failed to log security events, resulting in log collection failure. To increase the security log size in the Event Viewer:
Log in to the domain controller.
Go to Start > Run > eventvwr.
Double-click Windows Logs, then right-click Security > Properties.
Set the Maximum log size (KB) to 4194240 kilobytes (4GB).
Click Apply and OK.
Ensure the Windows Event Log service is running:
Press Win + R to open the Run dialog, type services.msc, and press Enter.
Find Windows Event Log in the list and check if it is running and set to Automatic.
If the service is stopped, right-click it and select Start.
Step 7: Ensure required audit policies are enabled
Log in to a system with GPMC using Domain Admin credentials.
Open GPMC and navigate to:
Default Domain Controllers Policy for managing domain accounts.
ADAuditPlusMSPolicy, ADAuditPlusWSPolicy, or the relevant audit policy applied to the workstation or member server for local logon-logoff auditing.
Right-click the selected policy and click Edit.
Audit policies to be enabled:
Logon/Logoff |
| Success and Failure |
| Success Success and Failure |
Note: To find more information on the audit policies and how to create a GPO for ADAudit Plus, see this guide.
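The settings from Steps 5 to 7 can be read back on the monitored machine to confirm that the GPO actually applied. The script below is an added example, not part of the original article or of ADAudit Plus. It assumes an elevated Windows PowerShell 5.1 session on an English-language system, and the 7-day lookback for Event ID 521 is an arbitrary choice.

```powershell
# Added example, not ManageEngine code. Run elevated on the monitored machine.
$requiredBytes = 4194240KB          # maximum log size from Steps 5 and 6, in bytes
$lookback      = (Get-Date).AddDays(-7)   # assumption: one week of history is enough

$log = Get-WinEvent -ListLog Security
$svc = Get-Service -Name EventLog   # service behind "Windows Event Log" in services.msc

# Oldest event still in the log: shows how far back the log actually reaches
# before older events are overwritten.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue

# Step 6: occurrences of Event ID 521. Assumes the event is recorded in the
# Security log, as the step title indicates.
$filter = @{ LogName = 'Security'; Id = 521; StartTime = $lookback }
$e521   = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

[pscustomobject]@{
    MaxSizeKB        = $log.MaximumSizeInBytes / 1KB
    MaxSizeOk        = $log.MaximumSizeInBytes -ge $requiredBytes
    LogMode          = $log.LogMode       # Circular = "Overwrite events as needed"
    LogEnabled       = $log.IsEnabled
    OldestEvent      = $oldest.TimeCreated
    ServiceStatus    = $svc.Status        # expected: Running
    ServiceStartType = $svc.StartType     # expected: Automatic
    Event521Count    = $e521.Count
}

# Step 7: effective Logon/Logoff audit settings after Group Policy has applied.
# The category name is localized; this form is for English systems.
auditpol.exe /get /category:"Logon/Logoff"
```

If MaxSizeOk is False or LogMode is not Circular after the GPO edit, run gpupdate /force on the machine and check again.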
Related topics and articles
How to configure Eventlog retention settings
How to reach support