In this article  

• Issue description

• Prerequisites

• Possible causes

• Resolution

• Related topics and articles

• How to reach support

Issue description  

This issue occurs when ADAudit Plus is unable to collect logs related to network share activity. This can be due to configuration issues, permission restrictions, or missing audit policies.

Prerequisites  

• Ensure the monitored share's servers are added and configured in ADAudit Plus.

• The target machine should be reachable from the server where ADAudit Plus is installed.

• Required RPC ports (135, 49152-65535) must be open bidirectionally or at least inbound on the target server.

• Confirm that the required audit policies are enabled to track Network Share Auditing events.

• Verify that the ADAudit Plus service account has the necessary privileges for Network Share Auditing.

Possible causes  

1. Insufficient or incorrect audit policies: ADAudit Plus may lack the necessary audit policies to ensure that events are logged whenever any activity occurs.

2. Desired events are not getting logged: The required Event IDs are not being captured on Windows servers and workstations.

3. Incorrect search criteria: The specified search criteria for the required data may be incorrect.

4. Unable to log events to Security Log (Event ID 521): This error occurs when the security event log fails to log events.

5. Log collection failure: This might be due to Access Denied/RPC service unavailable error messages, preventing ADAudit Plus from collecting logs.

Resolution

Step 1: Verify audit policy configuration

1. Log in to a system with Group Policy Management Console (GPMC) using Domain Admin credentials.

2. Open GPMC and navigate to:

• Default Domain Controllers Policy (if managing domain accounts)

• ADAuditPlusMSPolicy

3. Right-click the relevant policy and select Edit > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy, and double-click the relevant policy setting.

4. Navigate to the right pane and right-click the relevant Subcategory > Properties, and select Success, Failure, or both, as directed below:

Step 2: Review if desired events are getting logged  

1. Log in with domain admin credentials.

2. Open Run, type eventvwr.msc.

3. Right-click Event Viewer, connect to the target server, and verify if the following event IDs are logged:

Event ID 5140, 5142, 5143, 5144.

Step 3: Verify search criteria  

1. Click the Server Audit tab > Network Share Auditing.

2. Choose the Report and select the Domain.

3. Set the Period (e.g., Today, Yesterday, This Week, This Month). Define a custom period if needed.

4. Choose the required hours and select the objects for which you need the report.

 Step 4: Resolve Event ID 521: Failure to write events to the Security Log 

Since ADAudit Plus relies on Event Viewer, it retrieves events from there. A high number of Event ID 521 entries may indicate an issue with event logging.

1. Restart the Windows Event Log service.

2. Restart the affected server.

3. Check the security log retention settings: 

• Ensure the maximum log size is sufficient and set to overwrite as needed.

Step 5: Resolve the log collection failure  

1. Fix the Access Denied/RPC Service Unavailable errors preventing log collection.

2. Ensure RPC ports (135 and dynamic range 49152-65535) are open in the firewall.

If you receive the error A security package specific error occurred,   this is due to conflicting IP addresses with the same SPN for multiple machines. Ensure that:

1. The domain controller showing the error has forward and reverse lookup entries in DNS.

Related topics and articles

• Network share auditing guide

• Configure event log settings

• Ports guide

• Service account configuration

When and how to contact support  

• If No Data Available persists after verifying configurations.

• If the report shows repeated failures or retrieval errors.

• If the dashboard continues to display incorrect or no data despite troubleshooting.

• If you suspect a bug in ADAudit Plus.