KBI 220308 Unable To Find Event ID Entries In Argent Data Consolidator

Version

7.0A-0407

Date

2 Nov 2004

Summary

A Customer may call in stating that he is consolidating data from security logs on his Windows servers, but is unable to build reports on some of the event IDs.

For example, the Customer may state that he is trying to build a report for Audit Successes on Event ID 624.

Technical Background

Often this is caused by the Customer having insufficient auditing enabled on his domain.

If Customer is not auditing the specific type of event on his domain, no entry is made in the event log and the Argent Data Consolidator cannot obtain the data.

There are numerous audit settings that must be considered:

  1. Auditing of account logon events
  2. Auditing of account management events
  3. Auditing of Directory Service Access
  4. Auditing of user logon events
  5. Auditing of object access
  6. Auditing of privilege use
  7. Auditing of process tracking
  8. Auditing system events

Resolution

Have the Customer check his domain controllers to ensure that the proper type of auditing is enabled for his domain before he tries to capture the events in the Argent Data Consolidator.