Overview
You may notice that there are no logs in the Events Browser for specific machines (e.g. domain controller). It may also be the case that logs are not captured from source machines when using a domain administrator account instead of a local administrator account.
This issue may have various root causes; please follow the steps below to exclude them one by one.
Solution
- Configure the Logon Credentials used to connect to the affected source.
  Note: You can enter the DNS server IP address (instead of the domain name) to exclude issues with DNS name resolution (e.g., 192.160.XXX.XXX\<User>).
- Provide admin rights to the account used to connect to the machine.
  This can be done by running the following command in CMD:
  net localgroup administrators <domain>\<username> /add
  Alternatively, you can follow the steps described in the article Granting local administrative privileges to a domain account.
- Enable the following rules in Windows Defender Firewall on the source machine:
- Open Windows Defender and navigate to Advanced Settings.
- Select Inbound Rules and enable the following items:
- Remote Event Log Management (NP-In)
- Remote Event Log Management (RPC)
- Remote Event Log Management (RPC-EPMAP)
- COM+ Network Access (DCOM-In)
- Reconfigure the source machines by adding them to EventsManager again. In step 4 of the process, add the name of the source machine rather than the IP Address.
- If the issue persists, install the latest patches for EventsManager 13.2.
- If still no events are gathered for the affected machine, submit a request to GFI Support, including the EventsManager logs.
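The following PowerShell script is an added example, not part of this GFI article or of EventsManager itself: it checks the prerequisites the steps above configure (local Administrators membership and the four inbound firewall rules on the source, then DNS resolution, RPC endpoint mapper reachability and a remote Security log read from the collector). The source name SRC01 and the account <domain>\<username> are placeholders; the cmdlets used come from the standard Microsoft.PowerShell.LocalAccounts, NetSecurity, DnsClient and NetTCPIP modules.

```powershell
# Added example, not part of the GFI article: verifies the prerequisites the steps above configure.
# Placeholders (assumed): source host SRC01 and the collector account <domain>\<username>.
param(
    [string]$Source  = "SRC01",
    [string]$Account = "<domain>\<username>"
)

# Run on the source machine: local Administrators membership and the four inbound firewall rules.
function Test-SourcePrerequisites {
    param([string]$Account)
    $isAdmin = [bool](Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
                      Where-Object { $_.Name -eq $Account })
    Write-Host ("Local Administrators contains {0}: {1}" -f $Account, $isAdmin)
    $ruleNames = @(
        "Remote Event Log Management (NP-In)",
        "Remote Event Log Management (RPC)",
        "Remote Event Log Management (RPC-EPMAP)",
        "COM+ Network Access (DCOM-In)"
    )
    foreach ($name in $ruleNames) {
        # A rule may exist once per profile; report "enabled" if any instance is enabled.
        $rules = @(Get-NetFirewallRule -DisplayName $name -Direction Inbound -ErrorAction SilentlyContinue)
        $state = "MISSING"
        if ($rules.Count -gt 0) {
            $state = if ($rules | Where-Object { $_.Enabled -eq "True" }) { "enabled" } else { "DISABLED" }
        }
        Write-Host ("Firewall rule '{0}': {1}" -f $name, $state)
    }
}

# Run on the EventsManager host: name resolution, RPC endpoint mapper reachability, remote log read.
function Test-CollectorAccess {
    param([string]$Source, [pscredential]$Credential)
    $addr = (Resolve-DnsName -Name $Source -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
    Write-Host ("DNS resolution of {0}: {1}" -f $Source, $(if ($addr) { $addr } else { "FAILED" }))
    $rpc = Test-NetConnection -ComputerName $Source -Port 135 -WarningAction SilentlyContinue
    Write-Host ("TCP 135 (RPC endpoint mapper) reachable: {0}" -f $rpc.TcpTestSucceeded)
    try {
        $ev = Get-WinEvent -ComputerName $Source -LogName "Security" -MaxEvents 1 `
                           -Credential $Credential -ErrorAction Stop
        Write-Host ("Remote Security log read OK, latest event id {0}" -f $ev.Id)
    } catch {
        Write-Host ("Remote Security log read FAILED: {0}" -f $_.Exception.Message)
    }
}

# Usage: on the source      Test-SourcePrerequisites -Account $Account
#        on the collector   Test-CollectorAccess -Source $Source -Credential (Get-Credential $Account)
```

A "MISSING" or "DISABLED" rule, a failed DNS lookup, or a failed remote read points at the corresponding step above; if all checks pass and events are still not collected, continue with the patch and support steps.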
<supportagent>
L1 agents should review the logs provided by the customer and search for error messages (from the logs) in the knowledge base and historical tickets. If no matching articles are found, elevate the case to L2 for further troubleshooting.
</supportagent>