I just moved Netwrix Auditor to a new server (2025). Same for the SQL server (2025).
No issues during the migration process!
But now, in the “Netwrix Auditor Health Log”, I have got some warnings:
Source: Active Directory Audit Service
Event: 2001
The following error has occurred while processing “domain.name“:
Error collecting the security log of the domain domaine.name. Failed to process the domain controller DC.domain.name due to the following error: The system cannot find the file specified.
And the same for the Group Policy Audit Service.
I have 3 DCs, and the warnings are only for one of the three DCs!
I went through all my config and didn’t find anything special; nearly everything is set up by GPO.
I also spent a lot of time on the KBs from Netwrix, nothing.
Any ideas? Otherwise I’ll open a ticket with Netwrix support.
Welcome to the Netwrix Community! I’ll do my best to help you get this resolved. If we’re unable to fix it here, I can assist you in opening a ticket with one of our Support Engineers.
This error message can have a few different causes. Most commonly, it’s related to permissions or a firewall configuration. Let’s go through some things you can check.
Verify permissions
Make sure the account configured in your Monitoring Plans is a local administrator on the new Netwrix Auditor server. Even if the account is a Domain Admin, it might not automatically be a local admin—especially if any of the default Windows permission groups have been modified.
Ensure the old server is fully decommissioned
If your previous Netwrix Auditor server is still running, it could be trying to collect data simultaneously. If so, I recommend stopping all Netwrix services on that server. You can do that by opening PowerShell (as Administrator) and running:
stop-service -displayname Netwrix*
Test access to the domain controller event logs
If you’re using a gMSA account, confirm the new server has permission to use that existing gMSA. If you need help updating it, let me know.
If you’re not using a gMSA account, try this test:
On the new Netwrix Auditor server, open Event Viewer.
Select Action > Connect to Another Computer, and enter the full FQDN of one of your domain controllers.
If you’re not logged in with the Auditor Data Collection account, select “Connect as another user” and provide those credentials.
If you’re unable to connect, it’s likely a firewall or account access issue—especially if this affects only one domain controller.
Firewall ports
Verify that the necessary ports are open between the Netwrix Auditor server and your domain controllers. You can reference the documentation here:
I double-checked everything:
Permissions, gMSA, firewall ports, with no luck!
My question is: does Netwrix parse event logs from all DCs, or just one?
I ask because we have 3 DCs, and Netwrix gives me errors only for 1 DC.
Maybe I have an issue just with this DC (Windows Server 2022)?
One more example of an error that I get:
Error collecting the security log of the domain xx.abc.xx. Failed to process the domain controller xx-abc-xx.xx.abc.xx due to the following error: Event log read failure. Error details: The array bounds are invalid.
To give you more info, we have Tiers in place, but “Enable network traffic compression” is off for the monitoring plans involving DCs, and “Manage auditing and security log” is allowed for the gMSA account.
Thanks for the update and sorry to hear that you are still having issues. When Netwrix Auditor does collect, it collects from every domain controller so we would be reaching out to the logs on all three DCs.
When you moved Auditor to a new server, did you go ahead and upgrade to the latest version of 10.8 or are you on an earlier version of Netwrix Auditor?
Can you also look at the Domain Controller in question and let me know how large the Security Event Log is set to? You can check in Properties.
Once you get back to me with this information, I’ll let you know the next steps.
Michael Purdin
Manager, Technical Support Engineering
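Added example, not part of the replies above and not Netwrix code: a PowerShell script that runs the remote Event Viewer test and the Security log size check from this thread against all three DCs at once, so the failing DC can be compared with the two healthy ones. The DC names are placeholders, the session is assumed to run on the Auditor server under an account with the same rights as the data collection account, and TCP 135 is checked only as a first reachability test, not as the full port list.

```powershell
# Added example. DC names are placeholders; replace them with your own FQDNs.
$domainControllers = 'dc1.domain.name', 'dc2.domain.name', 'dc3.domain.name'

$results = foreach ($dc in $domainControllers) {
    $row = [ordered]@{
        DC         = $dc
        Rpc135Open = $null
        MaxSizeMB  = $null
        FileSizeMB = $null
        LogMode    = $null
        ReadOK     = $false
        Error      = $null
    }

    # Assumption: TCP 135 (RPC endpoint mapper) is used here as a basic
    # reachability check only. Take the full port list from the vendor docs.
    $row.Rpc135Open = Test-NetConnection -ComputerName $dc -Port 135 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    try {
        # Remote equivalent of Event Viewer > Security > Properties.
        $log = Get-WinEvent -ListLog Security -ComputerName $dc -ErrorAction Stop
        $row.MaxSizeMB  = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        $row.FileSizeMB = [math]::Round($log.FileSize / 1MB, 1)
        $row.LogMode    = $log.LogMode

        # Remote equivalent of "Connect to Another Computer": read real events.
        $null = Get-WinEvent -LogName Security -ComputerName $dc `
            -MaxEvents 5 -ErrorAction Stop
        $row.ReadOK = $true
    }
    catch {
        # Keep the message so the failing DC can be compared with the others.
        $row.Error = $_.Exception.Message
    }

    [pscustomobject]$row
}

# One row per DC: a DC with ReadOK = False or a very different log size
# or mode is the one to investigate first.
$results | Format-Table -AutoSize -Wrap
```

A row where `Rpc135Open` is true but `ReadOK` is false points away from basic connectivity and toward permissions or the log itself on that DC.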
Thanks for the update. Were you able to reach the Event Log FROM the Auditor server or did you get that Event Log screenshot from the DC itself?
If you were able to reach that from the Auditor server, I believe the best thing to do would be for me to open a support ticket for you and let one of our engineers work with you and review logs to see what might be causing the issue.
If you are okay with that, please send me a direct message with your email address and I’ll get that ticket open for you.
Michael Purdin
Manager, Technical Support Engineering