Sentry-go®, Copyright © 2000-2012, 3Ds (UK) Limited
Sentry-go KnowledgeBase
 
Title   User access information is missing even though it is configured to be recorded.
Applies To   Sentry-go File Monitoring Component

Problem:
 
User access information is missing even though it is configured to be recorded.
   

Cause:
 
This is often caused by one of the following ...
 
  • The PC or server is not configured to generate file access information.
  • The domain is preventing the local PC or server from generating file access information.
  • The files/directories being monitored have not been configured to generate file access (audit) information.
  • The files/directories being monitored have not been configured to record user access information.
  • User access information has been mapped out - e.g. the user or path has been configured to be ignored.
  • The user running the monitoring server cannot access the Security EventLog, or the log is not configured correctly & records
    are being lost.

Solution:

Full information on configuring Sentry-go & your server environment etc. to allow file access information to be captured & recorded is
available here. 
 
To test the availability of user access information, follow these steps ...

  • Configure the monitor, select the "Files" tab.
  • Select one of the checks that is configured to retrieve user access information & click the "Verify user access" button.
  • The Console will connect to the monitor & display a web report. This report will show the test results for the given file/directory.
  • If these results indicate an error, then user access information is currently not available for the file/directory selected. In this case you should continue with the steps below.
  • If the results indicate that access is available, then Event Log records may be being missed or lost at runtime.

To ensure your domain & server are correctly configured ...

  • Run the Client Console & configure the monitor.
  • On the configuration window, click the "Files" tab.
  • At the bottom of this window, click the "User Access Settings" button.
  • From this window, click "Enable & Verify File Auditing". This in turn will request the monitor to verify and, if necessary, enable file auditing on the local server.
  • After the monitor has enabled access, it will automatically run a test to verify whether access is available.
  • If the tests indicate success, your server & domain are configured correctly.
  • If not, check the error message.
  • If the message indicates a permission-based error is preventing access, ensure the logon ID used to run the Sentry-go monitor is a local administrator or equivalent.
     
    By default, the Local System account will have been configured by Setup. If this is not the case, update the logon ID (or change it to an Administrator or equivalent).
     
  • If configuration worked, but the test failed, verify that your domain security policy is not preventing the local policy from configuring audit information.
     
    To do this, either contact your System Administrator or click here for information on how to do this.
     
  • Repeat the test shown above to see if the problem is now resolved.

To ensure your file Event Log is correctly configured ...

  • Run the Client Console & configure the monitor.
  • On the configuration window, click the "Files" tab.
  • Click the "User Access Settings" button.
  • Now click the "Verify Event Log" button.
  • Review the results displayed in the web page.
  • If issues are reported, then it is possible that these settings are preventing some of the recorded information from being retained long enough to be accessible to the monitor.
  • In some cases, where larger volumes of logging records are being recorded in the Event Log or the records are cleared or overwritten before configuration information is read by the monitor, user access information may be lost.
     
    If you think this may be a possibility ...

    - Reduce the time interval between scans for the check
    - Increase the max. size of the Security Event Log using Windows Event Viewer (EventVrw.exe).
     
  • For more information, contact your System Administrator or click here for details on configuring the Event Log.

To ensure your file checks are correctly configured ...

  • Run the Client Console & configure the monitor.
  • On the configuration window, click the "Files" tab.
  • Edit one of the monitoring checks that should record file access information.
  • Select the "User Access" tab.
  • Ensure the "Record user access details" option is ticked.
  • Check for any exclusions in the user/process field that may be causing the details to be ignored.
  • At the bottom of this window, ensure the "Configure Windows Auditing" & "Verify user access" options are ticked.
    The latter will also cause alerts to be generated if the monitor detects that user access information is unavailable.

To verify your file checks are correctly configured ...
 

  • On the main file list, select "User Access Settings".
  • From this window, click "Enable & Verify File Auditing". This in turn will request the monitor to verify and, if necessary, enable file auditing on the selected directories.
  • After the monitor has enabled access, it will automatically run a test to verify whether access is available.
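
The Windows-side causes listed above (audit policy, audit entries on the monitored path, Security Event Log capacity) can also be checked directly on the server. The script below is an added example, not part of Sentry-go or its documentation. It assumes Windows Vista / Server 2008 or later, an English-language system and an elevated prompt; the default path is a constructed placeholder.

```powershell
# Added example. Run from an elevated PowerShell prompt on the monitored server.
# $Path is a constructed placeholder: pass a directory covered by a file check.
param([string]$Path = 'C:\Data\Monitored')

# 1. Effective audit policy. "File System" must audit Success and/or Failure.
#    A domain policy can overwrite the local setting at the next refresh, so
#    re-run this after "gpupdate /force". The name is localised on non-English
#    Windows, in which case the match below finds nothing.
$match = auditpol /get /subcategory:"File System" |
    Select-String -Pattern '^\s*File System\s{2,}(.+?)\s*$' | Select-Object -First 1
$setting = if ($match) { $match.Matches[0].Groups[1].Value } else { 'not found' }
"Audit policy (File System): $setting"
if ($setting -notmatch 'Success|Failure') {
    Write-Warning 'File System auditing is not enabled (or could not be read).'
}

# 2. Audit entries (SACL) on the monitored path. With none, the policy above
#    has nothing to apply to and the path generates no events.
$sacl = (Get-Acl -Path $Path -Audit).Audit
if ($sacl) {
    $sacl | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize |
        Out-String
} else {
    Write-Warning "No audit entries are set on $Path."
}

# 3. Security log capacity. If the oldest record is more recent than the
#    check's scan interval, events are overwritten before they can be read.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
"Security log: {0:N0} MB max, mode {1}, {2} records, oldest {3}" -f `
    ($log.MaximumSizeInBytes / 1MB), $log.LogMode, $log.RecordCount, $oldest.TimeCreated

# 4. Most recent object access event (ID 4663, which covers audited file
#    access), if one is still held in the log.
$last = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
if ($last) {
    "Last 4663 event: $($last.TimeCreated)"
} else {
    Write-Warning 'No 4663 events in the Security log.'
}
```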