Troubleshooting missing initiator issues in Cayosoft Guardian
This article explains why the Who field may be empty in Change History and how to troubleshoot initiator discovery issues in Cayosoft Guardian.
How initiator discovery works
Cayosoft Guardian collects changes by using Change Collection jobs and stores them as Change History records. These records show what changed, but they do not contain initiator information by themselves.
To populate the Who field, Cayosoft Guardian uses audit events collected by Event Collection jobs.
- When a change occurs, the audited system writes an event to its internal event log.
- Cayosoft Guardian collects that event through the Event Collection job.
- Cayosoft Guardian correlates the event with the matching Change History record and populates the Who field.
Initiator discovery statuses
- Pending — The change has been collected, but Cayosoft Guardian has not yet found a matching event.
- Discovered — Cayosoft Guardian found a matching event and populated the Who field.
- Expired — Cayosoft Guardian did not find a matching event within 24 hours and stopped discovery for that record.
It is not recommended to change the expiration period without guidance from Cayosoft Technical Support.
You can filter Change History by using advanced filters such as:
discoveryStatus eq 'Discovered'
discoveryStatus eq 'Pending'
discoveryStatus eq 'Expired'
Common causes
Missing initiator information usually means one of the following:
- Auditing is not configured correctly for the managed domain.
- Required audit policies are not enabled on domain controllers.
- The Event Collection job is failing or cannot connect to domain controllers.
- Security Event Logs are too small and events are overwritten before Cayosoft Guardian collects them.
- Event processing is delayed because of high event volume or limited Guardian or SQL resources.
- The change does not presume an initiator by design.
Identify the pattern
Review Change History for the last week, excluding the most recent 24 hours, and look for the following patterns:
| Pattern | Likely cause | Related article |
|---|---|---|
| No initiator is discovered at all. | Event Collection issues | Issues with the Event Collection job |
| Some change types always have an initiator, while others never do. | Missing audit events, incorrect audit policy, or changes that do not presume an initiator | Issues with event generation in the audited system; Changes that do not presume initiator |
| The same type of change sometimes has an initiator and sometimes does not. | Event log size issues, change collection delays, false positives, or slow event processing | False positives; Issues with event log size; Issues with change collection |
Verify domain auditing
When you add a domain in Cayosoft Guardian, the Audit enabled option must be selected. This setting ensures that the required SACL entries exist at the root of the audited partition so that supported changes generate audit events.
- Open the Cayosoft Guardian web portal.
- Go to Configuration > Managed Domains.
- Select the domain and click Properties.
- Make sure Audit enabled is selected.
If this setting was previously enabled and is now cleared, another application or administrator may have modified the ACL. Re-enable auditing and monitor the setting for several days.
For background information, see:
Verify audit policies
Cayosoft Guardian does not configure audit policies directly. The required audit policies must be enabled on each domain controller so that the relevant events are generated.
To review effective audit policy locally on a domain controller, run:
auditpol /get /category:*
To check audit policy remotely from the Guardian server, run:
Invoke-Command -ComputerName DC01 -ScriptBlock { auditpol /get /category:* }
If the expected policy is configured in GPO but is not effective on the domain controller, generate a Resultant Set of Policy report:
gpresult /h c:\temp\gp.html
For more information, see Troubleshooting issues with managed domains.
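The remote auditpol check above, extended to several domain controllers at once so that gaps stand out in one table. This is an added example, not Cayosoft's code; the domain controller names and the subcategory list are illustrative assumptions, and the subcategories Guardian actually requires should be taken from the Cayosoft documentation or the Health Check report.

```powershell
# Added example (not Cayosoft's code): compare the effective audit policy on several
# domain controllers against a list of subcategories that must not be "No Auditing".
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # assumed names, replace with yours
    [string[]]$RequiredSubcategories = @(               # illustrative list, adjust as needed
        'Directory Service Changes',
        'User Account Management',
        'Security Group Management'
    )
)

$results = foreach ($dc in $DomainControllers) {
    try {
        # /r makes auditpol emit CSV, which is easier to parse than the default table layout
        $csv = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            auditpol /get /category:* /r
        }
        # drop blank lines before parsing; columns include Subcategory and Inclusion Setting
        $policy = $csv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

        foreach ($name in $RequiredSubcategories) {
            $row = $policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
            [pscustomobject]@{
                DomainController = $dc
                Subcategory      = $name
                Setting          = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
                Ok               = ($null -ne $row) -and ($row.'Inclusion Setting' -ne 'No Auditing')
            }
        }
    } catch {
        # WinRM or permission failures show up here instead of aborting the whole run
        [pscustomobject]@{
            DomainController = $dc
            Subcategory      = '*'
            Setting          = "Error: $($_.Exception.Message)"
            Ok               = $false
        }
    }
}

$results | Format-Table -AutoSize
```

Any row with Ok = False points to the domain controller and subcategory to investigate with the gpresult report described above.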
Verify the Event Collection job
If the Event Collection job is stopped or fails with errors, Cayosoft Guardian cannot populate the Who field.
- Open the Cayosoft Guardian web portal.
- Go to Configuration > Jobs.
- Select the Event Collection job and click Properties.
- Open the Execution History tab.
- Review the Execution result column for errors.
If an execution failed, open the failed entry and review the workflow steps to identify where the error occurred.
WinRM connectivity is a common cause of collection failures. For more information, see How to troubleshoot WinRM connectivity issues.
If a domain controller is permanently unavailable but still exists in Active Directory configuration, you can exclude it from event collection:
- Go to Configuration > Jobs.
- Select the Event Collection job and click Properties.
- Select Collect Active Directory Audit Logs and click Properties.
- In Exclude domain controllers, enter the domain controller names to exclude.
- Click OK.
Check for slow event processing
Sometimes Cayosoft Guardian collects events successfully, but initiator discovery is delayed because event processing is slower than event collection.
This usually happens when Security Event Logs contain very large numbers of events or when the Guardian server or SQL Server does not have enough resources.
- Go to Change Monitoring > Event log.
- Review recent events for repeated actions, mass updates, or large numbers of events from the same initiator.
- Open events logged a few hours earlier and review the Change Records tab.
- If matching events exist but related Change History records still do not show initiator information, Guardian may be processing events too slowly.
Also review CPU, memory, disk, and SQL performance. Confirm that the environment meets the requirements in Planning and preparation: Cayosoft Guardian System Requirements.
Check Security Event Log size and retention
If the Security Event Log is too small, relevant events may be overwritten before Guardian collects them. Make sure the log retains events for at least 24 hours.
To change Security Event Log settings locally on a domain controller:
- Press Win + R, type eventvwr.msc, and press Enter.
- Go to Event Viewer > Windows Logs > Security.
- Right-click Security and select Properties.
- Adjust Maximum log size as needed.
- Set the retention method to Overwrite events as needed.
- Click OK.
To configure the same setting through Group Policy:
- Open the Group Policy Management Console.
- Open the GPO applied to domain controllers.
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.
- Configure Maximum security log size.
- Set the retention method to Overwrite events as needed.
After making changes, let the product run for at least 24 hours before reevaluating initiator discovery.
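A way to verify the 24-hour retention requirement above without opening Event Viewer on each domain controller: read the Security log configuration and the age of its oldest retained record remotely. This is an added example, not Cayosoft's code; the domain controller names are assumptions.

```powershell
# Added example (not Cayosoft's code): report whether the Security log on each domain
# controller currently holds at least 24 hours of events, along with its size settings.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),  # assumed names, replace with yours
    [int]$MinimumHours = 24                             # retention window initiator discovery relies on
)

$report = foreach ($dc in $DomainControllers) {
    try {
        Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            $log = Get-WinEvent -ListLog Security
            # -Oldest reads from the start of the log, so the first record is the oldest retained
            $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
            $span   = (Get-Date) - $oldest.TimeCreated
            [pscustomobject]@{
                DomainController = $env:COMPUTERNAME
                MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB)
                UsedMB           = [math]::Round($log.FileSize / 1MB)
                LogMode          = $log.LogMode        # Circular = "Overwrite events as needed"
                RecordCount      = $log.RecordCount
                RetainedHours    = [math]::Round($span.TotalHours, 1)
                MeetsMinimum     = $span.TotalHours -ge $using:MinimumHours
            }
        }
    } catch {
        # WinRM or permission failures show up here instead of aborting the whole run
        [pscustomobject]@{
            DomainController = $dc
            MaxSizeMB        = $null
            UsedMB           = $null
            LogMode          = "Error: $($_.Exception.Message)"
            RecordCount      = $null
            RetainedHours    = $null
            MeetsMinimum     = $false
        }
    }
}

$report | Format-Table -AutoSize
```

If RetainedHours is below the minimum while UsedMB is well under MaxSizeMB, the log was cleared recently rather than undersized; re-check after it has had time to fill.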
Use Health Check
Health Check can help validate whether domain auditing and effective audit policies are configured correctly.
To review Health Check results, use the managed domain properties or download the latest report from Settings > Service Settings > Health Check Settings.
For more information, see Health check in Cayosoft Guardian.
NOTE: If you use a read-only gMSA account for auditing, some audit policy checks may be suppressed because the account does not have permission to read those settings.
Changes that do not presume initiator
Some changes do not have initiator information by design because they are performed automatically by Active Directory or Microsoft services and do not generate a corresponding audit event.
Examples include:
- account lockout expiration
- automatic computer password reset
- deleted object recycling
- permissions propagation from AdminSDHolder
- temporary group membership removal caused by TTL expiration
- Teams summary updates
- group-based license assignment results
Contact Cayosoft Support
If initiator discovery issues continue after you verify auditing, audit policies, Event Collection, log retention, and system performance, collect the following information and send it to Cayosoft Support:
- a screenshot of Execution History showing timings
- screenshots of the error details
- a diagnostics package collected by using Collect diagnostics
- log files from C:\ProgramData\Cayo Software\Guardian\log
- Health Check results, if available