Troubleshooting missing initiator issues in Cayosoft Guardian
Core issue for Threat Detection accuracy
When monitoring changes in Active Directory using Cayosoft Guardian, identifying the initiator of an event is crucial for auditing and security purposes.
However, in some cases, the Who column in event logs may be empty, making it difficult to determine who performed a particular action. This issue typically arises due to misconfiguration in domain settings, group policies, event collection jobs, or security event log settings.
This article covers common causes and solutions for missing initiator information.
A domain is not properly configured
When a domain is added to Cayosoft Guardian using the wizard, the Audit switch must be set to Enabled. With the switch Enabled, Cayosoft Guardian adds the necessary access control entries to the domain (see the links below for more information about ACEs and SACLs). Once the entries are in place, a domain controller generates an event every time an operation is performed on an Active Directory object.
Find more information about ACE and SACL here:
To ensure that auditing is enabled, check the domain's configuration:
- Open the Cayosoft Guardian web portal.
- Select the Managed Domains node under Configuration.
- Select the domain and click Properties.
- Ensure the Audit enabled checkbox is selected.
Group policies generating events are not configured
A corresponding group policy must be enabled before the initiator of certain changes or events, such as an account lockout or a password change, can be detected. Learn more about the events collected by Cayosoft Guardian and prerequisites such as the Group Policies that must be configured: Events collected by Cayosoft Guardian from the Windows Event Log related to the Active Directory operations.
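The two checks above (audit entries on the domain and the audit policy on the domain controllers) can be verified from PowerShell. The following is an added example, not Cayosoft's code: it lists the SACL entries on the domain root and queries the advanced audit policy subcategories that produce directory change, password change and account lockout events. Which subcategories Cayosoft Guardian actually requires is documented in the linked article, so the three subcategory names below are an assumption chosen to match the events this section mentions. It assumes the ActiveDirectory (RSAT) module and runs as an administrator on a domain controller.

```powershell
# Added example (not Cayosoft's code). Assumes the ActiveDirectory module and
# that it is run elevated on a domain controller.
Import-Module ActiveDirectory

$dn = (Get-ADDomain).DistinguishedName

# 1. Audit entries (SACL) on the domain root. Enabling the Audit switch in the
#    Guardian wizard is what adds entries here; an empty list means no
#    object-level auditing and therefore no directory change events.
$sacl = (Get-Acl -Path "AD:\$dn" -Audit).Audit
if (-not $sacl) {
    Write-Warning "No audit entries (SACL) found on $dn"
} else {
    $sacl |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
        Format-Table -AutoSize
}

# 2. Advanced audit policy subcategories (built-in Windows names; the choice of
#    these three is an assumption based on the events named in the article).
#    auditpol reports the local machine only, so run this on each DC.
$subcategories = @(
    'Directory Service Changes',   # 5136/5137/5141: object modifications
    'User Account Management',     # 4723/4724 password changes, 4740 lockouts
    'Account Lockout'              # 4625 lockout-related logon failures
)
foreach ($sub in $subcategories) {
    # /r prints CSV; drop the blank first line before parsing it
    $row = auditpol /get /subcategory:"$sub" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    if ($setting -match 'Success') {
        Write-Host "OK      $sub : $setting"
    } else {
        Write-Warning "$sub is '$setting'; success auditing is required to record the initiator"
    }
}
```

If the subcategory shows "No Auditing", the setting is normally corrected in the GPO linked to the Domain Controllers OU rather than locally, since a local change is overwritten at the next policy refresh.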
Event collection job is not running properly
Event collection jobs process and correlate events from the domain controllers. If the job is stopped or it fails with errors, the Who column is not populated.
To collect events, Cayosoft Guardian connects to all domain controllers using Windows Remote Management (WinRM). If an Event Collection job reports a WinRM-related error, check that connection ports are not blocked by a firewall. Read more about WinRM troubleshooting.
Check that there are no errors in the execution history of the Event Collection job:
- Open the Cayosoft Guardian web portal.
- Select the Jobs node under Configuration.
- Select the Event Collection job and click Properties.
- Switch to the Execution History tab and check the Execution result column to ensure there are no errors.
- If there are errors, send the Cayosoft team a screenshot of the error and the log files from C:\ProgramData\Cayo Software\Guardian\log.
- If the job's execution history contains errors related to Windows Remote Management (WinRM), see the WinRM troubleshooting guide: How to troubleshoot issues with domain controllers.
If a domain controller cannot be reached from the Cayosoft Guardian service at all, it can be excluded from collection so that the job no longer fails on it.
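To narrow a WinRM error down to a specific domain controller before opening the job history, the following added example (not Cayosoft's code) tests the connection the Event Collection job depends on: it enumerates the domain controllers and, for each one, checks that the WinRM port is reachable through the firewall and that the WS-Management service answers. It assumes the ActiveDirectory module, the default WinRM HTTP port 5985, and that it is run on the server hosting the Cayosoft Guardian service (ideally as the account the service uses, so authentication is tested as well).

```powershell
# Added example (not Cayosoft's code). Run from the Cayosoft Guardian server;
# assumes the ActiveDirectory module and the default WinRM port 5985.
Import-Module ActiveDirectory

$winRmPort = 5985
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    # TCP reachability of the WinRM listener: a failure here points at a firewall
    $tcp = Test-NetConnection -ComputerName $dc -Port $winRmPort -WarningAction SilentlyContinue

    # WS-Management handshake: a failure here points at the WinRM service or auth
    $wsman = $null
    $err   = ''
    try {
        $wsman = Test-WSMan -ComputerName $dc -ErrorAction Stop
    } catch {
        $err = $_.Exception.Message
    }

    [pscustomobject]@{
        DomainController = $dc
        PortOpen         = $tcp.TcpTestSucceeded
        WinRMResponds    = [bool]$wsman
        Error            = $err
    }
}

$results | Format-Table -AutoSize

# Domain controllers that fail both checks are the ones to look at in the
# firewall/WinRM troubleshooting guide or, if they are intentionally unreachable,
# to add to the job's exclusion list.
$results | Where-Object { -not $_.WinRMResponds } |
    ForEach-Object { Write-Warning "$($_.DomainController): WinRM not reachable ($($_.Error))" }
```

A domain controller where PortOpen is true but WinRMResponds is false is listening but rejecting the session, which usually means a WinRM configuration or authentication problem rather than a firewall rule.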
To exclude domain controllers from the Event Collection job in Cayosoft Guardian:
- Open the Cayosoft Guardian web portal.
- Navigate to Configuration > Jobs.
- Select the Event Collection job and click Properties.
- Check Collect Active Directory Audit Logs, then click Properties.
- In the Exclude domain controllers section, enter the names of the domain controllers you want to exclude.
- Click OK to save the changes.
Security Event Log is not properly configured
If the Security event log size is too small, events might be overwritten before Cayosoft Guardian collects them. Ensure that the Security event log retains at least the last 24 hours of events. Security event log size and retention settings can be configured on each domain controller locally or propagated via a GPO to all target domain controllers.
Modifying the Security event log on the domain controller locally
- Press Win + R to open the Run dialog.
- Type eventvwr.msc and press Enter to open Event Viewer.
- In the left pane, navigate to Event Viewer > Windows Logs > Security.
- Right-click Security, and select Properties.
- Under General, adjust the Maximum log size as needed.
- In the When maximum event log size is reached section, select Overwrite events as needed to manage log retention efficiently.
- Click OK to save the changes.
Modifying the Security event log on the domain controller via GPO
- Open the Group Policy Management Console (GPMC).
- Locate and open the Group Policy Object (GPO) applied to the Domain Controllers.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.
- Configure the Maximum security log size as needed.
- Set the Retention method for the security log to Overwrite events as needed.
- Apply and save the changes.
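Whether the log on each domain controller actually keeps 24 hours of events is easiest to verify remotely. The following added example (not Cayosoft's code) reads the Security log size, retention mode and oldest retained event from every domain controller, flags those retaining less than 24 hours, and shows the scripted equivalent of the local Event Viewer steps above. It assumes the ActiveDirectory module and WinRM access to each domain controller; the 1 GB target size is an assumed value, not a Cayosoft recommendation.

```powershell
# Added example (not Cayosoft's code). Assumes the ActiveDirectory module and
# WinRM access to each domain controller; 1 GB is an assumed target size.
Import-Module ActiveDirectory

$retentionTargetHours = 24
$targetSizeBytes      = 1GB

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Collect size, mode and age of the oldest event from each DC in one remote call.
$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $log    = Get-WinEvent -ListLog Security
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
    [pscustomobject]@{
        MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogMode       = $log.LogMode            # Circular = "Overwrite events as needed"
        RecordCount   = $log.RecordCount
        OldestEvent   = $oldest.TimeCreated
        HoursRetained = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)
    }
}

$report |
    Select-Object PSComputerName, MaxSizeMB, LogMode, RecordCount, OldestEvent, HoursRetained |
    Format-Table -AutoSize

# A DC whose oldest retained event is younger than the target is wrapping the log
# faster than Guardian's collection window. (Ignore a DC whose log was recently
# cleared or created: the heuristic only means something once the log is full.)
$short = $report | Where-Object { $_.HoursRetained -lt $retentionTargetHours }
foreach ($entry in $short) {
    Write-Warning ("{0} retains only {1} h of Security events (log size {2} MB, mode {3})" -f
        $entry.PSComputerName, $entry.HoursRetained, $entry.MaxSizeMB, $entry.LogMode)
}

# Optional remediation: the same change as "Maximum log size" plus "Overwrite
# events as needed" in Event Viewer. Limit-EventLog is a Windows PowerShell 5.1
# cmdlet; from PowerShell 7 run "wevtutil sl Security /ms:<bytes> /rt:false" instead.
# If a GPO sets these values, change the GPO: a local change is overwritten on refresh.
if ($short) {
    Invoke-Command -ComputerName $short.PSComputerName -ScriptBlock {
        Limit-EventLog -LogName Security -MaximumSize $using:targetSizeBytes -OverflowAction OverwriteAsNeeded
    }
}
```

Run the report again after the change and after a day of normal activity: HoursRetained should then exceed 24 on every domain controller, which is the condition this section asks for.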