Change Auditor not sending AD security events


I have a forest with 2 DCs and both DCs have the agent installed. The agents are active and I can see in the overview some events from subsystem Change Auditor, service and Active Directory, but when I am disabling/enabling an account, for example, the event is not picked up by the agent. If I search in Event Viewer I can see the events.

I checked the logs folder and the logs for the AD Plug In, but I don't see any strange error there.

What is preventing the agent from picking up the events from the DCs' security logs?


  • Hi,

    Yes, I am not seeing any strange error in the logs and the agent is able to send logs to the coordinator, but not the security logs from Event Viewer. I already disabled the rule in attack surface for Windows Defender.

    It is a new domain/forest and we are connecting the DCs to the current coordinator, which is receiving logs from other domains/forests without issue.