Why do Windows Event Collector events show the Security Identifier (SID) instead of username on the Symantec Security Information Manager (SSIM)
There can be a couple causes - The computer the collector is installed on is not a member of the Domain that has the Account information. The user logged into the collector computer does not have rights to the Domain that has the Account information.
The Windows Event Collector and Windows Vista/2008 collector does have the functionality to resolve the username from the SID in events.
The collectors however are reliant upon the access the computer, or user logged into the computer that the collector is installed on has to the Domain that has the pertinent Account information.
To test the collector computers access to the domain: