Why do Windows Event Collector events show the Security Identifier (SID) instead of username on the Symantec Security Information Manager (SSIM)

 

There can be a couple causes - The computer the collector is installed on is not a member of the Domain that has the Account information. The user logged into the collector computer does not have rights to the Domain that has the Account information.

The Windows Event Collector and Windows Vista/2008 collector does have the functionality to resolve the username from the SID in events.

The collectors however are reliant upon the access the computer, or user logged into the computer that the collector is installed on has to the Domain that has the pertinent Account information.

To test the collector computers access to the domain:
 

1. Export the event from the remote Windows computer being collected from and import it into the Event Viewer of the computer that has the Event Agent and collector installed on it.
2. Then, view the event in the collector computers Event Viewer.
   • When the event shows the SID in the Event Viewer, the computer and/or the user logged into the collector computer does not have the access required to resolve the SID to the username.
   • When the event shows the username in the Event Viewer, the computer and the user logged into the collector computer does have the access required to resolve the SID to the username.