I am using Windows Event Forwarding to forward all Windows logs to a event collector machine. But, we are have a problem with SID translation. For example, for events like 4732 (A member was added to a security-enabled local group) the forwarded event contains just the SID and not showed account name.
1) Why is this happening?
2) How to fix it?