No new events are appearing in Change Auditor, even after deliberate actions are taken that would normally trigger an event.
The following error may be seen in the ChangeAuditor.Service.exe.nptlog file:
"Too many events in receive buffer"
Confirm that the Change Auditor database hasn't reached the maximum size, or that the disk it resides on hasn't run out of space.
If any recent changes were made to enable new auditing functionality, or if a new server was added for auditing, it is possible that it is contributing far more events than were expected. Generally this happens with Change Auditor for Windows File Servers, Change Auditor for Netapp, Change Auditor for EMC, Change Auditor for Exchange, or Change Auditor for AD Queries.
If so, disable that new auditing, and allow the Coordinator to work through the backlog. Re-evaluate the auditing configuration, and turn off the more chatty events. After the Coordinator has worked through the backlog, the Agent Statistics page can be useful in identifying abnormal trends in the type of events that came through.