Some User Mappings not Performed by the User-ID Agent
Created On 09/26/18 13:53 PM - Last Modified 02/23/23 01:17 AM
Symptom
- Some user mappings are not performed by the User-ID Agent.
- uadebug.log (on the User-ID Agent) displays errors similar to those shown below.
[ Info 278]: Read security log event first returns false 5 for DC <Domain controller Name>
[Error 1173]: Read security log returns error 2 on server <DC NAME>.
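To see which domain controllers produce these messages and how often, the following added example (not Palo Alto Networks code) tallies the two messages quoted above from a copy of uadebug.log. The sample lines and server names are constructed, and the patterns assume log lines of the form shown above.

```python
import re
import sys
from collections import Counter, defaultdict

# Patterns taken from the two messages quoted in the Symptom section.
# search() is used, so anything the agent writes before "[" is tolerated.
PATTERNS = {
    "first_read_false": re.compile(
        r"\[\s*Info\s+\d+\]:\s*Read security log event first returns false (\d+) for DC (\S+)"),
    "read_error": re.compile(
        r"\[\s*Error\s+\d+\]:\s*Read security log returns error (\d+) on server (\S+)"),
}

# Constructed sample lines (hypothetical server names), not real agent output.
SAMPLE_LOG = """\
[ Info 278]: Read security log event first returns false 5 for DC dc01.example.test
[Error 1173]: Read security log returns error 2 on server dc01.example.test.
[Error 1173]: Read security log returns error 2 on server DC01.example.test.
[Error 1173]: Read security log returns error 2 on server dc02.example.test.
[ Info 100]: constructed unrelated line
"""

def summarize(lines):
    """Count each message per server: {server: {kind: Counter({code: n})}}."""
    summary = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                # Drop the sentence-ending period and normalise case.
                server = m.group(2).rstrip(".").lower()
                summary[server][kind][int(m.group(1))] += 1
    return summary

def servers_with_read_errors(summary):
    """Servers that logged the Error-level message, most frequent first."""
    hits = {s: sum(k["read_error"].values()) for s, k in summary.items()}
    return sorted((s for s in hits if hits[s]), key=lambda s: (-hits[s], s))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a copy of uadebug.log
        with open(sys.argv[1], errors="replace") as fh:
            summary = summarize(fh)
    else:
        summary = summarize(SAMPLE_LOG.splitlines())
    for server in servers_with_read_errors(summary):
        for kind, codes in sorted(summary[server].items()):
            print(server, kind, dict(codes))
```

Running it again on the log after the change below shows whether the listed servers still report the error.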
Environment
- Palo Alto Firewall
- Supported PAN-OS
- User ID Agent
Resolution
Enable the option "Enable Server Session Read" on the User-ID Agent.
- Go to Setup and click "Edit"
- Set the "Enable Server Session Read" option to YES.
- Commit on the agent.
- Restart the service.
Additional Information
Note:
- Restarting the service on the User-ID Agent (UIA) will not affect the mappings that already exist on the firewall.
- However, mappings that are newly learned during the restart may be affected: they will not register with the agent in time and will need to be learned again after the service starts running.
- It is therefore suggested to restart the service during a maintenance window.