https://live.paloaltonetworks.com/t5/general-topics/intermittent-userid-syslog-parser/m-p/595449#M118501 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/185085">@NSutfin</a> ,</P> <P>Note that traffic logs are generated at the end of the session. Although the logs are generated few seconds apart, the actuall session for each log may have started minutes apart.</P> <P>&nbsp;</P> <P>Try the following:</P> <P>- Check the session start timestamp for two logs one with user-id and one without</P> <P>- Check the user-ID logs to see the timestamp when the user-to-ip mapping was created</P> <P>- Verify the mapping timeout has not expired for the two session start timestamps</P> <P>&nbsp;</P> Wed, 21 Aug 2024 09:12:07 GMT aleksandar.astardzhiev 2024-08-21T09:12:07Z https://live.paloaltonetworks.com/t5/general-topics/intermittent-userid-syslog-parser/m-p/595013#M118423 <P>Anyone see this behavior? we are using syslog parser string for userid, no logout action, timeout set to 45 minutes ( default). You can see here that a flow within the same second shows a userid and then blank with same source address. FW running 10.2.7 h-8 . Any ideas?&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NSutfin_0-1723726668467.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61539iD3004D0A83CE89BD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="NSutfin_0-1723726668467.png" alt="NSutfin_0-1723726668467.png" /></span></P> <P>&nbsp;</P> Thu, 15 Aug 2024 13:05:35 GMT https://live.paloaltonetworks.com/t5/general-topics/intermittent-userid-syslog-parser/m-p/595013#M118423 NSutfin 2024-08-15T13:05:35Z https://live.paloaltonetworks.com/t5/general-topics/intermittent-userid-syslog-parser/m-p/595449#M118501 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/185085">@NSutfin</a> ,</P> <P>Note that traffic logs are generated at the end of the session. Although the logs are generated few seconds apart, the actuall session for each log may have started minutes apart.</P> <P>&nbsp;</P> <P>Try the following:</P> <P>- Check the session start timestamp for two logs one with user-id and one without</P> <P>- Check the user-ID logs to see the timestamp when the user-to-ip mapping was created</P> <P>- Verify the mapping timeout has not expired for the two session start timestamps</P> <P>&nbsp;</P> Wed, 21 Aug 2024 09:12:07 GMT https://live.paloaltonetworks.com/t5/general-topics/intermittent-userid-syslog-parser/m-p/595449#M118501 aleksandar.astardzhiev 2024-08-21T09:12:07Z https://live.paloaltonetworks.com/t5/general-topics/intermittent-userid-syslog-parser/m-p/598131#M118979 <P>What this actually was (cut out of screenshot), was that the loss of user-id was between different device-groups within a network. As a user was moving through the network encountering several different firewalls, not all firewalls had been set up for user-id. The search that was being used was against the whole group of firewalls using the user ip address.</P> Wed, 18 Sep 2024 15:31:18 GMT https://live.paloaltonetworks.com/t5/general-topics/intermittent-userid-syslog-parser/m-p/598131#M118979 NSutfin 2024-09-18T15:31:18Z