https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17662#M12863 <HTML><HEAD></HEAD><BODY><P>I have several domain controller configurated on user identification configuration&nbsp; in a Palo Alto with 5.0.8 version. Just one of them seems to function properly and if I use the command "show user server-monitor state all" I obtain this:</P><P></P><P>Server: CD02(vsys: vsys1)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Host: xx.xx.xx.xx</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log query made&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log query failed&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log read&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1519</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; last record timestamp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1392899592</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; last record time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 20140220123312.189137-000</P><P></P><P>But all other domain controllers say this</P><P>Server: CD03(vsys: vsys1) (job 26841981)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Host: xx.xx.xx.xx</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log query made&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 166</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log query failed&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log read&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; last record timestamp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; last record time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :</P><P></P><P>The user to consults secutrity logs is the same for all domain controllers, and&nbsp; have the same rights on all of them. The only difference is that the domain controller that works is windows 2008 and the others are windows 2008 R2.</P><P></P><P>Someone has an idea of what is the problem?</P></BODY></HTML> Thu, 20 Feb 2014 12:50:27 GMT JRSanch 2014-02-20T12:50:27Z https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17662#M12863 <HTML><HEAD></HEAD><BODY><P>I have several domain controller configurated on user identification configuration&nbsp; in a Palo Alto with 5.0.8 version. Just one of them seems to function properly and if I use the command "show user server-monitor state all" I obtain this:</P><P></P><P>Server: CD02(vsys: vsys1)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Host: xx.xx.xx.xx</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log query made&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log query failed&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log read&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1519</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; last record timestamp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1392899592</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; last record time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 20140220123312.189137-000</P><P></P><P>But all other domain controllers say this</P><P>Server: CD03(vsys: vsys1) (job 26841981)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Host: xx.xx.xx.xx</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log query made&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 166</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log query failed&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; num of log read&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; last record timestamp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; last record time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :</P><P></P><P>The user to consults secutrity logs is the same for all domain controllers, and&nbsp; have the same rights on all of them. The only difference is that the domain controller that works is windows 2008 and the others are windows 2008 R2.</P><P></P><P>Someone has an idea of what is the problem?</P></BODY></HTML> Thu, 20 Feb 2014 12:50:27 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17662#M12863 JRSanch 2014-02-20T12:50:27Z https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17663#M12864 <HTML><HEAD></HEAD><BODY><P>Hi JRanch,</P><P></P><P>Please verify following things.</P><P>1. Users have all of the following permission..- I know you have mentioned users have all the permission, but please double check.</P><P style="margin-bottom: .0001pt;">&nbsp;&nbsp;&nbsp;&nbsp; Distributed com user</P><P style="margin-bottom: .0001pt;">&nbsp;&nbsp;&nbsp;&nbsp; Event log reader</P><P style="margin-bottom: .0001pt;">&nbsp;&nbsp;&nbsp;&nbsp; Server operator</P><P style="margin-bottom: .0001pt;">&nbsp;&nbsp;&nbsp;&nbsp; Domain admin</P><P style="margin-bottom: .0001pt;">&nbsp;&nbsp;&nbsp;&nbsp; WMI permission set</P><P style="margin-bottom: .0001pt;">2. Please do tcpdump on firewall for those DC, and check what information is being exchanged. This might provide info if anything is wrong at server end.</P><P style="margin-bottom: .0001pt;">3. Also run "netstat -n" continously on DC to see connection requests made by Firewall.</P><P style="margin-bottom: .0001pt;"></P><P style="margin-bottom: .0001pt;">Regards,</P><P style="margin-bottom: .0001pt;">Hardik Shah</P></BODY></HTML> Fri, 21 Feb 2014 18:14:42 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17663#M12864 hshah 2014-02-21T18:14:42Z https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17664#M12865 <HTML><HEAD></HEAD><BODY><P>I would also confirm that the Server Windows firewall settings are the same between the working and non-working servers.</P></BODY></HTML> Sat, 22 Feb 2014 16:01:00 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17664#M12865 pulukas 2014-02-22T16:01:00Z https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17665#M12866 <HTML><HEAD></HEAD><BODY><P>can you install an agent and add that DC to see if agent can monitor the users or not ?</P><P>this will make you to be sure; if the problem is related to DC or agentless system.</P></BODY></HTML> Sat, 22 Feb 2014 18:36:39 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17665#M12866 Retired Member 2014-02-22T18:36:39Z https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17666#M12867 <HTML><HEAD></HEAD><BODY><P>Hi, finally the domain controllers (windows 2008 R2) was not logging the correct events, now all DC are working.</P><P></P><P>Thanks for the help</P></BODY></HTML> Tue, 25 Mar 2014 06:46:19 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-don-t-read-security-log/m-p/17666#M12867 JRSanch 2014-03-25T06:46:19Z