topic Re: Agentless User-ID not reading Security Log on AD in General Topics

Agentless User-ID not reading Security Log on AD

stuart.l — Tue, 19 Jul 2016 01:42:41 GMT

I'm pretty new to PA so there may be something obvious that I have missed.

The issue I am having is trying to get the Agentless User-ID connecting and reading Security Logs from AD. All the users are coming up as Unknown:

show user ip-user-mapping all

 

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
 --------------- ------ ------- -------------------------------- -------------- -------------
 10.10.10.43     vsys1  Unknown unknown                          1              4
 10.10.9.16      vsys1  Unknown unknown                          2              5
 10.10.12.40     vsys1  Unknown unknown                          1              4
 10.10.0.17      vsys1  Unknown unknown                          2              5
 10.10.4.181     vsys1  Unknown unknown                          1              4

The environment is PAN 3020 7.0.8, AD on Server 2808 R2. PAN is running as a very simple Virtual Wire.

I have created the WMI Authentication user with the correct rights to AD (Distributed, COM, Event Log Readers, Server Operators) also added CIMV2 Enable Account and Remote Enable.

show user server-monitor statistics

 

Directory Servers:
Name                           TYPE     Host            Vsys    Status
 -----------------------------------------------------------------------------
 ad1.domain.name               AD      192.168.1.1     vsys1    Connected
 ad1.domain.name               AD      192.168.1.2     vsys1    Connected


Syslog Servers:
 Name                      Connection Host            Vsys    Status
 -----------------------------------------------------------------------------

One of the things that concerns me is that the number of logs read is 0:

show user server-monitor state all

 

        UDP Syslog Listener Service is disabled
        SSL Syslog Listener Service is disabled

Server: ad1.domain.name(vsys: vsys1) (job 1449)
        Host: 192.168.1.1
        num of log query made       : 462
        num of log query failed     : 0
        num of log read             : 0
        last record timestamp       : 0
        last record time            :

Server: ad2.domain.name(vsys: vsys1)
        Host: 192.168.1.2
        num of log query made       : 389
        num of log query failed     : 0
        num of log read             : 0
        last record timestamp       : 0
        last record time            :


         num of log read            : 0
         last record timestamp      : 0
         last record time           :

show user group list and show user group name <group> both give expected results from AD. If I check 'Enable Session' from within the User ID Agent setup I see some users but not all. I have run as the WMI Authentication as a Domain Admin with the same results. I have checked the domain controllers and both have multiple 4624, 4768, 4769 events in the last hour but no 4770.

Can any one point me in another direction of things to test?

Re: Agentless User-ID not reading Security Log on AD

reaper — Tue, 19 Jul 2016 08:46:02 GMT

did you make sure succesful logon auditing is enabled on the Active Directory? by default this is turned off so there aren't any logs to read:

Re: Agentless User-ID not reading Security Log on AD

stuart.l — Tue, 19 Jul 2016 23:26:03 GMT

Thanks for the reply reaper. Yes I have both the 'Audit account logon events' and 'Audit logon events' logging success. I have verified these in the logs; 4624 is a 'logon event' and 4768 is an 'account logon'. I confirmed these events by running event viewer remotely using the account set for WMI Authentication.

I have also now updated the unit to 7.1.3 but still can't find the cause of the logs not being read.

Re: Agentless User-ID not reading Security Log on AD

stuart.l — Wed, 20 Jul 2016 00:35:06 GMT

Fixed....

The system date was incorrect.

I'll shut the door on the way out.

Re: Agentless User-ID not reading Security Log on AD

MohammedShanawazuddin — Tue, 24 May 2022 17:11:53 GMT

Hi,

I was also facing the same issue, it was using the public DNS and when I change to the internal DNS to AD.

Start working fine.

Re: Agentless User-ID not reading Security Log on AD

Yoekleng — Wed, 25 May 2022 06:21:22 GMT

Hi, we are facing same issue on AD:2019 and PAN OS 10.1.5h1, we check it already time sync all system but it still not get user-id mapping. We still get unknown. Could you pls explain more about your solutions?