topic Re: Windows User-ID agent not collecting mapping in General Topics

Windows User-ID agent not collecting mapping

LucasCroce — Wed, 02 Jun 2021 15:51:16 GMT

I'm working on getting a Windows User-ID agent set up for a customer and it's not collecting logs. Checked all permisssions and service account user is in Event Log Readers and has permissions to both the install folder and registry entries. Just as a test, I had the customer add the service account to the domain admins group and the user mapping started populating immediately. Any permissions that I'm missing? If not, what could be wrong on the AD side preventing Event Log Readers from viewing the logs?

Re: Windows User-ID agent not collecting mapping

OtakarKlier — Wed, 02 Jun 2021 15:54:32 GMT

Hello,

Check out this article. My guess is something might have been missed/overlooked?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC

Once thing we found that worked better for us were using the Exchange logs instead. Outlook is always hitting Exchange and authenticating, so if a user moves their laptop or goes wireless, its a faster transition on the firewall side of things.

Regards,

Re: Windows User-ID agent not collecting mapping

LucasCroce — Wed, 02 Jun 2021 15:57:44 GMT

Went over that document already. Nothing missed as far as I can tell.

Re: Windows User-ID agent not collecting mapping

OtakarKlier — Wed, 02 Jun 2021 16:23:45 GMT

Hello,

Is the service that is running the user-id agent set to run as the user/service account you setup to allow it grab logs from a DC?

Just grasping at straws, but it seems as an authentication/authorization issue.

Regards,

Re: Windows User-ID agent not collecting mapping

LucasCroce — Wed, 02 Jun 2021 16:31:36 GMT

You mean is the user configured in the user-id agent the same one in the "event log readers" group? Yes. The user configured in the agent has been added to the group, is permitted to log on as a service, has rights to the PAN folder under Program Files (x86), and has rights to the PAN registry entries listed. Like I said originally, all permissions and groups and things associated with the service account user were double and triple checked.

EDIT: You are absolutely right though that this is an authorization issue because like I said adding the same user to Domain Admins makes it work. I've done dozens of user-id installs before and this is the first time I've had it not work when all documented permissions where in place.

Re: Windows User-ID agent not collecting mapping

OtakarKlier — Wed, 02 Jun 2021 16:35:38 GMT

Hello,

Sorry for not making myself clear, I meant the windows service:

If that doesnt work, I'd say open a support case since you already went through everything.

Regards,

Re: Windows User-ID agent not collecting mapping

LucasCroce — Wed, 02 Jun 2021 16:39:20 GMT

Oh, I'll double check that but I'm pretty sure that is the case as the agent stops and starts correctly.

Re: Windows User-ID agent not collecting mapping

Mick_Ball — Wed, 02 Jun 2021 16:41:04 GMT

doesn't this account require access to the security logs and not the event logs? or did i misread here...?

Re: Windows User-ID agent not collecting mapping

LucasCroce — Wed, 02 Jun 2021 16:46:37 GMT

Misread I think. I was talking about adding the user to the "event log readers" group as mentioned in documentation.

Re: Windows User-ID agent not collecting mapping

Mick_Ball — Wed, 02 Jun 2021 17:04:17 GMT

on the AD side have you matched this criteria..?

Must be a member of Event Log Readers, Server Operators, and Distributed COM.

Re: Windows User-ID agent not collecting mapping

LucasCroce — Wed, 02 Jun 2021 17:12:47 GMT

Yes, the user is in those groups.

Re: Windows User-ID agent not collecting mapping

Mick_Ball — Wed, 02 Jun 2021 17:16:27 GMT

Hmm odd,,, i will double check mine in the morning as we have 4 agents hammering away nicely on both windoze servers and local.

are your agents on servers or local....????

Re: Windows User-ID agent not collecting mapping

LucasCroce — Wed, 02 Jun 2021 17:18:42 GMT

Agents installed on Windows Servers. They connect to the firewall fine. Services start and stop fine. DCs are populated in the interface. Just no user mappings. I think I'll recommend this customer contact TAC.

Re: Windows User-ID agent not collecting mapping

Mick_Ball — Thu, 03 Jun 2021 09:37:23 GMT

OK just FYI,,, we had to add add user rights "Manage auditing and security log" to the service account for this to work but cant remember exactly why as it was a while ago...

Re: Windows User-ID agent not collecting mapping

LucasCroce — Thu, 03 Jun 2021 12:15:29 GMT

You mean under "User Rights Assignment" in group policy? I already thought of that and tried it. It didn't appear to work. Customer opened a case yesterday. We'll see what support says.

Re: Windows User-ID agent not collecting mapping

RyanAugustine — Tue, 23 Jan 2024 16:44:14 GMT

Adding to an old thread due to Google search results. My solution was someone had enabled an advanced audit policy in the default domain controllers GPO, which in turn disables the basic audit policies. I followed https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations to enable the recommended audit settings, ran gpupdate on all DCs, and the User-ID agent started pulling logs from the DCs again.