Definitely followed the document. My service-account is part of "event log readers" and "server operators." As said before, the User-ID agent works fine with domain controllers. Something is odd with the connection to Exchange servers.
I sat down and worked with my Exchange admin. He added my service account to the Exchange server's local "event log readers" group. Bam, user-ID agent is now connected. I haven't dug through the data yet but at least it resolves the error I was receiving. Hope this helps.
The documentation for the built-in PAN-OS user-ID agent appears to be incomplete. Here is what I had to do in order to get it to work for our Exchange 2010 CAS servers:
I did not have to add the service account to the domain "Server Operators" or "Domain Admins" groups or local "Power Users" or "Administrators" groups as I have seen suggested in some places.
The second step appears to be the sticky part as the documentation just says to add the user to the built-in groups. Many probably (and I did) assume that means the groups that are built into the Active Directory domain. While membership in those Active Directory groups is in fact required in order to have the built-in user-ID agent successfully monitor Active Directory domain controllers, membership in those groups does not grant that same membership in the local group equivalents on other domain member servers, including Exchange servers.
So, if you want the built-in user-ID agent to monitor both domain controllers and Exchange CAS servers, it has to be a member of both the domain "Event Log Readers" and "Distributed COM Users" groups and the same local group equivalents on the Exchange CAS servers themselves.
I hope this helps others.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!