Agentless User-ID Error failed to parse security log buf

77466
Created On 09/26/18 13:51 PM - Last Modified 06/03/23 04:01 AM


Symptom


Agentless User-ID uses WMI to connect directly from the Palo Alto Networks firewall to one or more AD servers and read the user-to-IP mapping information from their security logs. On some older servers (for example, Windows 2003), the memory allocation for WMI may be constrained, which prevents the firewall from parsing the server security logs. This situation also causes server monitor disconnects on the Palo Alto Networks device, and system alerts are generated:

2014/10/02 10:20:32 high     userid         connect 0  User-ID server monitor ilija-dc1(vsys2)

2014/10/02 10:20:35 info     userid         connect 0  User-ID server monitor ilija-dc1(vsys2): connected to 192.168.121.23


The following error appears in the "useridd.log" file on the Palo Alto Networks device at the info level:

Warning: pan_user_id_win_log_parse(pan_user_id_win.c:1054): failed to parse security log buf.


At debug level, the "useridd.log" shows the Windows error code 0x8004106C:

WBEM_E_QUOTA_VIOLATION

2147749996 (0x8004106C)

WMI is taking up too much memory. This can be caused by low memory availability or excessive memory consumption by WMI.

For more information, refer to: WMI Error Constants (Windows)



Resolution


One possible fix is to increase the memory allocation for the WMI process on the AD server by following these steps:
  1. Run wbemtest from a command prompt:
    C:\Users\Administrator>wbemtest
  2. Click Connect.
  3. Change the namespace from "root\cimv2" to "root" and click Connect.
  4. Click Open Instance.
  5. Specify the class name as "__ProviderHostQuotaConfiguration=@".
  6. Filter the output by selecting "Local Only" from Properties.
  7. Change the MemoryPerHost value to something greater (in this case 512 MB).
  8. Click Save Property.
  9. Click Save Object.
  10. Click Exit.

Note: Make sure the value is chosen properly and, if possible, in consultation with the Windows domain administrator, following best practices and guidelines from Microsoft.
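The same change can be made and verified from a shell instead of clicking through wbemtest. The script below is an added example, not part of this article or of Palo Alto Networks or Microsoft tooling; it assumes an elevated PowerShell session on the AD server and uses the 512 MB figure from the steps above as its target.

```powershell
# Added example (not from the KB article): inspect and raise the WMI MemoryPerHost
# quota, which is the same object the wbemtest steps above edit interactively.
# Assumes an elevated PowerShell session on the AD server. Record the current
# values before changing anything and agree the target with the domain admin.

$TargetBytes = 512MB   # 536870912 bytes, the value used in the article

# The quota object lives in the "root" namespace, not the default root\cimv2
$quota = Get-WmiObject -Namespace 'root' -Class '__ProviderHostQuotaConfiguration'

"Current MemoryPerHost : {0:N0} bytes ({1} MB)" -f $quota.MemoryPerHost,  ($quota.MemoryPerHost  / 1MB)
"Current MemoryAllHosts: {0:N0} bytes ({1} MB)" -f $quota.MemoryAllHosts, ($quota.MemoryAllHosts / 1MB)

if ($quota.MemoryPerHost -ge $TargetBytes) {
    "MemoryPerHost is already at or above the target; nothing changed."
}
else {
    # MemoryAllHosts is the ceiling for all provider hosts together; a per-host
    # quota above it cannot actually be used, so flag that before writing.
    if ($TargetBytes -gt $quota.MemoryAllHosts) {
        Write-Warning "Target exceeds MemoryAllHosts; review that quota with the domain admin first."
    }

    $quota.MemoryPerHost = $TargetBytes
    $quota.Put() | Out-Null      # equivalent of Save Property / Save Object in wbemtest

    # Read the object back to confirm the new quota was persisted
    $check = Get-WmiObject -Namespace 'root' -Class '__ProviderHostQuotaConfiguration'
    "New MemoryPerHost     : {0:N0} bytes ({1} MB)" -f $check.MemoryPerHost, ($check.MemoryPerHost / 1MB)
}
```

After the change, watch the firewall's useridd.log and the server monitor status to confirm the "failed to parse security log buf" warnings stop; if they persist, the quota was not the limiting factor.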

Additional details from Microsoft about this issue can be found at: http://social.technet.microsoft.com/wiki/contents/articles/6563.configmgr-sccm-how-to-increase-wmi-default-memory-allocation.aspx

owner: djipp



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltXCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail