Best Way to use User-ID Agent.


L3 Networker

Hey everyone,

I have been bashing my head on how I can cleanly use the User-ID agent. I wanted to stop WMI or even exclude internal VLANs as I thought it was used just for VPN. But it's not; it's used to map source user info in the log files of the firewalls...

Thing is, when I have it enabled it probes everything! Gateways, iPhones, S4s, iPads, etc. If I exclude the internal VLANs or disable WMI probing it will stop the multiple DCOM errors from failed WMI probes.

My user agent version is 5.0.3-4

My support guy suggested that I try changing the internal VLAN range to just the DHCP pool range, but it still probes iPhones and S4s and other non-Windows devices and creates a DCOM 10009 on my member server.

This is driving me crazy. I still want user source info to work on the firewall logs, but I want to stop the constant DCOM errors flooding my member server event log.

I don't want to manually specify each device and exclude it (way too much work), and then it won't work with mobile devices because once the DHCP lease ends it will get a new IP and this idea falls apart anyway.

What can I possibly do to keep source user info in my firewall logs and not get an insane amount of DCOM errors? Just to note, in 4 months we got 160,000 DCOM errors in the event log.

Any and all suggestions are appreciated.

8 REPLIES

Retired Member
Not applicable

Have you seen this doc yet?

User-ID Best Practices - PAN-OS 5.0, 6.0

This outlines several options for mapping users to IPs. In particular, if you have an AD environment I would consider the security log reading method over WMI if you want to avoid the inherent chattiness of probing. There are other options as well, such as using MS Exchange or, if running 6.0.x, using syslog for ip-user mappings.

-Richard

Thank you so much for your response!

I have not seen that one specifically, I did catch a different one, but I'll review the link you provided. And will post my results, or my solution to help resolve the issue.

Also, I attempted to look for the latest User-ID agent; there was no update option on the agent itself, and I wasn't able to find anything in the firewall web interface. Where does one grab the latest agent? And is there something required to be configured on the Palo Alto for the latest version to work?

Thanks again!

Hello Zewwy,

Please refer to the link below to upgrade the User-ID agent to the latest version:

How to Upgrade User-ID Agent?

Thanks,

Jahnavi

I was able to find where to get the latest agent, and how to update, which is nice...

But I can't for the life of me figure out how to get user-to-IP mappings done without WMI probing enabled.

I realized once I finished reading the Best Practices PDF that I have read that PDF before, but it's all "Here's what it can do" but not "Here's how to set up each way".

I made a change to the service account that was supposed to be used to map IP to user by checking the Security Log monitor, and this account was missing the "Event Log Readers" membership.

I will once again disable WMI probing and will report back if mappings are still working without WMI probing (hope so); these DCOM errors are so annoying.

Thanks guys!

Do you have the agent running directly on an AD server? If so, we normally recommend that the agent be running on a different server. Just a second Windows server that you can install the agent on.

As far as WMI probing, this is just one of the many ways to find out the identity of the IP in question.

If you cannot get it going without WMI probing, then it sounds like the 2-3 tokens that it is looking for are not there. In other words, you may not be logging whenever a user logs into the network or unlocks their machine. Those entries should be recorded and then the IP should be showing up associated with that username. I thought that information was inside of those other guides listed here, but apparently not.

Maybe we can get that going for you and then you can turn off WMI probing.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Yeah I did read up on that in there somewhere, and it is not running directly on a DC, but on a regular member server. Always good to double check when helping others. So that one is a check.

I noticed that the Security Log monitoring was checked off, but I had assumed (my bad), he would have placed the service account he created to be a member of "Event Log Readers" as stated in the PDF. Which the service account was not a member of, it was just part of administrators, I figured this would have been enough for it to read the security logs....

If it's the case that we are not logging those events in our environment, then that will be something else I'll have to look into...

So my guess is that our system is not set up to log whenever a user logs in or unlocks their machine, because sure enough there is no user source in our logs on the Palo Altos again, even though Event log monitoring is enabled and the user agent is set up with all appropriate rights.

I'm looking into how to make the change on our DCs to log logins and unlocks to help with this.

Could you explain what you mean by 2-3 tokens?

Thanks again for all the suggestions!

So I checked our DCs' Security Log and I can see all the audits from lsass. Thing is, they are all appearing as Audit Failures; even network share usage shows up (when people access files on the file shares), but they also appear as Audit Failures.

I created a technet question about it to hopefully get some clarification on what's going on with these failures. Do you think this could be a reason why the event log mapping isn't working?

Here's the link to my technet question.

Yes, that would be why the WMI probing is working while the User-ID functions are not. If the wrong tokens are showing up, then there is no way for the agent to register IP to Username.

Please let us know if this helps.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
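
The check the thread converges on (are the domain controllers recording successful logon audits that security-log monitoring can read, or only Audit Failures?) can be scripted. The PowerShell below is an added example, not posted by anyone in the thread and not Palo Alto Networks code. The function name and sample records are constructed for illustration, and the event ID list is an assumption based on the logon and Kerberos events documented for Windows Server 2008 and later.

```powershell
# Added example; not from the thread or from Palo Alto Networks.
# Assumption: these are the logon/Kerberos event IDs that security-log
# monitoring reads on Windows Server 2008 and later.
$LogonEventIds = 4624, 4768, 4769, 4770

# Hypothetical helper: tally Audit Success vs Audit Failure per event ID.
function Get-LogonAuditSummary {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]   # an empty log slice is a valid (and telling) input
        [object[]] $Events
    )
    foreach ($id in $LogonEventIds) {
        $hits = @($Events | Where-Object { $_.Id -eq $id })
        $ok   = @($hits | Where-Object { $_.KeywordsDisplayNames -contains 'Audit Success' }).Count
        $fail = @($hits | Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' }).Count
        [pscustomobject]@{
            EventId      = $id
            AuditSuccess = $ok
            AuditFailure = $fail
            # Assumption: a mapping needs at least one successful audit of this event.
            Mappable     = ($ok -gt 0)
        }
    }
}

# Constructed sample records shaped like Get-WinEvent output (not real log data).
# They mimic the situation described above: events present, but only as failures.
$sample = @(
    [pscustomobject]@{ Id = 4624; KeywordsDisplayNames = @('Audit Failure') }
    [pscustomobject]@{ Id = 4768; KeywordsDisplayNames = @('Audit Failure') }
    [pscustomobject]@{ Id = 4768; KeywordsDisplayNames = @('Audit Failure') }
    [pscustomobject]@{ Id = 4769; KeywordsDisplayNames = @('Audit Success') }
    [pscustomobject]@{ Id = 5140; KeywordsDisplayNames = @('Audit Failure') }  # file share, ignored
)
Get-LogonAuditSummary -Events $sample | Format-Table -AutoSize

# Live use on a DC, from an elevated session or an account in "Event Log Readers":
# $live = @(Get-WinEvent -FilterHashtable @{
#             LogName = 'Security'; Id = $LogonEventIds
#             StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue)
# Get-LogonAuditSummary -Events $live | Format-Table -AutoSize
```

Running the live variant under the User-ID service account itself also confirms that the account can read the Security log at all.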