Server Monitoring Not Connected

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Server Monitoring Not Connected

L4 Transporter

Hello,

 

Microsoft AD under Server Monitoring is showing as 'not connected.'

We would like to use the PAN-OS Integrated User-ID Agent

Output from debug commands show UserID Debug Log is enabled but nothing is logging.

 

Anyone encountered similar issue?

 

1 accepted solution

Accepted Solutions

Yes...PA TAC assisted us in resolving the issue. Below is the case notes.

 

> less mp-log useridd.log

 

Looking at User-ID logs, there were repeated logs:
2019-04-23 12:36:36.704 +1000 Error: pan_user_id_win_log_query(pan_user_id_win.c:1364): log query for sydcwdc01.mainstreambpo.local failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
2019-04-23 12:36:36.704 +1000 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1055): WMIC message from server sydcwdc01.mainstreambpo.local: NTSTATUS: NT code 0x80041003 - NT code 0x80041003

WMI error code 0x80041003 indicates the account does not have permission.
https://docs.microsoft.com/en-gb/windows/desktop/WmiSdk/wmi-error-constants

Please check that the service account (mainstreambpo\palocw) is member of Event Log Readers and Distributed COM Users

Some useful commands related to User-ID:
- Restart User-ID service: debug software restart process user-id
- View server monitor statistics: show user server-monitor statistics

 

Other than the group membership of service account, kindly also check the WMI permission in every DC server being used under Server Monitoring. This WMI permission is local configuration (not replicated).

Agentless User-ID 'Access Denied' Error In Server Monitor
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC

 

We checked that we have given all the correct permissions on the WMI side for all our DCs. 
We asked for a trace to run to figure out what exactly its failing on when it accesses the AD side of things.

 

PA TAC provided us the following.

 

Provided that the WMI permissions are set, can you test to do WMI remote connection using wbemtest?
1. In any windows client (domain member), run wbemtest
2. Default namespace is 'root\cimv2', please change to '\\<dcservername>\root\cimv2'
3. Provide username and password (firewall service account), then click Connect
4. Observe if there is error message when wbemtest is trying to connect to DC server

Link: https://blogs.technet.microsoft.com/configmgrdogs/2014/08/20/test-your-collection-wql-queries-using-...

 

This fixed the issue!

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

did you follow this guide?:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Yes, but still no luck.

Hello, 

 

Did you find the solution for this issue?

 

 

Yes...PA TAC assisted us in resolving the issue. Below is the case notes.

 

> less mp-log useridd.log

 

Looking at User-ID logs, there were repeated logs:
2019-04-23 12:36:36.704 +1000 Error: pan_user_id_win_log_query(pan_user_id_win.c:1364): log query for sydcwdc01.mainstreambpo.local failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003
2019-04-23 12:36:36.704 +1000 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1055): WMIC message from server sydcwdc01.mainstreambpo.local: NTSTATUS: NT code 0x80041003 - NT code 0x80041003

WMI error code 0x80041003 indicates the account does not have permission.
https://docs.microsoft.com/en-gb/windows/desktop/WmiSdk/wmi-error-constants

Please check that the service account (mainstreambpo\palocw) is member of Event Log Readers and Distributed COM Users

Some useful commands related to User-ID:
- Restart User-ID service: debug software restart process user-id
- View server monitor statistics: show user server-monitor statistics

 

Other than the group membership of service account, kindly also check the WMI permission in every DC server being used under Server Monitoring. This WMI permission is local configuration (not replicated).

Agentless User-ID 'Access Denied' Error In Server Monitor
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk0CAC

 

We checked that we have given all the correct permissions on the WMI side for all our DCs. 
We asked for a trace to run to figure out what exactly its failing on when it accesses the AD side of things.

 

PA TAC provided us the following.

 

Provided that the WMI permissions are set, can you test to do WMI remote connection using wbemtest?
1. In any windows client (domain member), run wbemtest
2. Default namespace is 'root\cimv2', please change to '\\<dcservername>\root\cimv2'
3. Provide username and password (firewall service account), then click Connect
4. Observe if there is error message when wbemtest is trying to connect to DC server

Link: https://blogs.technet.microsoft.com/configmgrdogs/2014/08/20/test-your-collection-wql-queries-using-...

 

This fixed the issue!

  • 1 accepted solution
  • 35920 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!