10-21-2015 07:18 PM - edited 10-21-2015 07:20 PM
Hi All,
This is my first time posting, so if I am doing it wrong, please let me know. I have attempted to find relevant documentation, but nothing I have found actually seems to describe my issue.
I had a request for an activity report for a user to be generated today - normally this process is quite easy and issue free; this time however, when I entered the domain account associated with the user in the User Activity Report 'Add' dialogue, it did not auto complete like it normally does.
I persisted with the report, and clicked 'Run Now' and sure enough, there was no data in the report.
I did write a filter which mimicked my User Activity Report parameters in the URL Filtering dialogue and it returned results,
e.g. ( user.src eq 'username' ) and ( receive_time geq '2015/10/22 08:30:00' ) and ( receive_time leq '2015/10/22 10:30:00' )
Thanks in advance,
Brad
EDIT: Spelling
10-22-2015 07:13 AM - edited 10-22-2015 12:32 PM
There could be a couple of explanations:
1-does this same report work for another user name?
2-are you sure that this user is generating traffic during that time period?
...(sometimes make sure it is a large enough time period first)
3 - spelling counts - this is often my mistake
4 - it may be that however the user is accessing the LAN/WAN/Internet user-ID is not catching them
...(so is it a standard desktop etc that others use for same purpose-and User-ID grabs their traffic)
the document you may want to peruse is User-ID Best Practices
https://live.paloaltonetworks.com/t5/Configuration-Articles/User-ID-Best-Practices-PAN-OS
10-22-2015 11:47 AM
Instead of using a filter, how about using the predefined Source User or Destination user fields?
Just a thought...
10-22-2015 03:08 PM
1-does this same report work for another user name?
Yes, it does.
2-are you sure that this user is generating traffic during that time period?
...(sometimes make sure it is a large enough time period first)
As per my original post, I can write a URL Filtering filter for the same period and user and get results.
3 - spelling counts - this is often my mistake
I have checked and double checked, and even copied the name from my URL Filtering filter which did return results for that user in the same time period.
4 - it may be that however the user is accessing the LAN/WAN/Internet user-ID is not catching them
...(so is it a standard desktop etc that others use for same purpose-and User-ID grabs their traffic)
If that was the case, I would not have gotten any results in the URL Filtering, but I did.
Brad
10-22-2015 03:11 PM
Actually, I have just tried the exact same report this morning and it has worked now.
I didn't change its settings either.
Is there some sort of propagation time for the logs required for activity reports?
Brad
10-22-2015 03:30 PM
well there is often a short lag
it is not real-time but usually not that bad
often referred to as Near-time
some of the ACC and reporting can be as much as 15 minutes behind
that being said I have heard some stories of issues with logs taking an hour up to several hours
but these were generally associated with reporting from FW to Panorama
and/or something to do with an older version of VMWare
glad it actually works now tho