User Activity Report - Username not available for report

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User Activity Report - Username not available for report

Hi All,
 
This is my first time posting, so if I am doing it wrong, please let me know. I have attempted to find relevant documentation, but nothing I have found actually seems to describe my issue.
 
I had a request for an activity report for a user to be generated today - normally this process is quite easy and issue free; this time however, when I entered the domain account associated with the user in the User Activity Report 'Add' dialogue, it did not auto complete like it normally does.

I persisted with the report, and clicked 'Run Now' and sure enough, there was not data in the report.
 
I did a write a filter which mimicked my User Activity Report parameters in the URL Filtering dialogue and it returned results
    e.g. ( user.src eq 'username' ) and ( receive_time geq '2015/10/22 08:30:00' ) and ( receive_time leq '2015/10/22 10:30:00' )

Thanks in advance,
 
Brad

EDIT: Spelling

5 REPLIES 5

L4 Transporter

There could be a couple explanations

 

1-does this same report work for another user name

2-are you sure that this user is generating traffic during that time period?

...(sometimes make sure it is a large enough time period first)

3 - spelling counts - this is often my mistake

4 - it may be that however the user is accessing the LAN/WAN/Internet user-ID is not catching them

...(so is it a standard desktop etc that others use for same purpose-and User-ID grabs their traffic)

 

the document you may want to peruse is User-ID Best Practices

https://live.paloaltonetworks.com/t5/Configuration-Articles/User-ID-Best-Practices-PAN-OS

 

Cyber Elite
Cyber Elite

Instead of using afilter, how about using the predefined Source User or Destination user fileds?

 

Just a thought...

1-does this same report work for another user name

      Yes, it does.

 

2-are you sure that this user is generating traffic during that time period?

...(sometimes make sure it is a large enough time period first)

      As per my original post, I can write a URL Filtering filter for the same period and user and get results.

 

3 - spelling counts - this is often my mistake

      I have checked and double checked, and even copied the name from my URL Filtering filter which did return results for that user in the same time period.

 

4 - it may be that however the user is accessing the LAN/WAN/Internet user-ID is not catching them

...(so is it a standard desktop etc that others use for same purpose-and User-ID grabs their traffic)

      If that was the case, I would not have gotten any results in the URL Filtering, but I did.

Brad

Actually, I have just tried the exact same report this morning and it has worked now.

 

I didn't change its settings either.

 

Is there some sort of propogation time for the logs required activity reports?

Brad

well there is often a short lag

it is not real-time but usually not that bad

often referred to as Near-time

 

some of the ACC and reporting can be as much as 15 minutes behind

 

that being said I have heard some stories of issues with logs taking an hour up to several hours

but these were generally associated with reporting from FW to Panorama

and/or something to do with an older version of VMWare

 

glad it actually works now tho

  • 3361 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!