09-30-2018 01:09 PM
These errors just don't make sense to me, I have followed everything as required.
I am currently doing this in my lab and I'm stuck with this error about permissions. I have given permissions for event log readers, server operators and distributed com users.
Any ideas on what's missing?
I have installed the agent on win7 and the AD is on win srv 2012.
09/30/18 23:59:40:445[ Info 2145]: ------------Service is being started------------
09/30/18 23:59:40:445[ Info 2152]: Os version is 6.1.1.
09/30/18 23:59:40:445[ Info 608]: Load debug log level Info.
09/30/18 23:59:40:445[ Info 557]: Service version is 8.0.10.7.
09/30/18 23:59:40:445[ Info 611]: Product version is 8.0.10.
09/30/18 23:59:40:460[ Info 1132]: Found 0 ACL config. 0 processed.
09/30/18 23:59:40:460[ Info 1160]: Found 0 VM info source config. 0 processed.
09/30/18 23:59:40:460[ Info 1168]: Found 0 Syslog Profile(s) config.
09/30/18 23:59:40:460[ Info 1230]: Found 1 server config.
09/30/18 23:59:40:460[ Info 1265]: Found 0 include-exclude networks. 0 processed.
09/30/18 23:59:40:460[ Info 1290]: Found 0 custom log format config.
09/30/18 23:59:40:460[ Info 1297]: No xml element servercert.
09/30/18 23:59:40:460[ Info 148]: Load 8 build-in formats and 0 custom formats for parsing security log.
09/30/18 23:59:40:460[ Info 345]: DC security log and session query threads for server dc.akmlab.com(index 0) are started.
09/30/18 23:59:40:460[ Info 707]: Active Directory gets started.
09/30/18 23:59:40:460[ Info 742]: User-ID VM monitor service started.
09/30/18 23:59:40:460[ Warn 923]: Unsupported file format for UserIpMap.txt. We support ANSI and UTF-8 format.
09/30/18 23:59:40:913[Error 115]: Cannot open security log for DC dc.akmlab.com - A required privilege is not held by the client.
09/30/18 23:59:41:084[ Info 1241]: New connection 127.0.0.1 : 57678.
09/30/18 23:59:41:084[ Info 1314]: Device thread 0 with 127.0.0.1 : 57678 is started.
09/30/18 23:59:41:178[ Info 3396]: Device thread 0 accept finished
06-14-2021 08:38 AM
I am now receiving these same errors in my logs. All of a sudden as of yesterday, my user ID agent stopped successfully connecting to my domain controllers with the following errors:
06/14/21 10:36:35:994[ Warn 1167]: Unsupported file format for MachineIpMap.txt. We support ANSI and UTF-8 format.
06/14/21 10:36:36:103[Error 115]: Cannot open security log for DC fqdn.of.dc - The requested operation is not supported.
06-14-2021 10:42 AM
We had the same problem last week. It was due to our DCs getting the June 2021 patch and our Windows based User-ID agent not having the patch yet. Once I applied the same patch to the User-ID agent server, they connected.
06-14-2021 12:05 PM
Thank you Bobby Hiers! Looks like the June 2021 windows patch was the culprit. I have to update my case with Palo - they should look into this with Microsoft.
06-14-2021 02:07 PM
Thanks for this note. We woke up to this same issue after our DCs were patched to the June 2021 update but server running User-Id agent was not. Installing the patch on the user-id server and rebooting fixed the issue.
06-15-2021 09:51 AM
Having the same issue. Is the patch on the support software updates section? I am seeing broke version 9.1.2.9
06-15-2021 12:26 PM
I don't think PA has a patch just yet, although they might. If they do, their client support rep didn't mention it to me, he only pointed me in the direction of the documentation where MS and PA recognize this issue. I am on version 10.0.0-30 of the UserID agent and the issue appeared after both member servers hosting the UID agent took the June 2021 Monthly Sec updates while the DCs that the agents communicated with did not.
06-15-2021 12:29 PM
I have a ticket in since this morning and it's still in queue. Can anyone confirm there is some sort of hot fix or know what the technical issue is that is causing this?
This is really a mess.
06-15-2021 04:16 PM
Hi Pete,
We were able to fix this by upgrading the windows server with the 2021-06 (june) standalone update. After patch was installed and a reboot, the agent was able to connect to all of the updated domain controllers that recently got the same patch over the weekend.
Hope this helps.
06-15-2021 09:35 PM
Wow, a random issue I faced while playing around in a lab is now exploding in the wild 2 yrs later!
06-16-2021 06:04 AM
Thanks for the help, guys.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Vcg
06-16-2021 06:09 AM
Do you know which KB it was?
06-16-2021 06:16 AM
I think it is KB5003671 but might depend on your host OS.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Vcg
I am running different OSes for my user agent servers and my DCs, so I just made sure they both had the June 2012 security patches.
Not sure if this whole thing was a bug or some communication I missed.
06-21-2021 03:08 PM
I am also having this issue. In my instance, my User-ID agent server was patched with the June 2021 updates and the main data center DCs were patched, which are working fine. However, our facility DCs have not been patched and I'm getting the below error.
Error: OpenEventLog failed for DC (the requested operations is not supported.
All of the DCs throwing this error are stuck in a "connecting" state.
06-21-2021 06:00 PM
The DCs and devices you have the user agent service on need to have that same patch loaded.
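As an added example (not part of the thread, and not Palo Alto Networks code): a small triage script for the User-ID agent debug log that groups the `Cannot open security log for DC` errors quoted above by domain controller and reason. The hint texts restate what posters in this thread reported and are assumptions, as are the constructed sample lines and placeholder host names.

```python
import re

# Layout seen in the thread's logs: "MM/DD/YY HH:MM:SS:mmm[ Level code]: message"
LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})"
                     r"\[\s*(?P<level>\w+)\s+(?P<code>\d+)\]:\s*(?P<msg>.*)$")
FAIL_RE = re.compile(r"^Cannot open security log for DC (?P<dc>\S+) - (?P<reason>.+)$")

# Reason text -> what this thread associates it with (forum reports, not vendor guidance).
HINTS = {
    "The requested operation is not supported.":
        "patch mismatch: compare the June 2021 Windows update on agent host and DC",
    "A required privilege is not held by the client.":
        "privilege: review the agent service account's rights on the DC (assumption)",
}

def triage(lines):
    """Map each failing DC to its latest reason, a hint, a count and last timestamp."""
    out = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] != "Error":
            continue  # skip Info/Warn lines and anything not in the agent log layout
        f = FAIL_RE.match(m["msg"])
        if not f:
            continue  # an Error line, but not a DC security-log open failure
        e = out.setdefault(f["dc"], {"count": 0})
        e["count"] += 1
        e.update(reason=f["reason"], last_seen=m["ts"],
                 hint=HINTS.get(f["reason"], "unclassified: read the reason text"))
    return out

# Constructed sample lines in the thread's format; host names are placeholders.
SAMPLE = [
    "06/14/21 10:36:35:994[ Warn 1167]: Unsupported file format for MachineIpMap.txt. We support ANSI and UTF-8 format.",
    "06/14/21 10:36:36:103[Error 115]: Cannot open security log for DC dc1.example.test - The requested operation is not supported.",
    "06/14/21 10:36:41:210[Error 115]: Cannot open security log for DC dc1.example.test - The requested operation is not supported.",
    "06/14/21 10:36:36:150[Error 115]: Cannot open security log for DC dc2.example.test - A required privilege is not held by the client.",
    "06/14/21 10:36:36:200[Error 115]: Cannot open security log for DC dc3.example.test - The RPC server is unavailable.",
    "06/14/21 10:36:37:000[ Info 1241]: New connection 127.0.0.1 : 57678.",
]

if __name__ == "__main__":
    for dc, e in sorted(triage(SAMPLE).items()):
        print(f"{dc}: x{e['count']} last {e['last_seen']} -> {e['hint']}")
```

Feed it the lines of the agent's debug log in place of `SAMPLE`; DCs that share the "not supported" reason are the ones to compare for patch level against the agent host.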