User-ID Agent - [Error 115]: Cannot open security log for DC..

cancel
Showing results for 
Search instead for 
Did you mean: 

User-ID Agent - [Error 115]: Cannot open security log for DC..

L1 Bithead

These errors just don't make sense to me, I have followed everything as required.

 

I am currently doing this in my lab and I'm stuck with this error about permissions, I have given permisions for event log readers, server operators and distributed com users.

 

Any ideas on what's missing?

 

I have installed the agent on win7 and the AD is on win srv 2012.

 

09/30/18 23:59:40:445[ Info 2145]: ------------Service is being started------------

09/30/18 23:59:40:445[ Info 2152]: Os version is 6.1.1.

09/30/18 23:59:40:445[ Info 608]: Load debug log level Info.

09/30/18 23:59:40:445[ Info 557]: Service version is 8.0.10.7.

09/30/18 23:59:40:445[ Info 611]: Product version is 8.0.10.

09/30/18 23:59:40:460[ Info 1132]: Found 0 ACL config. 0 processed.

09/30/18 23:59:40:460[ Info 1160]: Found 0 VM info source config. 0 processed.

09/30/18 23:59:40:460[ Info 1168]: Found 0 Syslog Profile(s) config.

09/30/18 23:59:40:460[ Info 1230]: Found 1 server config.

09/30/18 23:59:40:460[ Info 1265]: Found 0 include-exclude networks. 0 processed.

09/30/18 23:59:40:460[ Info 1290]: Found 0 custom log format config.

09/30/18 23:59:40:460[ Info 1297]: No xml element servercert.

09/30/18 23:59:40:460[ Info 148]: Load 8 build-in formats and 0 custom formats for parsing security log.

09/30/18 23:59:40:460[ Info 345]: DC security log and session query threads for server dc.akmlab.com(index 0) are started.

09/30/18 23:59:40:460[ Info 707]: Active Directory gets started.

09/30/18 23:59:40:460[ Info 742]: User-ID VM monitor service started.

09/30/18 23:59:40:460[ Warn 923]: Unsupported file format for UserIpMap.txt. We support ANSI and UTF-8 format.

09/30/18 23:59:40:913[Error 115]: Cannot open security log for DC dc.akmlab.com - A required privilege is not held by the client.

 

09/30/18 23:59:41:084[ Info 1241]: New connection 127.0.0.1 : 57678.

09/30/18 23:59:41:084[ Info 1314]: Device thread 0 with 127.0.0.1 : 57678 is started.

09/30/18 23:59:41:178[ Info 3396]: Device thread 0 accept finished

20 REPLIES 20

L1 Bithead

I am now receiving these same errors in my logs. All of a sudden as of yesterday, my user ID agent stopped successfully connecting to my domain controllers with the following errors:

 

06/14/21 10:36:35:994[ Warn 1167]: Unsupported file format for MachineIpMap.txt. We support ANSI and UTF-8 format.
06/14/21 10:36:36:103[Error 115]: Cannot open security log for DC fqdn.of.dc - The requested operation is not supported.

L0 Member

We had the same problem last week.  It was due to our DCs getting the June 2021 patch and our Windows based User-ID agent not having the patch yet.  Once I applied the same patch to the User-ID agent server, they connected.

L1 Bithead

Thank you Bobby Hiers! Looks like the June 2021 windows patch was the culprit. I have to update my case with Palo - they should look into this with Microsoft.

Thanks for this note. We woke up to this same issue after our DCs were patched to the June 2021 update but server running User-Id agent was not. Installing the patch on the user-id server and rebooting fixed the issue. 

L2 Linker

having the same issue, is the patch on the support software updates section? I am seeing broke version 9.1.2.9

L1 Bithead

I don't think PA has a patch just yet, although they might. If they do, their client support rep didn't mention it to me, he only pointed me in the direction of the documentation where MS and PA recognize this issue. I am on version 10.0.0-30 of the UserID agent and the issue appeared after both member servers hosting the UID agent took the June 2021 Monthly Sec updates while the DCs that the agents communicated with did not.

I have a ticket in since this morning and it's still in queue. Can anyone confirm there is some sort of hot fix or know what the technical issue is that is causing this?

 

this is really a mess

Hi Pete,

 

We were able to fix this by upgrading the windows server with the 2021-06 (june) standalone update.  After patch was installed and a reboot, the agent was able to connect to all of the updated domain controllers that recently got the same patch over the weekend.

 

Hope this helps. 

L1 Bithead

wow, a random issue I faced during playing around in a lab is now exploding in the wild 2 yrs later! 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!