User-ID Agent installed on Domain Controller doesn't appear to be collecting event logs



L1 Bithead

Hi guys,

 

I've installed the Palo User-ID agent on a single domain controller (8.0.906) using the Palo Networks guide below:

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/co...

 

Our environment already has User-ID running and is working, but due to some server retirement we have had to change the placement of this application.

 

So I installed the application, gave the dedicated domain service account full control over the Palo User-ID application folder, full control over the registry keys in Wow6432Node (ensured child object permissions for both were replaced) and the service account is already a member of the required AD builtin groups.

 

I've then added the new server to the firewall and confirmed it is connected (change committed).

 

However, the logs under Monitoring do not show any activity for User-ID collections; the old (existing) server is still pulling them out OK. The only entries I am seeing are:

 

need to alloc xxxx bytes for big body

I understand this one is normal and can be ignored (https://live.paloaltonetworks.com/t5/Management-Articles/quot-Warn-839-quot-message-seen-in-User-ID-...)

 

New connection 127.0.0.1 : 61332
Device thread 0 with 127.0.0.1 : 61332 is started.
Device thread 0 accept finish.

Which I assume is it connecting to itself (domain controller) OK.

 

can't get prefix from address()

I then see this event a lot; I've modified the include/exclude address ranges (192.168.0.0/16) on the Discovery option, but I can't get this to work.

 

Any ideas?

 
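A small triage script for the agent debug log, added here as an example; it is not part of the original post and not Palo Alto Networks code. It takes the three kinds of entries quoted above (the benign "big body" warning, the local connection lines, and the repeated "can't get prefix from address()" error), suppresses the known-benign one, pulls out the connection peers, and tallies the rest so the error count stands out. The sample log lines are constructed from the messages quoted in the post; the assumed byte count and any other agent log formats are not from the page.

```python
import re
from collections import Counter

# Constructed sample based on the messages quoted in the post (byte count assumed).
SAMPLE_LOG = """\
need to alloc 4096 bytes for big body
New connection 127.0.0.1 : 61332
Device thread 0 with 127.0.0.1 : 61332 is started.
Device thread 0 accept finish.
can't get prefix from address()
can't get prefix from address()
can't get prefix from address()
"""

# The "big body" allocation notice is documented as harmless (the Warn 839 KB
# article linked in the post), so it is filtered out rather than counted as a problem.
BENIGN_PATTERNS = [re.compile(r"need to alloc \d+ bytes for big body")]

# Connection lines: "New connection <ip> : <port>"
CONN_RE = re.compile(r"New connection (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) : (?P<port>\d+)")

# The error the poster sees repeatedly while Discovery produces no mappings.
PREFIX_ERR = "can't get prefix from address()"


def classify(line):
    """Return one of: 'benign', 'connection', 'prefix_error', 'other'."""
    line = line.strip()
    if any(p.search(line) for p in BENIGN_PATTERNS):
        return "benign"
    if CONN_RE.search(line):
        return "connection"
    if PREFIX_ERR in line:
        return "prefix_error"
    return "other"


def triage(text):
    """Summarise a chunk of agent debug log.

    Returns a dict with per-category counts, the list of (ip, port) peers that
    connected, and a needs_attention flag that is set whenever the prefix error
    appears at all (one occurrence is already worth looking at).
    """
    counts = Counter()
    peers = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cat = classify(raw)
        counts[cat] += 1
        if cat == "connection":
            m = CONN_RE.search(raw)
            peers.append((m.group("ip"), int(m.group("port"))))
    return {
        "benign": counts["benign"],
        "connection": counts["connection"],
        "prefix_error": counts["prefix_error"],
        "other": counts["other"],
        "peers": peers,
        "needs_attention": counts["prefix_error"] > 0,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for k, v in summary.items():
        print(f"{k}: {v}")
```

Run it against a pasted section of the agent's debug log (Monitoring > Logs in the agent UI, or the on-disk log under the agent's install folder); a non-zero prefix_error count alongside only loopback peers matches the symptom in the post, where the agent connects to itself fine but never produces user mappings.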


L1 Bithead

Only difference I can see is that my working server is using 7.0.713 instead.

 

Installed 8.0.906 on a member server and that has the same issue.

 

can't get prefix from address()

Installing 7.0.7-13 works. So I'll stick with that one I guess. Would be to know why the newer version(s) are causing that error.
