05-08-2018 02:11 AM
Hi guys,
I've installed the Palo User-ID agent on a single domain controller (8.0.906) using the Palo Networks guide below:
Our environment already has User-ID running and is working, but due to some server retirement we have had to change the placement of this application.
So I installed the application, gave the dedicated domain service account full control over the Palo User-ID application folder, full control over the registry keys in Wow6432Node (ensured child object permissions for both were replaced) and the service account is already a member of the required AD builtin groups.
I've then added the new server to the firewall and confirmed it is connected (change committed).
However, the logs under Monitoring do not show any activity for user ID collections; the old (existing) server is still pulling them out OK. The only entries I am seeing are:
need to alloc xxxx bytes for big body
I understand this one is normal and can be ignored (https://live.paloaltonetworks.com/t5/Management-Articles/quot-Warn-839-quot-message-seen-in-User-ID-...)
New connection 127.0.0.1 : 61332 Device thread 0 with 127.0.0.1 : 61332 is started. Device thread 0 accept finish.
Which I assume is it connecting to itself (domain controller) OK.
can't get prefix from address()
I then see this event a lot. I've modified the include/exclude address ranges (192.168.0.0/16) on the Discovery option, but I can't get this to work.
Any ideas?
05-08-2018 03:47 AM
Only difference I can see is that my working server is using 7.0.713 instead.
Installed 8.0.906 on a member server and that has the same issue.
can't get prefix from address()
05-08-2018 04:09 AM
Installing 7.0.7-13 works. So I'll stick with that one I guess. Would be good to know why the newer version(s) are causing that error.