08-28-2012 08:52 AM
A question about using palo alto with the user-id agent v.4.1.4.3
I get complain from the administrators of Window env. They see that the user-id agent doing many logs on all PC. They are store in the Events>Security logs on each PC.
Since the installation of the agent, all PC logs many stuff in the computer event> security tab. All of those log are audit events.
I see Events like :
- open session
- close session
- open special session
Those log use credential of the user i choose that run the Palo Alto User-ID agent. And i see many many log of that type in the events viewer.
They are keeping those logs for like 6 month, for debug purpose. But since installation of the user-id agent, they can keep only 1 month.
Why see those behevior on all PC? Can we change something so we see less logs in Events viewer? without reducing functionality of user-id agent?
Thanks
08-29-2012 02:33 PM
I dont know if you will see fewer logrows in each client but worth a try.
Netbios is considered insecure and should be disabled at client by default. I guess its in the pan-agent for backward compatibility reasons (like if you have clients who doesnt do WMI but they does Netbios instead). WMI is the preferred choice.
Other than that Netbios and WMI are equal when it comes to probe clients.
According to docs for PAN-EDU-301 the process of pan-agent is:
1) Map ip by looking at security log of primary domain controller (or rather any domain controller in the network because the security logs is not synced between DC's).
2) If above fails then monitor open server sessions such as file, print or exchange.
3) If all fails then probe clients with WMI (preferred) or Netbios.
The above is for pan-agent. If you use citrix then you would use ts-agent instead. Also using captive portal might be an option in some cases (however captive portal relies on user/pass so its lacking strong auth - also in order for captive portal to be successful you should have secured the client access-network so clients cannot steal each other ips or macaddresses and such because then the wrong user would be logged).
08-28-2012 08:41 PM
When setting up a pan-agent for use of user-id feature in PA the pan-agent will need to tail the security log of all your DC's (Domain Controller).
You will instruct it which ip addresses your DC's have (along with which iprange(s) you want to monitor).
The eventids which are being monitored are:
Windows 2003 DC:
- 672 (Authentication Ticket Granted, which occurs on the logon moment)
- 673 (Service Ticket Granted)
- 674 (Ticket Granted Renewed which may happen several times during the logon session)
Windows 2008 DC:
- 4768 (Authentication Ticket Granted)
- 4769 (Service Ticket Granted)
- 4770 (Ticket Granted Renewed)
In addition to the above you can also monitor activity to any file, print or exchange server (which will give info of username <> ipaddress relations).
In your case I think someone has setup netbios/wmi probing of clients to improve the userid function. Usually netbios is not recommended while wmi is the recommended way to do this in case you need it.
The netbios/wmi probing of clients is an active way of the pan-agent to verify that each ip address still have the logged user logged in on the device (because the above DC security log tailing and file,print,exchange server activity are all "passive" methods of detecting who is behind each ip address).
Check out this doc for more information:
08-29-2012 05:06 AM
Exaclty i have choose to use the option of netbios/wmi probing.
Thanks for the DOC i will read it closely.
If i understand, by uncheck Netbios, but keeping WMI probing :
- this will reduce logs i see in events viewer, on PCs?
- i will not loose functionality of probing?
I want to keep the active (probing) verification of logged users. Specialy admins that use "RUN AS". We block Admins to go on internet. So when they use "RUN AS" with admins credential, PCs are blocked. But with probing, they are block just for a few minutes.
08-29-2012 02:33 PM
I dont know if you will see fewer logrows in each client but worth a try.
Netbios is considered insecure and should be disabled at client by default. I guess its in the pan-agent for backward compatibility reasons (like if you have clients who doesnt do WMI but they does Netbios instead). WMI is the preferred choice.
Other than that Netbios and WMI are equal when it comes to probe clients.
According to docs for PAN-EDU-301 the process of pan-agent is:
1) Map ip by looking at security log of primary domain controller (or rather any domain controller in the network because the security logs is not synced between DC's).
2) If above fails then monitor open server sessions such as file, print or exchange.
3) If all fails then probe clients with WMI (preferred) or Netbios.
The above is for pan-agent. If you use citrix then you would use ts-agent instead. Also using captive portal might be an option in some cases (however captive portal relies on user/pass so its lacking strong auth - also in order for captive portal to be successful you should have secured the client access-network so clients cannot steal each other ips or macaddresses and such because then the wrong user would be logged).
08-30-2012 11:20 AM
ok i have set WMI probing only.
Nothing change in the functionality.
I still see many logs in security of Event Viewer. But thats okay with me.
Thanks for the help
08-30-2012 03:10 PM
Perhaps one of the solutions explained in How can I remove specific events from the event log in Windows Server 2008? - Server Fault might help?
"
If you want to find actual problems and you have specific event ID's that you don't care to weed through, create a custom view with the following steps ...
Now when you wish to look at your event log, use your custom view and only the information you are truly concerned with will be displayed.
"
"
What might solve your problem is to change the audit policies in group policy. Without knowing what specifically you want to not show up, I'm not sure if there's a setting for it, but here's an example.
In GPMC, drill down through Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy. There's not a TON of granularity here, but maybe you can get rid of what's filling up your logs. (My DCs aren't 2008, so this is what I've got from a 2003 AD perspective, hopefully it's not completely different)
"
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
