User-id don't read security log

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-id don't read security log

L1 Bithead

I have several domain controller configurated on user identification configuration  in a Palo Alto with 5.0.8 version. Just one of them seems to function properly and if I use the command "show user server-monitor state all" I obtain this:

Server: CD02(vsys: vsys1)

        Host: xx.xx.xx.xx

        num of log query made                   : 2

        num of log query failed                 : 0

        num of log read                         : 1519

        last record timestamp                   : 1392899592

        last record time                        : 20140220123312.189137-000

But all other domain controllers say this

Server: CD03(vsys: vsys1) (job 26841981)

        Host: xx.xx.xx.xx

        num of log query made                   : 166

        num of log query failed                 : 0

        num of log read                         : 0

        last record timestamp                   : 0

        last record time                        :

The user to consults secutrity logs is the same for all domain controllers, and  have the same rights on all of them. The only difference is that the domain controller that works is windows 2008 and the others are windows 2008 R2.

Someone has an idea of what is the problem?

4 REPLIES 4

L6 Presenter

Hi JRanch,

Please verify following things.

1. Users have all of the following permission..- I know you have mentioned users have all the permission, but please double check.

     Distributed com user

     Event log reader

     Server operator

     Domain admin

     WMI permission set

2. Please do tcpdump on firewall for those DC, and check what information is being exchanged. This might provide info if anything is wrong at server end.

3. Also run "netstat -n" continously on DC to see connection requests made by Firewall.

Regards,

Hardik Shah

L7 Applicator

I would also confirm that the Server Windows firewall settings are the same between the working and non-working servers.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L6 Presenter

can you install an agent and add that DC to see if agent can monitor the users or not ?

this will make you to be sure; if the problem is related to DC or agentless system.

L1 Bithead

Hi, finally the domain controllers (windows 2008 R2) was not logging the correct events, now all DC are working.

Thanks for the help

  • 2878 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!