This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

User-id don't read security log

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User-id don't read security log

JRSanch
L1 Bithead

‎02-20-2014 04:50 AM

I have several domain controller configurated on user identification configuration  in a Palo Alto with 5.0.8 version. Just one of them seems to function properly and if I use the command "show user server-monitor state all" I obtain this:

Server: CD02(vsys: vsys1)

        Host: xx.xx.xx.xx

        num of log query made                   : 2

        num of log query failed                 : 0

        num of log read                         : 1519

        last record timestamp                   : 1392899592

        last record time                        : 20140220123312.189137-000

But all other domain controllers say this

Server: CD03(vsys: vsys1) (job 26841981)

        Host: xx.xx.xx.xx

        num of log query made                   : 166

        num of log query failed                 : 0

        num of log read                         : 0

        last record timestamp                   : 0

        last record time                        :

The user to consults secutrity logs is the same for all domain controllers, and  have the same rights on all of them. The only difference is that the domain controller that works is windows 2008 and the others are windows 2008 R2.

Someone has an idea of what is the problem?

Labels:
0 Likes Likes
4 REPLIES 4

hshah
L6 Presenter

‎02-21-2014 10:14 AM

Hi JRanch,

Please verify following things.

1. Users have all of the following permission..- I know you have mentioned users have all the permission, but please double check.

     Distributed com user

     Event log reader

     Server operator

     Domain admin

     WMI permission set

2. Please do tcpdump on firewall for those DC, and check what information is being exchanged. This might provide info if anything is wrong at server end.

3. Also run "netstat -n" continously on DC to see connection requests made by Firewall.

Regards,

Hardik Shah

0 Likes Likes

pulukas
L7 Applicator

‎02-22-2014 08:01 AM

I would also confirm that the Server Windows firewall settings are the same between the working and non-working servers.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

panos
L6 Presenter

‎02-22-2014 10:36 AM

can you install an agent and add that DC to see if agent can monitor the users or not ?

this will make you to be sure; if the problem is related to DC or agentless system.

0 Likes Likes

JRSanch
L1 Bithead

‎03-24-2014 11:46 PM

Hi, finally the domain controllers (windows 2008 R2) was not logging the correct events, now all DC are working.

Thanks for the help

0 Likes Likes
  • 2817 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks