Why the user-id is missing for some traffic. This also causes issue with policies using user-id.
Below traffic log is for same user/zone/ip
@MickBall We have it for 15 hours and even if it was 45mins that would not explain why within matter of minutes there is username associated for some traffic while not for other.
Yes i can now see that in your original post. How many servers are you monitoring. Could it be that one of them is not reading the security logs correctly and overwriting the correct information.
@MickBall and @OtakarKlier Thanks for suggestions. But how would i check/determine if some server is not reading security logs correctly. We are using 3 of them. Also there is no exchange server, its O365 that we have.
I did install agent on 1 of them and it seems better, but i will monitor and update
To test this i would remove 2 servers from user id and see what happens, then add a second, monitor, then add the third.... it should not cause any issues as you seem not to be using id’s for policies.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!