User-ID two usernames being identified by User-ID servers

L2 Linker

Re: User-ID two usernames being identified by User-ID servers

@panwreaper  - Correct, it is set to NetBIOS. I have set the domain to 'domain' not 'domain.local'

 

Thanks,

Daniel Bostock | Senior IT Operations Engineer, EML Payments | Blog: https://danielbostock.com
L7 Applicator

Re: User-ID two usernames being identified by User-ID servers

The userid agent is supposed to simply pick up logs

Is it possible that it is either reading 2 different sources, or the eventlog is getting populated by 2 processes that write the username differently?

 

One workaround would be to set up the ignore_user_list.txt and exclude either domain\* or *@domain, but it would be better if you figure out why the userid agent is seeing both and suppress one source

reaper - PANgurus.com
I drink and I know things
L2 Linker

Re: User-ID two usernames being identified by User-ID servers

@reaper 


I think there is something to what you are saying, however I will look into it tomorrow with a colleague. I have deployed User-ID in other environments before and not had this issue, there is something peculiar with this AD setup I am thinking.

The ignore text file which you mention here, I have not seen a guide mention it, apologies if I have missed this though. Is this a file that should exist on the User-ID agent servers?

 

Thanks,

Daniel Bostock | Senior IT Operations Engineer, EML Payments | Blog: https://danielbostock.com
L7 Applicator

Re: User-ID two usernames being identified by User-ID servers

The file doesn't exist, you need to create it

 

This is a bit of tribal knowledge but it's described here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClklCAC

reaper - PANgurus.com
I drink and I know things
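The two replies above describe the symptom (one logon showing up as both `DOMAIN\user` and `user@domain`) and the workaround (an ignore_user_list.txt on the agent with a wildcard pattern). The script below is an added illustration, not code from the thread, from Palo Alto Networks or from the User-ID agent: it simulates an agent building its IP-to-user map from a few constructed logon-event records, then applies an ignore list in the `*@domain` style suggested by reaper. The event field names, the sample domain `corp.local`, the IPs and usernames are all made up, and the glob-style matching (`*` matches anything, case-insensitive) is an assumption about the file's semantics; the linked KB article is the authority on the real format.

```python
"""
Added example: how duplicate username formats reach a User-ID style IP-to-user
map, and what an ignore-list pattern does to them. Nothing here is the real
agent's code; field names, hosts and matching rules are assumptions.
"""
import fnmatch
from collections import defaultdict

# Constructed sample records, loosely modelled on the fields a logon event
# (4624-style) exposes. Two writers on the DC record the same session for
# 10.1.2.3 in two spellings: NetBIOS domain + SAM name, and UPN.
SAMPLE_EVENTS = [
    {"TargetUserName": "dbostock", "TargetDomainName": "CORP", "IpAddress": "10.1.2.3"},
    {"TargetUserName": "dbostock@corp.local", "TargetDomainName": "-", "IpAddress": "10.1.2.3"},
    {"TargetUserName": "svc_backup", "TargetDomainName": "CORP", "IpAddress": "10.1.2.9"},
    # jsmith is only ever logged in UPN form (assumed edge case).
    {"TargetUserName": "jsmith@corp.local", "TargetDomainName": "-", "IpAddress": "10.1.2.4"},
]

# Constructed stand-in for ignore_user_list.txt: one pattern per line.
IGNORE_LIST_TEXT = """*@corp.local
"""


def event_to_username(ev):
    """Build the username string an agent would map from one event, as logged.

    A UPN-form TargetUserName is taken verbatim; otherwise the NetBIOS domain
    is prefixed. No normalisation is done here on purpose: the point is to
    show the duplicates that arise when the agent does not reconcile formats.
    """
    user = ev["TargetUserName"]
    dom = ev["TargetDomainName"]
    if "@" in user or dom in ("", "-"):
        return user
    return f"{dom}\\{user}"


def load_ignore_list(text):
    """Parse an ignore-list file body: one glob pattern per line, blanks skipped (assumed format)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def is_ignored(username, patterns):
    """Case-insensitive glob match; backslashes in NetBIOS names are matched literally."""
    name = username.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def build_ip_user_map(events, patterns=()):
    """Return {ip: set(usernames)} after dropping any username the ignore list matches."""
    mapping = defaultdict(set)
    for ev in events:
        name = event_to_username(ev)
        if is_ignored(name, patterns):
            continue
        mapping[ev["IpAddress"]].add(name)
    return dict(mapping)


def ips_with_multiple_users(mapping):
    """IPs that carry more than one username: the symptom reported in the thread."""
    return sorted(ip for ip, users in mapping.items() if len(users) > 1)


if __name__ == "__main__":
    before = build_ip_user_map(SAMPLE_EVENTS)
    after = build_ip_user_map(SAMPLE_EVENTS, load_ignore_list(IGNORE_LIST_TEXT))
    print("without ignore list:", before)
    print("  IPs with two usernames:", ips_with_multiple_users(before))
    print("with '*@corp.local' ignored:", after)
    print("  IPs with two usernames:", ips_with_multiple_users(after))
    print("  IPs that lost their only mapping:", sorted(set(before) - set(after)))
```

Run without arguments and the first map shows 10.1.2.3 with both `CORP\dbostock` and `dbostock@corp.local`; with the `*@corp.local` pattern the duplicate is gone, but 10.1.2.4 vanishes entirely because jsmith was only ever logged in UPN form. That is the cost of the ignore-list workaround and the reason the reply above prefers finding the second log source and suppressing it at the origin: a blanket `*@domain` (or `domain\*`) pattern also drops every user who appears only in the filtered format.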
L2 Linker

Re: User-ID two usernames being identified by User-ID servers

@reaper 

 

Hey mate, looks like this has really started to filter out the @domain SAM log entries. I will let this run over night and for some of the day tomorrow then begin testing some rules to see how it goes now with this filter and then let you know if this has solved it.

 

Really appreciate the help!

 

Thanks,

Daniel Bostock | Senior IT Operations Engineer, EML Payments | Blog: https://danielbostock.com