Windows User-ID agent not collecting mapping

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows User-ID agent not collecting mapping

L1 Bithead

I'm working on getting a Windows User-ID agent set up for a customer and it's not collecting logs.  Checked all permisssions and service account user is in Event Log Readers and has permissions to both the install folder and registry entries.  Just as a test, I had the customer add the service account to the domain admins group and the user mapping started populating immediately.  Any permissions that I'm missing?  If not, what could be wrong on the AD side preventing Event Log Readers from viewing the logs? 


Cyber Elite
Cyber Elite


Check out this article. My guess is something might have been missed/overlooked?

Once thing we found that worked better for us were using the Exchange logs instead. Outlook is always hitting Exchange and authenticating, so if a user moves their laptop or goes wireless, its a faster transition on the firewall side of things.



Went over that document already.  Nothing missed as far as I can tell.


Is the service that is running the user-id agent set to run as the user/service account you setup to allow it grab logs from a DC?

Just grasping at straws, but it seems as an authentication/authorization issue.


You mean is the user configured in the user-id agent the same one in the "event log readers" group? Yes.  The user configured in the agent has been added to the group, is permitted to log on as a service, has rights to the PAN folder under Program Files (x86), and has rights to the PAN registry entries listed.  Like I said originally, all permissions and groups and things associated with the service account user were double and triple checked.    


EDIT: You are absolutely right though that this is an authorization issue because like I said adding the same user to Domain Admins makes it work.  I've done dozens of user-id installs before and this is the first time I've had it not work when all documented permissions where in place.


Sorry for not making myself clear, I meant the windows service:


If that doesnt work, I'd say open a support case since you already went through everything.


Oh, I'll double check that but I'm pretty sure that is the case as the agent stops and starts correctly.  

doesn't this account require access to the security logs and not the event logs?  or did i misread here...?

Misread I think.  I was talking about adding the user to the "event log readers" group as mentioned in documentation.

L7 Applicator

on the AD side have you matched this criteria..?


Must be a member of Event Log Readers, Server Operators, and Distributed COM.

Yes, the user is in those groups.  

Hmm odd,,, i will double check mine in the morning as we have 4 agents hammering away nicely on both windoze servers and local.

are your agents on servers or local....????

Agents installed on Windows Servers.  They connect to the firewall fine.  Services start and stop fine.  DCs are populated in the interface.  Just no user mappings.  I think I'll recommend this customer contact TAC.  

OK just FYI,,,  we had to add add user rights "Manage auditing and security log" to the service account for this to work but cant remember exactly why as it was a while ago...

You mean under "User Rights Assignment" in group policy?  I already thought of that and tried it.  It didn't appear to work.  Customer opened a case yesterday.  We'll see what support says.

  • 15 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!