@reaper wrote:
Hi!
1. The userID agent reads the security logs every few seconds (configurable), at which time the agent sends the data to the firewalls connected to it.
2. The agent does not listen for logoff events, as these are unreliable (a user could simply close the lid on their laptop or unplug). The mapping can either be set to a limited time to live (TTL), or probing can be enabled to periodically verify a user is still logged on.
3. Only 1 user can be mapped per IP address unless a terminal server client is installed. If the station is a regular workstation, the last user will be mapped; if the station is a terminal server with the terminal server agent installed, all users will be mapped.
4. A single user can have multiple IP addresses mapped with their user; all IP address mappings will work.

Are you sure that the agent does not check the logoff events at all? I know that when the user, for example, closes the lid, there will be no logoff event, and then the TTL will be used as a kind of fallback method? Actually, now I am asking myself how this effectively works, because we do not have any additional client probing configured, but the user-to-IP mapping also works when the TTL expires after the first user login event.