Agentless User-ID Error failed to parse security log buf
Symptom
Agentless User-ID uses WMI to connect directly from the Palo Alto Networks firewall to one or more AD servers and retrieve user-to-IP mapping information. On some older servers (for example, Windows 2003), the memory allocation for WMI may be constrained, which prevents the server from parsing its security logs for the firewall. This also causes server monitor disconnects on the Palo Alto Networks device and generates system alerts:
2014/10/02 10:20:32 high userid connect 0 User-ID server monitor ilija-dc1(vsys2)
2014/10/02 10:20:35 info userid connect 0 User-ID server monitor ilija-dc1(vsys2): connected to 192.168.121.23
The following error appears in the "useridd.log" file on the Palo Alto Networks device at the info level:
Warning: pan_user_id_win_log_parse(pan_user_id_win.c:1054): failed to parse security log buf.
At debug level, the "useridd.log" shows the Windows error code 0x8004106C:
WBEM_E_QUOTA_VIOLATION
2147749996 (0x8004106C)
WMI is taking up too much memory. This can be caused by low memory availability or excessive memory consumption by WMI.
For more information, refer to: WMI Error Constants (Windows)
Resolution
One possible fix is to increase the memory allocation for the WMI process on the AD server by following these steps:
- Run "wbemtest" from a command prompt:
C:\Users\Administrator>wbemtest
- Click Connect
- Change the namespace from "root\cimv2" to "root" and click Connect.
- Click Open Instance
- Specify the class name as "__ProviderHostQuotaConfiguration=@"
- Filter the output by selecting "Local Only" under Properties.
- Change the MemoryPerHost value to a larger value (512 MB in this example).
- Save Property
- Save Object
- Exit
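The same change can be made without the wbemtest GUI. The following PowerShell script is an added example (it is not part of the original article and not a Palo Alto Networks or Microsoft tool) that reads the current WMI provider-host quota, raises MemoryPerHost to the 512 MB used in the steps above, and re-reads the value to confirm it was stored. It assumes an elevated PowerShell session on the AD server; Get-WmiObject is used rather than the CIM cmdlets because it is available on the older Windows versions this article concerns.

```powershell
# Added example, not from the original article: PowerShell equivalent of the
# wbemtest steps for raising the WMI provider-host memory quota.
# Run in an elevated PowerShell session on the AD server.

# 512 MB is the value used in the article's wbemtest example.
# PowerShell expands 512MB to 536870912 bytes.
$NewMemoryPerHost = 512MB

# __ProviderHostQuotaConfiguration lives in the "root" namespace, not root\cimv2.
$quota = Get-WmiObject -Namespace 'root' -Class '__ProviderHostQuotaConfiguration'

Write-Host ("Current MemoryPerHost : {0:N0} bytes ({1} MB)" -f $quota.MemoryPerHost, ($quota.MemoryPerHost / 1MB))
Write-Host ("Current MemoryAllHosts: {0:N0} bytes ({1} MB)" -f $quota.MemoryAllHosts, ($quota.MemoryAllHosts / 1MB))

if ($quota.MemoryPerHost -ge $NewMemoryPerHost) {
    Write-Host "MemoryPerHost is already at or above the requested value; nothing changed."
}
else {
    # Sanity check (our own, not from the article): a per-host quota larger than the
    # all-hosts quota gives the provider host no real extra headroom.
    if ($quota.MemoryAllHosts -lt $NewMemoryPerHost) {
        Write-Warning "MemoryAllHosts is lower than the requested MemoryPerHost; review MemoryAllHosts as well."
    }

    $quota.MemoryPerHost = $NewMemoryPerHost

    # Put() writes the instance back to the WMI repository; this is the
    # "Save Property" / "Save Object" step in wbemtest.
    $null = $quota.Put()

    # Re-read to confirm the stored value rather than trusting the local object.
    $check = Get-WmiObject -Namespace 'root' -Class '__ProviderHostQuotaConfiguration'
    Write-Host ("New MemoryPerHost     : {0:N0} bytes ({1} MB)" -f $check.MemoryPerHost, ($check.MemoryPerHost / 1MB))
}
```

The quota is applied to WMI provider hosts as they start, so running provider hosts keep their old limit until the Windows Management Instrumentation service (winmgmt) is restarted or the server is rebooted; because other services depend on winmgmt, schedule that step through the normal change process for the domain controller. As with the wbemtest procedure, raise the quota only as far as needed: it is a per-host limit that applies to every WMI provider on the server, not just the one serving User-ID.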
Note: Make sure the value is chosen appropriately, if possible in consultation with the Windows domain administrator and following Microsoft best practices and guidelines.
Additional details from Microsoft about this issue can be found at: http://social.technet.microsoft.com/wiki/contents/articles/6563.configmgr-sccm-how-to-increase-wmi-default-memory-allocation.aspx
owner: djipp