No User-to-IP Mappings Found by the User-ID Agent when Monitoring Domain Controller Security Logs

No User-to-IP Mappings Found by the User-ID Agent when Monitoring Domain Controller Security Logs

28505
Created On 09/25/18 17:58 PM - Last Modified 12/07/20 23:57 PM


Symptom
  • The User-ID Agent is not finding any user-to-IP mappings from reading the security logs of one or more Windows Domain Controllers.
  • The User-ID Agent debug logs contain reading security log messages, but with no other related logs:
[Debug 285]: Reading 1 security logs takes 32 ms for DC ...
[Debug 285]: Reading 1 security logs takes 32 ms for DC ...
[Debug 285]: Reading 4 security logs takes 953 ms for DC ...

 

  • If the User-ID Agent has no other means of identifying users, such as probing or server session reads, then no user-ip mappings will appear under the monitoring tab of the User-ID Agent.


Environment
  • Any PAN-OS
  • User ID Agent
  • Active Directory


Cause

The presence of the reading security log messages without any accompanying related logs indicates that the User-ID Agent is not finding any audit success logs with the Event-IDs that the agent monitors for in the security logs of the Domain Controllers.

 

Below are logs from a User-ID Agent when reading from a Windows 2008 Domain Controller that would typically be seen involving those Event-IDs:

[Debug  321]: LOGON_SUCCESS_W2008(4624) from domain controller 0: ....
[Debug  321]: SERVICE_TICKET_GRANTED_W2008(4769) from domain controller 0: ....
[Debug  321]: TICKET_GRANTED_RENEW_W2008(4770) from domain controller 0: ....
 

If logs like the above are not present, but the User-ID Agent is reading the security log, this means the Domain Controller is not configured to audit the necessary events.  Use the Event Viewer program on the Windows Domain Controller to search the security log and verify that the events are not seen.



Resolution
  1. Check the Local Security Policy for the Domain Controller or Domain Controllers to see if the proper auditing action is configured so that the necessary Event-IDs are written to the security log.
  2. Check in the following location of the Local Security Policy of the Domain Controller: Security Settings > Local Policies > Audit Policies.
  3. There are two policies to check for what auditing action is taken:
    • Audit account logon events
    • Audit logon events
  4. Make sure Success logging is turned on for each policy.
  5. If there are many Domain Controllers, these same settings can be pushed to all of the Domain Controllers in the domain through Group Policy Management by editing the Default Domain Controllers Policy in the Group Policy Objects for the domain.


Additional Information

Note: Be aware that the changes suggested in this document are for settings in the Windows Domain Controllers  not related to settings on the User-ID Agent. Review the suggested changes with Windows Domain Administrators.

Microsoft's procedure to enable Audit Logon and Audit Account Logon events:


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClLk&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments
Choose Language