With server monitoring a User-ID agent—either a Windows-based
agent running on a domain server in your network, or the integrated
PAN-OS User-ID agent running on the firewall—monitors the security
event logs for specified Microsoft Exchange Servers, Domain Controllers,
or Novell eDirectory servers for login events. For example, in an
AD environment, you can configure the User-ID agent to monitor the
security logs for Kerberos ticket grants or renewals, Exchange server
access (if configured), and file and print service connections.
For these events to be recorded in the security log, the AD domain
must be configured to log successful account login events. In addition,
because users can log in to any of the servers in the domain, you
must set up server monitoring for all servers to capture all user
login events. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.