Configure Windows Log Forwarding
To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on all the Windows Event Collectors—the member servers that collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.
- On each Windows Event Collector, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
  - Windows Server 2003—The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
  - Windows Server 2008/2012 (including R2) and 2016, or MS Exchange—The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).
  To forward events as quickly as possible, select Minimize Latency when configuring the subscription.
- User-ID agents monitor the Security log, not the default Forwarded Events location, on Windows Event Collectors. Therefore, perform the following steps on each Windows Event Collector to change the event logging path to the Security log:
  - Open the Event Viewer.
  - Right-click the Security log and select Properties.
  - Copy the Log path (default %SystemRoot%\System32\Winevt\Logs\security.evtx) and click OK.
  - Right-click the Forwarded Events folder and select Properties.
  - Replace the default Log path (%SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx) by pasting the value from the Security log, and then click OK.
- Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.
- Configure a group policy to enable Windows Event Forwarding on the domain controllers.
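The subscription from the first task, scripted on the collector as an added example (PowerShell; this is not code from the Palo Alto Networks documentation). The domain controller names and the subscription ID are placeholders, and the event IDs are the Windows Server 2008 and later set listed above.

```powershell
# Added example, not from the product documentation. Creates the collector-
# initiated subscription of task 1 with the 4768/4769/4770/4624 event IDs.
# dc01/dc02.example.local and the subscription ID are placeholders.
$subscriptionId = 'UserID-DC-Logons'
$domainControllers = @('dc01.example.local', 'dc02.example.local')

# One <EventSource> per domain controller (the event sources of task 1).
$sources = ($domainControllers | ForEach-Object {
    "        <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`n"

# Only the Kerberos ticket events and successful logons are selected, so the
# collector (and the User-ID agent reading it) does not receive the whole
# Security log of every domain controller.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>$subscriptionId</SubscriptionId>
    <SubscriptionType>CollectorInitiated</SubscriptionType>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <!-- MinLatency is the XML equivalent of "Minimize Latency" in the GUI. -->
    <ConfigurationMode>MinLatency</ConfigurationMode>
    <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4770 or EventID=4624)]]</Select>
  </Query>
</QueryList>
    ]]></Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <TransportName>HTTP</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <LogFile>ForwardedEvents</LogFile>
    <CredentialsType>Default</CredentialsType>
    <EventSources>
$sources
    </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$subscriptionId.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8

# Configure the Windows Event Collector service quietly, create the
# subscription, then show the runtime status of each event source.
wecutil qc /q
wecutil cs $xmlPath
wecutil gr $subscriptionId
```

The subscription still writes to the Forwarded Events log; the second task above redirects that log's path to security.evtx, which is where the User-ID agent reads.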