Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4851
Views
5
Helpful
7
Replies

User agent won't work: Error Unable to write to log event appears on Event Log

Departamento TI
Level 1
Level 1

‎04-13-2015 02:56 PM - edited ‎03-12-2019 05:39 AM

I've installed User Agent version 2.2 in an Windows 2008 Server to pooling our 2 AD server.

Everything appears to be OK. The 2 servers appears as "available" in Polling Status column, and Sourcefire DC connection appears as "available" in Status column.

But no user appears on Firesight Analysis->Users->Users.

In Logs Tab, an error appears: "[0226] - Unable to write to log events: [INSERT INTO event_records ...". Screenshot attached.

 

Any ideas? I already tried 2.1.1 and 2.0 versions.

2 people had this problem
Labels:
Preview file
49 KB
0 Helpful
7 Replies 7

jaykay0079
Level 1
Level 1

‎04-14-2015 09:57 PM

Make sure that you have enabled log on log off events recorded in AD.

0 Helpful

Departamento TI
Level 1
Level 1
In response to jaykay0079

‎04-15-2015 08:22 AM

Not appears to be the case.

These error events in log, shows usernames. I understand that User Agent are receiving  Logone/Logoff events.

I don't know if error is at the local database or remote (Firelight).

 

 

0 Helpful

mparvanov
Level 1
Level 1
In response to Departamento TI

‎05-21-2015 08:49 AM

Hi,

i experience the same issue. Did you get it fixed?

Thanks in advance!

Denny

 

0 Helpful

mparvanov
Level 1
Level 1
In response to Departamento TI

‎05-21-2015 10:01 AM

That's what i found.... looks like a nice little bug ;)

 

https://tools.cisco.com/quickview/bug/CSCze90399

Sergey Kovalchuk
Level 1
Level 1
In response to mparvanov

‎05-28-2015 03:00 AM

No :( we really need information about users.

0 Helpful

mparvanov
Level 1
Level 1
In response to Departamento TI

‎05-28-2015 06:32 AM

Solution:

 

If you are running SF User Agent on the Active Directory server directly, you must ensure the locales are enforced for all users (including system user) or it will not pick up the local settings. User Agent runs as a System service and in Windows, locales and date format may differ for each User and for the whole system (system accounts)
 
If you are running SF User Agent on a different machine, please also change the date format on the box you are running UserAgent on. In this scenario also you must ensure that user and whole system accounts has this settings enforced. In windows 7, you must click a button to enforce locale settings to system as well for it to take effect.
 
On Windows 7, once you change the format date, navigate to "Administrative" tab, click "Copy settings", and ensure both checkbox are included:
"Welcome screen and system accounts" <= very important, system accounts must all have the date settings copied
"New user accounts" <= just in case
 
 
Once this is done, restart the sourcefire user agent service and it should start reporting the date in the correct format.
 
0 Helpful

insystem01
Level 1
Level 1

‎06-18-2015 02:39 AM

Any solution for this?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card