
How security events are shared between DCs - FMC User Agent

MSJ1
Beginner

I have only one operational DC from which the User Agent is getting user ID/IP mapping info. There is 1 other DC added to the User Agent, but that other one is part of the Test Site.

 

  • How can I confirm which DC is actually providing the user ID and IP mapping to the User Agent?

  • Referring to the doc below and based on my current scenario: is the User Agent technically connecting to a DC which is not listed in the User Agent, given that DCs do not share the security events?

 

Cisco reference quote

 

https://www.cisco.com/c/en/us/td/docs/security/firesight/user-agent/24/config-guide/Firepower-User-Agent-Configuration-Guide-v2-4/ConfigAgent.html#88746

"If your Active Directory system has multiple domain controllers, enter the host name or IP address of the domain controller with which you want the user agent to communicate. (Active Directory domain controllers don’t share their security logs so you must have a separate user agent connection to each controller.) In a distributed or heavily trafficked system, you can optionally install more than one user agent as discussed in Deploy Multiple User Agents."

6 Replies

Marvin Rhoads
VIP Community Legend

First off, User Agent only captures user login information from WMI, not security events of any kind.  A given User Agent can collect information from multiple DCs. You can perform troubleshooting of the user agent using the troubleshooting tool in the installation directory. It will show, among other things, the individual login events and from which source they are received.

Hello @Marvin Rhoads 

Thank you, thanks for the information.

Can you guide me a little bit more as to which tab it is from the tools item?

"It will show, among other things, the individual login events and from which source they are received."

Especially, I do not see which source they are received from, and that is what I need to know.

Marvin Rhoads
VIP Community Legend

I don't have one handy to look at since all of my customers have migrated to ISE or ISE-PIC.

I seem to recall it's under the logs setting in User Agent. Set the logging to include debug messages and then look at those messages.

I don't have one handy either, but I had written a post on my blog about the User Agent and one of the images shows the Logs tab. Not sure if this would be helpful though:

https://bluenetsec.com/cisco-firepower-user-agent/

Thank you, but I did not get a clue as to which AD it got the user ID info from.
