04-23-2017 03:03 AM - edited 03-12-2019 06:22 AM
Dears,
We have the Sourcefire AD agent installed on Windows Server 2016. All users are shown in the access logs except for users logged in from macOS devices.
Is there any fix for such an issue?
Thanks,
Maher
04-23-2017 03:15 AM
Are the MacOS users authenticating to your domain? They need to be doing that and their login must create an audit event. That's what the agent retrieves from the server using WMI.
04-23-2017 03:33 AM
Hi Marvin,
Yes, they are all authenticating from the domain.
Any advice?
Thanks,
04-23-2017 07:12 AM
I suspect they may not be generating logon/logoff events in the Windows Security Event log.
On the Active Directory server, select Start > All Programs > Administrative Tools > Event Viewer. Then select Windows Logs > Security.
If you don't see the Mac OS logon event there, the User Agent won't either because that's where it reads to send them off to FirePOWER Management Center. In that case, you would need an alternative identity source like ISE. If you do see the events, it may be a bug and I would open a TAC case for that.
04-23-2017 07:13 AM
Hi Marvin,
I found out that the logon and logoff requests on AD come with the computer name, not the username.
Thanks for helping.
Cheers,
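
The Event Viewer check suggested above, and the computer-name finding that followed, can be reproduced from an elevated PowerShell prompt on the domain controller. This is an added example, not part of the original posts or of any Cisco tooling; it assumes the standard Windows logon event ID 4624, and the client IP address is a placeholder for one of the Macs.

```powershell
# Added example: list recent logon events recorded for one client IP and show
# whether the account logged is a user or a computer account (name ends in '$').
# Run elevated on the domain controller; reading the Security log requires it.
param(
    [string]$ClientIp = '192.0.2.25',  # placeholder: IP address of a Mac to check
    [int]$Hours = 4                    # how far back to search
)

function ConvertTo-LogonRecord {
    param([Parameter(ValueFromPipeline = $true)]$LogEvent)
    process {
        # EventData is a list of <Data Name="...">value</Data> elements.
        $data = @{}
        foreach ($d in ([xml]$LogEvent.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $kind = 'User'
        if ($data['TargetUserName'] -like '*$') { $kind = 'Computer' }
        [pscustomobject]@{
            Time        = $LogEvent.TimeCreated
            Account     = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']
            IpAddress   = $data['IpAddress']
            AccountKind = $kind
        }
    }
}

$filter = @{
    LogName   = 'Security'
    Id        = 4624                         # assumption: standard logon event
    StartTime = (Get-Date).AddHours(-$Hours)
}

# The address may be logged in IPv4-mapped form, so accept both spellings.
$addresses = @($ClientIp, "::ffff:$ClientIp")

$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertTo-LogonRecord |
    Where-Object { $_.IpAddress -in $addresses }

# Per-event detail, then a count of user vs. computer accounts for this client.
$records | Sort-Object Time | Format-Table -AutoSize
$records | Group-Object AccountKind | Select-Object Name, Count
```

If every row for the Mac's address shows `Computer`, the log holds no user name for that client for anything reading the Security log to pick up.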
04-23-2017 07:27 AM
You're welcome.
That's good info - thanks for sharing your findings.
I wasn't aware of that behavior for Mac OS clients. I wonder if that can be changed?
Are you at least getting the computer name to show up in your FMC for those Macs?
05-22-2017 02:02 AM
Hi Marvin,
Actually, I found the user account events in SFR user activity.
I don't know what is going on with Mac users exactly.
Any advice?
Thanks,