XG: STAS installed, configured, started but doesn't show live users

Hi all

I have an XG firewall (latest firmware), running 5 VLANs, single domain controller.

I have installed the STAS application on my domain controller, followed the KB to the word

https://community.sophos.com/kb/en-us/123156

I even changed the user account for the STAS app to the domain administrator, I have disabled the firewall on the DC...

But no matter what I do, no live users are showing up in the advanced tab on STAS.

 

BTW,

In the STAS agent I have configured all our VLANs, all 5 of them.

In the STAS collectors tab I have specified the XG IP address that is on the DC VLAN (should I mention all its IP addresses on all VLANs?)

In the advanced tab, the test to the Sophos IP address is successful!

I don't understand what is wrong!

Please help

 

Maybe screenshots would help a little:

  • Never found the trick to run it reliably either.

    Paul Jr

  • In reply to Big_Buck:

    Let's get back to the topic.

     

    First of all.

    Agents are reporting all Users to Collector.

    Collector is reporting to XG.

    XG is using Collector to look up the Users.

    Collector is fetching all Users and "verifies" them via WMI.

    Suite installs both components. Do you have multiple Collectors / Agents? This could cause an issue, if not set up properly.

     

    You need to know which of the steps above causes your issue.

     

    Do you see Users in the Collector (Live User Collector) but not in XG?

    Seems like something is broken between Collector and XG.

     

    Do you see no Live Users in Collector?

    Seems like something is broken between Agent and Collector. 


    There is a Log on Collector and XG. You can actually use both to get a clue about what is going on.

  • In reply to LuCar Toni:

    Hi

    So, I have a single instance of STAS running on a single domain controller.

    Meaning no multiple agents and no multiple collectors.

    I don't see live users, neither on STAS nor in XG.

    I'm getting absolutely nothing.

  • In reply to Avi Bar Ilan:

    Please make sure you have done the following on the DC:

    - Go to Start > Administrative Tools > Local Security Policy to view Security Settings. Browse to Security Settings > Local Policies > Audit Policy and double click on Audit account logon events to view the Audit account logon events Properties window.

    Select both the Success and Failure options and click OK to close the window.

    - While still in the Local Security Policy, browse to Security Settings > Local Policies > User Rights Assignment and double click on Log on as a service to view the Log on as a service Properties.

    If the Administrative user being used to install and run STAS is not listed here, select Add User or Group and add the user. Select OK to close the window.

    Configure the Windows Firewall and/or 3rd party firewall software to allow communication over the following ports:

    • AD Server: Inbound UDP 6677, Outbound UDP 6060, Outbound TCP 135 & 445 (if using Workstation Polling Method WMI or Registry Read Access), Outbound ICMP (if using Logoff Detection Ping), Inbound/Outbound UDP 50001 (collector test), Inbound/Outbound TCP 27015 (config sync).
    • Workstation(s): Inbound TCP 135 & 445 (if using Workstation Polling Method WMI or Registry Read Access), Inbound ICMP (if using Logoff Detection Ping).

    Note: RPC, RPC locator, DCOM and WMI services should be enabled on workstations for WMI/Registry Read Access.

    If all the above steps are done, check on your domain controller whether event ID 4768 is getting logged. To check this, in Event Viewer -> Windows -> Security, filter for event ID 4768.

    If no events, try a restart of the DC and check again.
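
The checks listed in the reply above (audit policy, inbound UDP 6677, event ID 4768) can be scripted. The following is an added example, not part of the original thread and not Sophos code; the networks in `$MonitoredNets` are placeholder values and `Test-InCidr` is a helper written for this example.

```powershell
# Added example: run elevated on the DC that hosts STAS.
# Placeholder networks; replace with the ones entered in the STAS agent tab.
$MonitoredNets = @('192.0.2.0/24', '198.51.100.0/24')   # constructed sample values

function Test-InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $a = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    $full = [int][math]::Floor([int]$bits / 8)
    $rest = [int]$bits % 8
    for ($i = 0; $i -lt $full; $i++) { if ($a[$i] -ne $n[$i]) { return $false } }
    if ($rest -eq 0) { return $true }
    $mask = [int](256 - [math]::Pow(2, 8 - $rest))   # e.g. /20 -> 0xF0 on the third octet
    return (($a[$full] -band $mask) -eq ($n[$full] -band $mask))
}

# 1. Audit policy: the "Account Logon" category should log Success and Failure.
auditpol /get /category:"Account Logon"

# 2. Is any process bound to the inbound UDP port listed for the AD server?
Get-NetUDPEndpoint -LocalPort 6677 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Event ID 4768 from the last hour, grouped by client IP, flagged when the
#    client lies outside every monitored network.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $ip = $d['IpAddress'] -replace '^::ffff:', ''        # strip IPv4-mapped prefix
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { continue }
    if ($parsed.AddressFamily -ne 'InterNetwork') { continue }   # skip ::1 and other IPv6
    [pscustomobject]@{
        User      = $d['TargetUserName']
        ClientIp  = $ip
        Monitored = [bool]($MonitoredNets | Where-Object { Test-InCidr $ip $_ })
    }
}
$rows | Group-Object ClientIp, Monitored | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

An empty result from step 3 while Event Viewer shows 4768 entries can simply mean the session is not elevated, since reading the Security log requires administrative rights.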

  • In reply to AWP:

    Hi

    I have already followed your suggested steps since they are all taken from the KB.

  • In reply to Avi Bar Ilan:

    BTW,

    All event ID 4768 entries are indeed showing in the DC event viewer,

    but still no live users are showing up in STAS.

  • In reply to Avi Bar Ilan:

    Just to confirm, the problem is that no users are shown in the live users on the installed STAS agent.

    Is STAS installed on a DC or a member server?

  • In reply to AWP:

    Hi

    STAS is installed on a DC.

  • In reply to Avi Bar Ilan:

    using latest STAS 2.5, maybe try 2.2

  • In reply to AWP:

    So you see all those Login Events in the Event Log of the DC?

    Can you actually see any entries in the Log of STAS?

  • In reply to LuCar Toni:

    Hi

    I do see all those events in Event Viewer on the DC.

    Nothing in STAS.

    BTW,

    I changed the agent mode from eventlog to netapi...

    That seemed to work for a few hours, but now it's not working again.

    Unstable is an understatement.

  • In reply to AWP:

    Can't find the 2.2...

    Do you have the 2.2 installer to share with me?

  • In reply to Avi Bar Ilan:

    This should not help; I mean the old version should not have any changes regarding picking up the Event Log.

    My question is, do you have any extra software on the DC, something special which could prevent STAS from hooking up the Events?

    And do you see something in the Logs of STAS?

  • In reply to LuCar Toni:

    Hi

    I have no other software installed on the DC.

    Regarding logs,

    I have a lot of info in the logs; what exactly should I look for?

  • In reply to Avi Bar Ilan:

    Can you export some of the STAS Logs and check whether you can find a root cause for not being able to sign in those Users, or other reasons for it not working?