Cisco Context Directory Agent - Windows logs - Forwarded events

Hello,
I have a setup testing with Cisco ASA, Cisco CDA and MS 2012 R2. All this works fine. Only problem I encountered is that I want to read the forwarded events on the AD LDS server instead of the security events.
So in small words, is it possible to connect the CDA agent with WMI to forwarded events instead of security logs?
Is this possible?
Thanks,
Mark Post

Hi,
I applied the solutions mentioned above, but now I get the below error. Domain still shows as down.
wmi-property
exception-stack
org.jinterop.dcom.core.JIRemUnknownServer.call(JIRemUnknownServer.java:158)
org.jinterop.dcom.core.JIRemUnknownServer.addRef_ReleaseRef(JIRemUnknownServer.java:181)
org.jinterop.dcom.core.JISession.releaseRef(JISession.java:805)
org.jinterop.dcom.core.JIComServer.createInstance(JIComServer.java:777)
com.cisco.cda.rt.adobserver.adobserver.jinteropUtil.getWmiLocator(jinteropUtil.java:40)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.QueryWMIProperty(EventsThread.java:83)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.getNetBIOS(EventsThread.java:171)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.extractDCData(EventsThread.java:203)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.run(EventsThread.java:599)
dc-hostname
dc-name
exception-cause
java.net.ConnectException: Connection timed out
wmi-class
Win32_NTDomain
exception-message
An internal error occurred. [0x8001FFFF]
wmi-property
DomainName
dc-username
Any idea on the error?
Thanks.

Similar Messages

  • What is the new Cisco Context Directory Agent?

    Hi Everyone.
    I noticed on the ASA software download page the new Content Directory Agent (~800MB).  I could not find any release notes nor other references from a Google search.
    http://www.cisco.com/cisco/software/release.html?mdfid=280582808&softwareid=280775065&release=8.4.4.ED&flowid=4822
    What is it?
    A

    Context Directory Agent is the successor product to AD agent. It provides similar functionality but comes with Linux distribution and has a GUI based interface. You are right that at the link you gave there is no documentation posted. Will need to dig around.
    The release notes for the AD Agent product are at: http://www.cisco.com/en/US/docs/security/ibf/release_notes/ibf10_rn.html

  • Context Directory Agent Path not found

    I am trying to connect Cisco Context Directory Agent to my AD 2012r2 server.
    Went through the setup guide and changed all needed register keys, firewall rules, DCOM and wmimgmt permissions.
    I got past the access denied error, but now I am getting a "The system cannot find the path specified. [0x80070003]" error.
    Here is my log.
    wmi-property exception-stack org.jinterop.dcom.core.JIComServer.init(JIComServer.java:580)
    org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:481)
    org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:445)
    com.cisco.cda.rt.adobserver.adobserver.jinteropUtil.getWmiLocator(jinteropUtil.java:42)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.QueryWMIProperty(EventsThread.java:81)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.getNetBIOS(EventsThread.java:171)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.extractDCData(EventsThread.java:203)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.run(EventsThread.java:609)
    dc-hostname maddcr2.xxxxxxx.local/10.1.0.19
    dc-name xxxxx
    exception-cause org.jinterop.dcom.common.JIRuntimeException: The system cannot find the path specified. [0x80070003]
    wmi-class Win32_NTDomain
    exception-message The system cannot find the path specified. [0x80070003]
    wmi-property DomainName
    dc-username _zxxxxx
    Thank you,

    Are you running CDA 1.1 with Patch 1:
    cda-patchbundle_1.0.0.011-1.i386.tar.gz
    Support for Windows 2012 server was added in patch 1. Enable
    this patch using the command:
    admin# patch install cda-patchbundle_1.0.0.011-1.i386.tar.gz myrepository
    (see step 2a below for setting up a repository)
    Refer to:
    http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html#wp1061521  

  • Need of Context Directory Agent

    Hi all
    I downloaded from CCO CDA (Cisco Directory Agent - filename is AD_Agent-v1.0.0.32.1-build-598.Installer.zip) and installed it. The goal is to authenticate users of WSA using Windows Server 2003 Active Directory.
    During deployment I discovered CDA supports until W2008R2 AD servers. Because customer plans to migrate soon AD to Windows Server 2012, I think CDA has to be replaced.
    Is Cisco Context Directory Agent the right replacement? I read it  runs on a separate Virtual Machine, so I need to inform customer we need an additional VM?
    Thanks in advance

    What you downloaded was the old Active Directory Agent. You need to download CDA (Context Directory Agent) and the four patches and install them on a VM. Download link here: https://software.cisco.com/download/release.html?mdfid=282803423&flowid=4949&softwareid=284724387&release=CDA&relind=AVAILABLE&rellifecycle=&reltype=latest

  • Context Directory Agent ipv4 and ipv6 mappings

    I have the context directory agent 1.0 patch 2 installed and running.  It works good mostly.  We have a dual stack running ipv6 and ipv4 on our workstations.  They connect to the AD with ipv6, so the mapping is for ipv6.  Is there a way to get the ipv4 mappings?
    We need to map both addresses for the Web Filtering on the CX.

    Same question.

  • Context Directory Agent server 2012R2

    Hi,
    Win Server 2012R2 is not officially on the supported list for Context Directory Agent (CDA). Has anyone tested this setup?
    I have been following the installation guide for 2012: http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html but the server stays red in the CDA GUI. No error messages in the log though.
    CDA is patch1 and the CDA user is within the Domain Admin group, and the necessary privilege changes according to the installation document are in place (registry key ownership etc.); the firewall on the server has been temporarily disabled.
    Just wanted to see if there is anyone who got the combination CDA/2012R2 running and/or when there will be an official patch to CDA to add 2012R2 support.

    I opened a case and they referred me to bug CSCun10631.
    (CDA doesn't support 2012R2).
    The good news is that a new patch (3) should be released this month (July) and will include support.

  • Cisco NAC Web Agent + Windows 8

    Hello,
    I'm implementing Cisco ISE 1.2 and I am having trouble with NAC Web Agent and Windows 8 compatibility.
    Every time I try to install NAC Web Agent on Windows 8, I get the message "Agent User Operating System is Not Supported".
    Following is some information about my environment:
    ISE 1.2 Patch 3
    OS: Windows 8 Enterprise
    IE: 10 (In Desktop Mode w and w/o Compatibility View)
    NAC Web Agent: 4.9.0.1007
    Could you help me ?
    Best Regards,
    Daniel Stefani

    Hi Charles,
    I can download all these files, but I can't import them in ISE Resources.
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.9.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.9.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.9.tar.gz
    Mac Agent Installation Package for MacOSX
    CCAAgentMacOSX-4.9.3.803.tar.gz
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.5.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.5.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.5.tar.gz
    The link that you sent me doesn't have options for Cisco NAC Web Agent.
    But the following one does…
    http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    Best Regards,
    Daniel Stefani

  • Windows Logs show Event ID 264 Warning

    Hi,
    Our customer reports that there is one warning log in Windows logs. Please check the message below.
    The O.S. is windows 8.
    Log Name: System
    Source: Win32k
    Date: 6/13/2013 6:18:02 PM
    Event ID: 264
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: test
    Description:
    A multi-touch device reported inconsistent contact information.
    But
    (1) The multi-touch device has passed the WHCK. And,
    (2) We also double-checked the device HID descriptor. The device passes the descriptor check by Microsoft's tool "Digitizer Report DescriptorChecker".
    I know there are many laptops that have the same problem, but no one has a solution for this.
    Does MSFT have a solution for this or any other test tool which can help to find the root cause? Since the log is created by System, and our device already check our all functions which declared in the HID descriptor. We have no idea why the warning is showing up.
    Once MSFT reply the event id 264 issue by the following return information.
    MSFT : it may relate to firmware. For example, firmware claims it can support 2 contacts, but actually it reports 5 contacts information.
    But we can't find the wrong part of our device's HID report descriptor, and the device already passed WHCK. Since many other laptops have the same problem, I think it's not an easy guess root cause by checking our own firmware. Hope MSFT can check this issue and offer more information.
    From the event id 264 description:
    A multi-touch device reported inconsistent contact information.
    We would need more "precise" reason of the warning log.
    Best Regards,
    Sean

    Hi,
    Is there any answer for this?
    Because I have the same problem with my Lenovo u430 touch laptop.
    After a period of time using the laptop, it will suddenly be unable to use the touch screen, and I get exactly the same error message from the event viewer log.

  • Context Directory Agent maps the Active Directory Anti-Virus user

    Hi,
    Today I was able to join a couple of CDA's to our Active Directory domain (2008 R2 DC's) using a non-privileged account and the CDA maps (most) users to IP addresses.
    I would like to use the CDA solely for building up firewall policies based on AD details whenever possible
    as maintaining granular firewall policies on 8 different ASA's is too time consuming as we are not a large IT organization.
    But, after deploying the first "AD Group" based rule, it turned out, that the AD user-account mapped to the IP address of my PC was actually a domain user, running the local anti-virus engine, and not my own.
    It makes total sense that the anti-virus user is logged on to the PC before any user, so it can do "its thing",
    but my own user-account is never mapped. 
    CDA was able to map certain users to an IP address, even though the anti-virus user is actually logged on to the PC before them.
    Has anyone deployed Identity Based Firewalling and experienced something which resembles this scenario and were you able to do any workarounds?
    I looked into filtering out the logon events (for the Sophos user-account) from the Windows Security logs,
    so the CDA will not be able to map these, but it seems a bit far fetched, and would probably violate a security policy or two :)
    Cheers, Søren Elleby Sørensen


  • IronPort WSA S170 and Context directory agent

    Hello people and experts,
    I need your consultation regarding IronPort and CDA deployment.
    I couldn't find any information in internet...
    So my question is - if IronPort is AD domain member and Explicit forward proxy is planned to be used. Do I need CDA to be deployed? What will happen if I don't want to deploy CDA in my environment?
    As I understood CDA is useful when IronPort works as Transparent Proxy or if IronPort is not a member of the same domain as users.
    Please advise.

    The CDA eliminates the need for NTLM authentication.  Once a user logs onto their computer in the morning and authenticates to the domain, the CDA will have received a successful audit event/log that informs it that user X is signed on to IP address X.  When the WSA needs to find out who is on this IP address, instead of using NTLM to challenge the client machine, it will ask the CDA who signed on this particular IP address.  Once it gets the user name, the WSA will proceed as usual and query the AD to determine the group membership of that particular user.
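
The IP-to-user lookup described in the reply above, together with the service-account problem raised in the anti-virus thread earlier on this page, as an added Python illustration (not Cisco's code and not part of any post). The events, the account names `svc-av`, `jdoe`, `asmith`, `nightshift`, the 8-hour TTL and all function names are constructed assumptions; filtering happens when the mapping is built, so the Security log itself stays complete.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample events (not real log data): successful authentications
# as a domain controller might record them, reduced to the fields used here.
EVENTS = [
    {"time": "2014-06-30T23:00:00", "user": "nightshift", "ip": "10.1.0.99"},
    {"time": "2014-07-01T08:00:05", "user": "PC-042$", "ip": "::ffff:10.1.0.42"},
    {"time": "2014-07-01T08:01:10", "user": "jdoe", "ip": "::ffff:10.1.0.42"},
    {"time": "2014-07-01T08:02:00", "user": "asmith", "ip": "2001:db8::17"},
    # Hypothetical anti-virus service account authenticating after the user.
    {"time": "2014-07-01T08:03:30", "user": "svc-av", "ip": "::ffff:10.1.0.42"},
]


def normalize_ip(raw):
    """Return a canonical address; IPv4-mapped IPv6 collapses to plain IPv4."""
    addr = ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped else str(addr)


def build_mapping(events, excluded_users=(), now=None, ttl=timedelta(hours=8)):
    """Build {ip: (user, time)} where the most recent eligible logon wins.

    Machine accounts (trailing '$') and any account in excluded_users are
    skipped, so they can never overwrite the interactive user's entry.
    Events older than ttl relative to now are treated as expired.
    """
    excluded = {u.lower() for u in excluded_users}
    mapping = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"].lower()
        if user.endswith("$") or user in excluded:
            continue
        when = datetime.fromisoformat(ev["time"])
        if now is not None and now - when > ttl:
            continue
        mapping[normalize_ip(ev["ip"])] = (user, when)
    return mapping


def who_is(mapping, ip):
    """Answer the question a proxy or firewall asks: who is on this IP?"""
    entry = mapping.get(normalize_ip(ip))
    return entry[0] if entry else None


if __name__ == "__main__":
    now = datetime(2014, 7, 1, 8, 30)
    naive = build_mapping(EVENTS, now=now)
    filtered = build_mapping(EVENTS, excluded_users=["svc-av"], now=now)
    for label, m in (("no exclusions", naive), ("svc-av excluded", filtered)):
        print(label, {ip: user for ip, (user, _) in m.items()})
```

Any policy keyed on the mapped user inherits whatever account authenticated last from that address, which is why the exclusion list and the expiry both matter for identity-based rules.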

  • One Microsoft Server 2003 R2 (small business server) doesn't connect to Context Directory Agent

    I have 2 DC's and I'm trying to get the cda to connect to both dc's.  Both are 2003 R2 but the one I'm having trouble with is Small Business Server.  I've double checked security settings and firewalls, but I'm still receiving the error on one server only. 
    All help is appreciated.
    The error I'm getting is:
    Log attributes
    wmi-property
    exception-stack
    org.jinterop.dcom.core.JIComServer.init(JIComServer.java:576)
    org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:481)
    org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:445)
    com.cisco.cda.rt.adobserver.adobserver.jinteropUtil.getWmiLocator(jinteropUtil.java:42)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.QueryWMIProperty(EventsThread.java:81)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.getNetBIOS(EventsThread.java:169)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.extractDCData(EventsThread.java:201)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.run(EventsThread.java:605)
    dc-hostname
    email.houstonarmature.local/192.168.1.1
    dc-name
    Email
    exception-cause
    java.io.IOException: Socket Closed
    wmi-class
    Win32_NTDomain
    exception-message
    An internal error occurred. [0x8001FFFF]
    wmi-property
    DomainName
    dc-username
    hawadmin

    Hi Toby,
    Just an addition. Did you use an administrator account to logon the RWA and then connect to the remote computer?
    Did encounter the same issue?
    Meanwhile, please refer to following threads and check if can help you.
    RD Gateway - Unable to connect via IP (Netbios, FQDN work fine)
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Context Directory Agent VM Requirements

    The CDA installation guide has a few undocumented issues around the VMware requirements. I have run into issues that are documented on the forums such as the SCSI controller and the NIC settings.
    Here is a thread on the LSI controller that must be selected for the CDA installation to run -
    https://supportforums.cisco.com/thread/2235247
    Also the nic adapter is not detected if I choose to use anything other than flexible. Is this a bug in CDA?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*       

    Ken,
    Thanks for your help. My customer has other NICs that they build their virtual machines with and it was a little challenging in understanding if the flexible adapter must be selected since the documentation only covers the OS used for the install.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Essential event viewer bugs with "Forwarded Events" log in Windows Server 2008 R2 and Windows 7

    To my general experience, Windows event viewer is one of the most problematic, faulty management tools in the case of extensive use of its more sophisticated capabilities. The sole description as well as reproduction of some entangled failures would require remarkable effort.
    With the "Forwarded Events" log however, the situation becomes particularly worse in that even simple functionality fails and workarounds are difficult to find. That’s what I’ll describe here in order to share my experience with interested users.
    For precision: I’ve extensively used event viewer on a German Windows Server 2008 R2 SP1 (Windows SBS 2011 Standard SP1). The bugs I found on that system, I could reproduce on a German Windows 7 Professional 64-Bit SP1, too.
    Problem 1: Failure of even simple event filtering
    To reproduce this problem, execute these steps on a test machine with any of the two OS mentioned above:
    (i) To prepare log contents, do either of the following:
    (a) populate some events to your local "Forwarded Events" log (most simply by subscribing events from other logs of the same machine; stop subscription if you have collected some events)
    Or
    (b) copy a non-empty log file "ForwardedEvents.evtx" from another machine (with any of the two OS mentioned above) to your test machine and open the file in event viewer.
    (ii) Navigate to your "Forwarded Events" test log and open the filtering dialog. In the "Includes/Excludes Event IDs" field, type: 1-9000. Click OK.
    (iii) Look at the results pane: Surprise, 0 Events! Do you really have no event IDs between 1 and 9000 in your test log?
    (iv) Another example, if you have forwarded security events in your test log: Clear filter, if any previous filter is in place. Open the filtering dialog. In "Keywords" sub-dialog, choose "Audit Success". Click OK.
    (v) Look at the results pane: Surprise, 0 Events! Do you really have no successful security monitoring events in your test log?
    I’ll finish here. If you have a rich variety of events in your test log available, let your imagination run wild to test around. Finally include some simple manually created or modified XPath filters on the XML tab of the filtering dialog. I promise, you’ll find a lot of additional strange results.
    Problem 2: Cannot save manually selected events to .evtx file
    Navigate to your "Forwarded Events" test log. In the results pane, select one or more events by highlighting them by mouse clicks. In context menu, choose "Save selected events". In the "save as" dialog, choose file type *.evtx and save your file. Open the newly created file in event viewer. Result: Surprise, no events inside the new file!
    Have more fun with forwarded events
    Helmut

    Did you mean that right click Forwarded Event and select "Filter Current Log..."? Since I can filter correct event via the "Filter Current Log..." in my Lab environment.
    Hi Justin,
    yes, I mean "Filter Current Log ... " (in my German systems: "Aktuelles Protokoll filtern ... ").
    What do you mean with "my Lab environment" exactly?
    In the meantime, I performed additional tests. I copied the "ForwardedEvents.evtx" test file from Server 2008 R2 resp. Windows 7 to
    (i) German Windows 8 Pro 64-Bit RTM
    (ii) German Windows 8.1 Pro 64-Bit, up-to-date
    in order to view and filter the file there.
    Results: Same event viewer problem on Windows 8 RTM, but correct behavior on Windows 8.1!
    Best regards, Helmut

  • I wonder to know what is the enterprise solution for windows and application event log management and analyzer

    Hi
    I wonder to know what is the enterprise solution for windows and application event log management and analyzer.
    I have recently researched and found two applications that seem to be professional: 1) ManageEngine EventLog Analyzer, 2) SolarWinds LEM (SolarWinds Log & Event Manager).
    I want to know the point of view of Microsoft experts and would like them to give me their experience and solutions.
    thanks in advance.

    Consider MS System Center 2012.
    Rgds

  • Directory Caching issue with Cisco Jabber client for Windows

    Hi ,
    I am facing cache issue with Cisco Jabber client for Windows. If I do any change related to modification or deletion of contacts in Active Directory/ Callmanager, it does not reflect in the Jabber. Because jabber takes the contacts from the locally stored cache file in the Windows system.
    Every time I have to remove the cache file to overcome this issue, practically it's not possible to do the same with all the Windows users. As, if any employee leaves the company and still I can see his contact appears in the "Cisco Jabber client". I have not seen this issue with Android/Apple iOS.
    Is there any automated way to remove the cache file? 
    Here is the detail of CUCM,Presence and Jabber.
    CUCM version: 9.1.x
    Presence          : 9.1.X
    Jabber              : 10.5 and 10.6

    Hello
    On our environment we had to install a dedicated Microsoft Certificate Authority "just for Cisco Jabber usage" to house the
    Network Device Enrollment Service.
    Our certificate for the CUPS were generated on this Certification Authority too.
    I discussed this certificate matter with my colleagues this afternoon and nobody seems to remember how these certificates were deployed into the
    Enterprise Trust store for the users.
    But I think they asked all 400 users to accept the 3 certificates by answering "yes" to the popup instead of using a script deployed by GPO...
    I wish you success with that deployment and really hope you have a technical partner that *Knows* this subject.
    Our partner left us alone with that unfortunately.
    Florent
    EDIT: If the "Certutil script method" works, please let me know. This could be useful in our own deployment.
