Virtual Apps and Desktops: Logon Duration in MonitorData.Session Table shows "Null"

Virtual Apps and Desktops: Logon Duration in MonitorData.Session Table shows "Null"

book

Article ID: CTX225857

calendar_today

Updated On:

Description

  • Logon Duration in MonitorData.Session Table in Monitoring Database shows "Null" value for all sessions and hence Director does not report Average logon Duration for Sessions.

Null

Director
  • Restarting the Monitoring Service on Delivery Controllers does not fix the issue.
  • We used the below scripts to ensure that OS WMI providers have the information about the user logons and we got the correct output:
        Windows 7 and Windows 2008 R2:
        https://gallery.technet.microsoft.com/scriptcenter/Find-user-logon- duration-667b8c48
    
       Windows 10 and Windows 2012 R2: 
        https://gallery.technet.microsoft.com/scriptcenter/Analyze-Session-Logon-63e02691
 
  • We ran the below Powershell cmdlet on few VDA's to check if Citrix Profile Manager is getting the information form the Citrix Profile Manager WMI provider or not and in this case we did get the results.

           get-wmiobject -namespace root\citrix\profiles\metrics -class logontimings


         We collected CDF Traces from VDA and DDC.
  • We saw the below exception in CDF Logs from the VDA and we did not see any Logon Duration information being sent from VDA to DDC. There was nothing in CDF trace from Delivery Controller when we search for "LogonTimings"
BrokerAgent,_#dotNet#_,0,,9,CDF_NET_ERROR,"BrokerAgent:1:9:PluginManager.DeliverNotificationsToPlugins EXCEPTION in plugin: System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)

 
 

Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Resolution

SOLUTION 1
  • Verify the Security Descriptor on Application Event logs from a Lab Machine hosting the same OS which does not have CustomSD set for Application by running the below command:
          wevtutil gl application
  •  You will get an output like this:
         O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x5;;;BA)(A;; 0x7;;;SO)             (A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)
  • Then run the below command (with the Security Descriptor copied from LAB machine)to set the Security Descriptor on Application Logs to default on the effected VDA's.
          Example: 
          wevtutil sl Application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)           (A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)


SOLUTION 2
  • Delete the below registry key from VDA after taking backup to delete the CustomerSD on Application Logs

         Key: HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Application
         Value: CustomSD
  • Restart the VDA.

Problem Cause

Custom Security Descriptor was set for the Application Event logs on the VDA's.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application]
"customsd"="O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x5;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)(A;;0x1;;;S-1-5-21-905980934-1232030010-646806464-20420)"

Due to CustomSD set on that Application Event Logs, UPMPlugin loaded in BrokerAgent (that runs under Network Service account) was denied permission to read the Application events . Hence, it couldn’t get the Desktop Ready event, and so no 'upmlogon' payload was sent to Citrix Monitor Service and so logon duration was not logged.

Issue/Introduction

Logon Duration in Monitor DB's moniordata.sessions table is Null

Additional Information

 

  • There are 3 EventLogs that UPM Vdaplugin reads to calculate the LogonDuration  - Application, GroupPolicy Logs and , User Profile Service.
  • It reads Group Policy event logs to get the events for Group Policy processing, User Profile Service log for profile load timings, and application log for 'Desktop Ready' event.
  • It is the Desktop Ready event created in Application Event Logs that marks the end of the Session launch, and that is when the upmlogon payload is sent to Monitor service via Monitor vdaplugin via BrokerAgent.

           

 

  • Ensure that events are being written to Application, Microsoft-Windows-GroupPolicy\Operational and  Microsoft-Windows-User Profile\Operational event logs.
  • Ensure that the log location is accessible and events are present for the time of user logon.



Reference:

https://blogs.technet.microsoft.com/askds/2011/08/29/the-security-log-haystack-event-forwarding-and-you/
https://support.microsoft.com/en-us/help/323076/how-to-set-event-log-security-locally-or-by-using-group-policy      

Powered by Wolken Software