vkulik
Staff
February 18, 2010

Technical Tip: How to enable logging on FSSO/FSAE DC Agent

Description

 

This article describes the process of enabling logging on the Fortinet Single Sign-On (FSSO, also previously known as Fortinet Server Authentication Extension or FSAE) Domain Controller Agent (DC Agent). This can be useful for troubleshooting in environments with multiple Active Directory Domain Controllers (DCs) where it can be difficult to identify which DC was used to process a particular user logon event.

 

Scope

 

DC Agent mode FSSO/FSAE, Windows Active Directory Domain Controllers

 

Solution

 

Use the following process to enable logging on the FSSO DC Agents:

 

1. Open the Windows Registry Editor (aka regedit) either on the local Windows Domain Controller or over the network, then navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\dcagent.

 


 

2. Modify the log_file parameter to set the directory and the filename where the log file should be stored.

Default log location: C:\Program Files\Fortinet\FSAE\

Default log filename: dcagentlog.txt

 

3. Modify the enable_log DWORD and change it from 0 (default/disabled) to 1 (enabled).


Once the enable_log parameter has been configured, the DC Agent creates the log file at the location specified by log_file and starts recording the logon events processed by this particular domain controller. The maximum file size is 10MB; when the limit is reached, the DC Agent starts overwriting old entries.

 
To disable DC Agent logging, set the enable_log parameter back to 0. There is no need to reboot the domain controller or restart the DC Agent service after the registry has been modified, as changes are applied automatically.

Note: 
To see which domain controller processed the latest logon for a given workstation, run the following command on the Windows client workstation:
 
echo %logonserver%
 
Examining the DC Agent log output

The DC Agent log shows the following information:
 
1. Type of event (Logon).
2. Domain and username of the logged-on user (CONTOSO\jdoe).
3. Name of the workstation being logged into (John-PC).
4. The resolved station's IP address (workstation IP: 192.168.1.121).


The following is an example of output that can be found in the DC Agent log file:

 

Msv1_0SubAuthenticationFilter is called

12/13/2024 16:24:50.689: processing Logon (level=1, logonid=0-0) CONTOSO\jdoe (John Doe) from John-PC

Domain:CONTOSO DNS suffix added:contoso.com.

process_logonevent 940, queue size:0

12/13/2024 16:24:50.705: finish processing.

ProcessLogonRequest_thread 496, queue size:1, pRec:0000026A794D62C0

ProcessRequest 621 Enter

workstation IP:192.168.1.121

ProcessRequest 821 Leave

[...]

Msv1_0SubAuthenticationFilter is called

12/13/2024 16:36:18.979: processing Logon (level=1, logonid=0-0) CONTOSO\jdoe (John Doe) from John-Laptop

Domain:CONSTOSO DNS suffix added:contoso.com.

process_logonevent 940, queue size:0

12/13/2024 16:36:18.979: finish processing.

ProcessLogonRequest_thread 496, queue size:1, pRec:0000026A79620A40

ProcessRequest 621 Enter

workstation IP:172.16.1.100

[...]
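
The following parser is an added example, not Fortinet code: it pairs each "processing Logon" line in a DC Agent log with the "workstation IP" line that follows, so the events handled by one DC can be listed or searched. It assumes the line shapes shown in the sample above, a month/day/year timestamp, and that IP lines appear in the same order as the logon lines; the function names are hypothetical.

```python
import re
from collections import deque
from datetime import datetime

# Line shapes follow the sample output in this article; other builds may differ.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}): processing (?P<event>\w+) "
    r"\(level=\d+, logonid=[^)]*\) (?P<domain>[^\\\s]+)\\(?P<user>\S+)"
    r"(?: \((?P<display>[^)]*)\))? from (?P<host>\S+)$"
)
IP_RE = re.compile(r"^workstation IP:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

# jdoe events come from the article's sample; the asmith event (no IP) is constructed.
SAMPLE = r"""
Msv1_0SubAuthenticationFilter is called
12/13/2024 16:24:50.689: processing Logon (level=1, logonid=0-0) CONTOSO\jdoe (John Doe) from John-PC
Domain:CONTOSO DNS suffix added:contoso.com.
12/13/2024 16:24:50.705: finish processing.
ProcessRequest 621 Enter
workstation IP:192.168.1.121
12/13/2024 16:36:18.979: processing Logon (level=1, logonid=0-0) CONTOSO\jdoe (John Doe) from John-Laptop
workstation IP:172.16.1.100
12/13/2024 16:40:02.115: processing Logon (level=1, logonid=0-0) CONTOSO\asmith (Alice Smith) from Lab-PC
"""


def parse_dcagent_log(lines):
    """Return one dict per logon line, with its workstation IP or None."""
    events, pending = [], deque()
    for line in map(str.strip, lines):
        m = LOGON_RE.match(line)
        if m:
            rec = {**m.groupdict(), "ip": None}
            rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S.%f")
            events.append(rec)
            pending.append(rec)  # assumption: IP lines arrive in logon order
        elif (m := IP_RE.match(line)) and pending:
            pending.popleft()["ip"] = m["ip"]
    return events


def unresolved(events):
    """Logons for which the log shows no workstation IP."""
    return [e for e in events if e["ip"] is None]


if __name__ == "__main__":
    for e in parse_dcagent_log(SAMPLE.splitlines()):
        print(e["ts"], f'{e["domain"]}\\{e["user"]}', e["host"], e["ip"] or "unresolved")
```

Because the log is capped at 10MB and overwrites old entries, copy it off the domain controller before parsing if older events matter.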