gauravpawar
Explorer III
March 17, 2026
Question

Issue Fetching .sqlaudit Logs Using Windows Agent User Log Template

  • 2 replies
  • 135 views

The customer stores .sqlaudit logs on the C:\ drive of a Windows machine where the Windows Agent is installed. Multiple log files are continuously updated, and once a file reaches its size threshold, a new .sqlaudit file is created.

The customer wants to collect logs from all generated files, including their contents. They attempted to use Windows Agent Template → User Log, but the logs are not being fetched.

Could someone please assist with this issue?

@Anthony_E @Secusaurus could you please help here?

2 replies

Anthony_E
Staff
March 17, 2026

Hi Gaurav,

I am no longer working for the Community Team and I am not a FortiSIEM expert.

Unfortunately, tagging me will not help you.

Secusaurus will be more efficient on his own :P!

Thank you and good luck!

Regards,

Best Regards
iLuca90
Explorer
March 25, 2026

Hi, what worked for me was setting up a wildcard path to include all .sqlaudit files and enabling the “Read from start of file” option to catch new entries. After that, the agent was able to collect logs from all generated files consistently.