Skip to main content
KarlH
KarlH
Explorer II
April 28, 2025
Question

Need SIEM 7.1.3 (Rule) method to detect when a Windows Log Agent stops reporting for more then 6 hrs

  • April 28, 2025
  • 1 reply
  • 794 views

Hello,

 
.Not sure how to set up the rule itself, is it even possible?  Our clients are not always aware when the agents stop reporting and then we wind having to tell them its been disconnected for 2 weeks we have 100+  agents between all our clients we cant possibly watch all of them so we need an alert.
how can I query to get a agent health log so I have the right event type and data source.
 
Thanks!
 
thanks, Karl

1 reply

Stephen_G
Moderator
Stephen_G
Moderator
May 2, 2025

Hello,

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

If anyone viewing this topic has any knowledge on this, I encourage you to reply.

 

Thanks,

Stephen_G - Fortinet Community Team
KarlH
KarlHAuthor
Explorer II
May 2, 2025

ok what about this consideration ?

 

The agents are old.

 

WindowLogAgents 4.1 or possibly some other 4.x

 

Please confirm if this needs to be dealt with first is this an impedance?

 

1)  do I upgrade first  to 7.1.11 to maintain version alignment with SIEM 7.1.3 I feel that may be an imperative.

 

2) are there ANY Configuration settings on the Endpoint log agent config files that could be impeding this?

 

3) on the collector?

 

do we make all our client upgrade to 7.1.11 is this imperative?

 

Protocol Mismatch

  • FortiSIEM 7.x uses updated agent communication protocols, event formats, and TLS handling that older agents (4.x) don’t support properly.

  1. Security Gaps

    • 4.1.5 is from ~2018, meaning:

      • Outdated TLS support

      • No modern cert pinning

      • Potential agent spoofing

      • Lacks bug fixes for event collection reliability

  2. Event Format Changes

    • FortiSIEM changed how it parses and packages Windows Event Logs starting in 6.x

    • Agents on 4.x may fail to send:

      • Security logs (Event ID 4625, 4672, 4768, etc.)

      • Task Scheduler/Service/Registry logs

      • Custom parser fields

  3. Agent Stability

    • Old agents often silently die, hang, or fail to reconnect after reboot

    • FortiSIEM doesn’t always report this well unless heartbeat monitoring is configured

Terms & ConditionsAccessibility statement