Collector Agent and problem getting login-info
Hi.
I've been struggling hard for a couple of days getting the Collector Agent (CA) to work in our environment. We're new to FortiGate and will be using this firewall for internal users to access the Internet.
We want to be able to see which user has accessed what pages, so we need to integrate with our AD environment.
I have the CA installed on a Domain Member Server (not the DCs) and set up to poll the "Security Event Logs" for logons.
In the CA, if I look at "Show Monitored DC's" I see our 4 DCs and I can see that the "Logon Events" are increasing, so some information is coming to the CA.
When I look at "Show Logon Users" it is empty. No users are shown.
I can see that the FortiGate is connected to the CA as well, so that communication is up.
We've created a service-account that is a member of Domain Users, Event Log Reader, and local admin for the server where CA is installed and that is used for starting the service.
This should be sufficient according to https://kb.fortinet.com/k....do?externalId=FD36039
Since this is a new install and we haven't used Fortinet or CA before, we're a bit unsure how it should look when it's working.
Should we be able to see all the logged-on users in the AD in "Show Logon Users"?
Do I need to do anything in the FortiGate to get the user info from CA? We have a Web-filter policy applied with all categories set up to Monitor.
I've tried to look at the debug-logs in CA but can't find any real clues.
The domain is fairly large (more than 10k employees, not sure how many users/groups in the AD) and I've also done some tests to set up a Group-Filter in CA to limit to only one OU, but that made no difference.
Would really appreciate some help.