gwaihir
Explorer II
December 3, 2023
Solved

FortiSIEM Windows Agent not sending logs to Collector or Super (only PH_ logs are received, via SNMP)

  • December 3, 2023
  • 3 replies
  • 12712 views

Hi guys

I'm experiencing this kind of issue with the FortiSIEM agent on a Windows Server 2022: the agent is not able to send logs related to Sysmon or any other kind of logs, even with different Windows agent template associations.

When SNMP is configured to send info, the Supervisor is able to show this on the performance and analytics real-time dashboards, but when the filter is like "Event Type NOT CONTAIN PH", I can't see any logs; the events, system events, etc. are supposed to be there...

The CMDB shows the server with agent status "Running active" and the method "snmp, agent, ping", so there's no connectivity problem here.

 

How can I get some tips to solve this?

Thank you!

Best answer by gwaihir

I updated the agent to version 7.1.1 and it solved everything.

Thank you!

3 replies

adem_netsys
Explorer III
December 5, 2023

Hi,

You created a Windows Agent template and added the relevant host into that template, right?

gwaihir (Author)
Explorer II
December 5, 2023

Hi @adem_netsys, thank you for your reply. Yes, I linked the host as the GUI suggests for this step and then applied the settings at the end.

When no template is associated with the host, the CMDB agent status is "Registered". In this case, the state shows "Running active".

adem_netsys
Explorer III
December 5, 2023

Can you see the policy name in the CMDB? And if you are using a tenant structure, you may need to search in the tenant you are on.

Richie_C
Staff
December 6, 2023

Hi

Maybe a couple of things to check.

  • Are you running the SNMP discovery from the collector or from the super?
  • If you do a tcpdump from the CLI of the collector, can you see anything coming in from the server?
  • Is the correct auditing configured on the server?

https://docs.fortinet.com/document/fortisiem/7.0.2/windows-agent-5-x-x-installation-guide/547950/fortisiem-windows-agent-5-x-x#Configuring_Auditing_Policies

I hope that helps!
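One way to work through the checks above from the Windows side, as an added PowerShell example written for this page (it is not code from the thread, from Fortinet, or from any of the posters): it prints the audit-policy setting for the subcategories the Security log depends on, confirms each source channel actually holds events, shows the agent service as the OS sees it, and tests TCP 443 towards the collector. The service display-name match, the Sysmon channel name, the English-only auditpol parsing and the collector hostname are assumptions and placeholders, not values taken from the page.

```powershell
# Added diagnostic checklist for a FortiSIEM Windows Agent host (example
# written for this page, not code from the thread or from Fortinet).
# Run from an elevated PowerShell prompt on the monitored server.
#
# Assumptions (not stated on the page):
#   - the agent's Windows service display name contains "FortiSIEM";
#   - Sysmon writes to its default channel "Microsoft-Windows-Sysmon/Operational";
#   - $CollectorHost is a placeholder for the collector's name or IP;
#   - auditpol output is in English (subcategory names are localized).

$CollectorHost = 'collector.example.internal'   # placeholder, replace

# 1. Audit policy. Windows only writes Security-log events for subcategories
#    that are enabled; a template expecting logon or process events collects
#    nothing from a host where these read "No Auditing".
$subcategories = @(
    'Logon', 'Logoff', 'Process Creation',
    'User Account Management', 'Security Group Management', 'Audit Policy Change'
)
Write-Host "== Audit policy (auditpol) =="
foreach ($sub in $subcategories) {
    $text = (auditpol /get /subcategory:"$sub" 2>&1) -join "`n"
    # The relevant line looks like: "  Logon      Success and Failure"
    if ($text -match "(?m)^\s+$([regex]::Escape($sub))\s{2,}(\S.*?)\s*$") {
        $setting = $Matches[1]
    } else {
        $setting = 'could not parse auditpol output'
    }
    "{0,-30} {1}" -f $sub, $setting
}

# 2. Are the source channels actually receiving events? If Sysmon is not
#    installed or its channel is empty, the agent has nothing to forward.
Write-Host "`n== Last event per channel =="
foreach ($ch in @('Security', 'System', 'Microsoft-Windows-Sysmon/Operational')) {
    try {
        $last = Get-WinEvent -LogName $ch -MaxEvents 1 -ErrorAction Stop
        "{0,-45} last event {1}" -f $ch, $last.TimeCreated
    } catch {
        "{0,-45} EMPTY or channel missing: {1}" -f $ch, $_.Exception.Message
    }
}

# 3. Agent service state. "Running" here is the OS view; the CMDB status
#    ("Registered" vs "Running active") is what the Supervisor believes.
Write-Host "`n== FortiSIEM agent service =="
$svc = Get-Service | Where-Object { $_.DisplayName -like '*FortiSIEM*' }
if ($svc) {
    $svc | Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize
} else {
    Write-Host 'No service with "FortiSIEM" in its display name was found.'
}

# 4. Can this host reach the collector on HTTPS (443), the direction the agent
#    uses to upload events? SNMP traffic seen on the collector only proves the
#    opposite direction works.
Write-Host "`n== TCP 443 to $CollectorHost =="
$tnc = Test-NetConnection -ComputerName $CollectorHost -Port 443 -WarningAction SilentlyContinue
"{0}:443 reachable from {1}: {2}" -f $CollectorHost, $env:COMPUTERNAME, $tnc.TcpTestSucceeded
```

Read the four sections together: a healthy agent host shows "Success and Failure" (or at least "Success") for the subcategories the template needs, a recent timestamp on every channel the template collects, a running agent service, and `True` for the TCP test. An audit setting of "No Auditing" or an empty Sysmon channel explains missing events on the Supervisor even when the CMDB reports the agent as running.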

gwaihir (Author)
Explorer II
December 6, 2023

Hello @Richie_C

1. From the super, I guess, because the credentials were added there and the SNMP discovery was done from the super. (The server is allowed to send traps to the collector & super.)

2. tcpdump from the collector shows SNMP notifications from the Windows server; from the super, tcpdump shows other kinds of traffic (HTTPS related).

3. I followed this topic about Sysmon: https://community.fortinet.com/t5/FortiSIEM/Technical-Tip-Configure-Sysmon-with-Windows-Agent/ta-p/192285

You say this: Is the correct auditing configured on the server?

Eventviewer.msc shows plenty of logs from Security, System, DNS, ... The agent template relates to these events and was applied to the host. What am I missing in this step?

Thank you!


Richie_C
Staff
December 7, 2023

Hi 

Could you share a screenshot of the agent template? This will help me to understand the events you are trying to collect.

Thanks

Richard

dmontgomery
Explorer
December 13, 2023

In your credential settings, what protocol are you using, WMI or OMI? I had to change mine to OMI.

gwaihir (Author)
Explorer II
December 14, 2023

SNMP v3 for pam monitoring. For logs I'm trying to use the agent.