FSSO Collector Agent - Missing Logins

Question

Hello,I find out a not so happy behaviour on the FSSO Controller Agent that makes some troubleshooting harder.For example: a user logs in at time 10:14 and is working on his workstation. When I check the FSSO Logon Users at 10:27 I can see that the user is logged in with status OK. If I check the status one minute later the user is not in the list. But the user is still on the FortiGate. A few seconds later the user is in the list again with the logon time 10:14 as at the begining. After some time the user is missing until the next logon.Is this a correct behaviour? I checked it in the lab with 3 users with the same results.Also when the user disappears from the primary FSSO Collector Agent it is still in the list on the secondary Collector Agent. Some time later the same user is missing on the second Collecotr Agent also. On the FSSO logs I can see logs like:check_ip_wmi: ConnectServer() failed, server:\192.168.221.100\ROOT\CIMV2 error code:0x800706bawksta_check: workstation has no valid IP address: CL01W10.LAB.DOMAIN.COMCL01W10.LAB.DOMAIN.COM:TOMH[0.0.0.0:0.0.0.0] removed. Why the worksation check failed? DNS registration, port 445 and Remote Registry is enabled - otherwise the status after a short time would be Not Verified. The log 2 minutes before shows:wksta_check: workstation has no valid IP address: CL01W10.LAB.DOMAIN.COMDNS_lookup: workstation:CL01W10.LAB.DOMAIN.COM ip changed from 0.0.0.0:0.0.0.0 to 192.168.221.100:0.0.0.0 I do not understand what is happening.Another question: Would the user log entry be removed when the user leaves the workstation and locks his screen? Collector Agent and DC Agent version is: 5.0.0254

xsilver_FTNT · Answer

Hi AtiT, User missing from the list.- I guess that list mean 'Show logon Users' on Collector- turn log to debug level and Collector will  tell you why is the user gone 'user disappears from the primary FSSO Collector Agent it is still in the list on the secondary Collector'- this is actually normal situation, as there is no sync (or any sort of clustering) between collectors- every single collector makes his own idea about logged on users and due to processing delays and timers it might happen that list and total amounts of logged on users slightly differs between the collectors even when they handle the very same DCs/Domain. 'check_ip_wmi: ConnectServer() failed, server:\192.168.221.100'- that Collector does uses WMI MSFT API to check stuff and mentioned server cannot be questioned via WMI- why? could be misconfigured WMI (or even missing WMI support but it should be supported since Win2000), also it could be that user under which Collector runs has not enough access rights to contact WMI.- it might also appear that 192.168.221.100 is not a Windows machine, but some MacOS with domain conenctor, which generates 4624 logon event ID in DC and FSSO will process it (WinSec/WinSecWMI polling), and MacOS most probably wont respond on WMI.- That's why general recommendation is to INSTALL and RUN  Collector under Domain Admins group member account 'wksta_check: workstation has no valid IP address'- that's workstation check done through Remote Registry Service (not WMI as in previous log)- so it looks like your system is capable to do Remote Registry but not WMI- check WMI and OS versions or disable WMI on Collector ..-- if polling then use WinSec instead of WinSecWMI-- in Advanced Settings / General / Workstation Check / uncheck option 'Use WMI to check user logoff' kind regards,tomas

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded