Description | This article describes how to filter the logon events of a username that is missing on the FSSO Collector Agent or on FortiGate. The filter retrieves the user's logon details from the Windows domain controller so that they can be compared with what the FSSO CA or FortiGate shows. |
Scope | Windows Server 2012-2022 and PowerShell CLI. |
Solution |
1) Using Windows Event Viewer: Open Event Viewer from the search bar of the Windows server. The following XML query filters events by username in Windows Event Viewer.
In the query, replace 'user1' with the affected username.
Create a custom XML query for user1:
Refresh the filter to get the latest Logon Events:
2) Using PowerShell CLI: The following PowerShell command lists the logon events (Event IDs 4624 and 4634) for a particular username ('samaccountname') and returns only the last 10 logon events. The event IDs and the maximum number of entries can be adjusted as needed.
Example:
Details of these logon events, such as TimeCreated for the affected username, can be compared with the FSSO Collector Agent under 'show Logon Users' to check whether the CA received the information.
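One way to run the step 2 query and get the fields needed for the comparison, as an added example that is not Fortinet's original command. The function name `Get-UserLogonEvent`, its parameters and the output column names are assumptions made for this illustration.

```powershell
# Added example. Run on the domain controller from an elevated PowerShell
# session (reading the Security log requires administrative or
# Event Log Readers rights).
function Get-UserLogonEvent {
    param(
        [Parameter(Mandatory)] [string] $User,   # sAMAccountName of the affected user
        [int[]] $EventId   = @(4624, 4634),      # logon / logoff, as in the article
        [int]   $MaxEvents = 10                  # most recent N events
    )

    # The username is placed inside an XPath string literal, so reject quotes.
    if ($User -match "['""]") { throw "Username must not contain quote characters." }

    # Build: *[System[(EventID=4624 or EventID=4634)] and EventData[Data[@Name='TargetUserName']='user1']]
    $idExpr = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath  = "*[System[($idExpr)] and EventData[Data[@Name='TargetUserName']='$User']]"

    try {
        $events = Get-WinEvent -LogName Security -FilterXPath $xpath `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent reports an error when nothing matches the filter.
        Write-Warning "No events returned for '$User': $($_.Exception.Message)"
        $events = @()
    }

    foreach ($e in $events) {
        # Turn the named <Data> elements of the event into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']
            Workstation = $data['WorkstationName']   # present on 4624 only
            IpAddress   = $data['IpAddress']         # present on 4624 only
            LogonId     = $data['TargetLogonId']     # pairs a 4624 with its 4634
        }
    }
}

Get-UserLogonEvent -User 'user1' | Format-Table -AutoSize
```

The TimeCreated, Workstation and IpAddress columns are the values to line up against the entry for the same user on the Collector Agent.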
Related article: Technical Tip: Windows event IDs used by FSSO in W... - Fortinet Community |