This article discusses Windows event IDs used by FSSO in WinSec polling mode.
* Some event IDs are not supported on their own; they require another event to correlate the login information.
** By default, the Collector Agent uses a subset of events. Which event IDs are monitored is configurable with 'Windows Security Event ID to poll' under Advanced settings:
2. FortiGate (FGT) has an integrated poller as well. Its local polling mode also uses the Windows Security Event logs; however, the currently supported event subset is smaller.
If the FortiGate poller debug log shows 'no domain from <IP>', then 'default-domain' should be set in the 'config user fsso-polling' configuration to avoid this failure.
3. FortiAuthenticator supports the following event IDs:
* Support for these events is enabled under the Fortinet Single Sign-On (FSSO) section -> SSO -> General -> Enable Windows event log polling (e.g. domain controllers/Exchange servers) [Configure Events].
Note that if there is no Event in the Windows Security Event log, FSSO cannot pick the users/machines up either.
If the event IDs are not being generated, an auditing group policy is likely preventing it.
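One way to check both conditions on the polled server, as an added PowerShell example that is not part of the original article: it reports whether each event ID is present in the Security log and, if any is missing, prints the effective audit policy. The parameter names are assumptions, and the event IDs to pass are the ones your poller is configured to read.

```powershell
# Added example. Run in an elevated PowerShell session on the server being polled.
# $EventIds is an assumption: supply the IDs configured in your poller.
param(
    [Parameter(Mandatory)][int[]]$EventIds,
    [int]$Hours = 24    # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Look for the newest matching event per ID. Get-WinEvent raises an error
#    when nothing matches, so that case is treated as "not present".
$report = foreach ($id in $EventIds) {
    $newest = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $id
        StartTime = $since
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        EventId = $id
        Present = [bool]$newest
        Newest  = if ($newest) { $newest.TimeCreated } else { $null }
    }
}
$report | Format-Table -AutoSize

# 2. If any ID produced no events, show the effective audit policy so the
#    subcategories set to "No Auditing" can be compared with the GPO.
if ($report | Where-Object { -not $_.Present }) {
    Write-Warning "Some event IDs were not logged in the last $Hours hour(s); effective audit policy follows."
    auditpol /get /category:*
}
```

An ID can also be absent simply because no matching logon occurred in the window, so widen `-Hours` before concluding that auditing is disabled.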