Description
1) The FSSO Collector Agent in Windows Security Event Log polling mode supports the following Windows Event IDs:
• Windows 2008/2012/2016/2019 Event IDs: 4768, 4769*, 4776, 4624, 4770 **
• Windows 2003 Event IDs: 672, 673*, 680, 528, 540 **
* Some Event IDs are not supported alone; they require another event to correlate the login information.
For example:
• event 4769 requires 4768
• event 673 requires 672
** By default the Collector Agent polls only a subset of these events. Which event IDs are monitored is configurable with "Windows Security Event ID to poll" under Advanced settings:
• 0 - polls: 672, 680, 4768, 4776 - this is the default subset.
• 1 - polls: 672, 673, 680, 4768, 4769, 4776.
• 2 - polls: 672, 673, 680, 4768, 4769, 4776, 4624 (Event ID 4624 was added to default polling in Windows 2016 for better support of macOS and newer Windows server platforms).
• <EventID1;EventID2;...;EventIDn> - polls only the specified Event ID or IDs, e.g. 4768;4769;4624
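The poll-setting values and the correlation footnote above, modelled as an added Python example (this is not Fortinet's code; the event record fields, account names and addresses are constructed for illustration):

```python
from dataclasses import dataclass

# Presets of "Windows Security Event ID to poll" exactly as the article lists them.
POLL_PRESETS = {
    "0": {672, 680, 4768, 4776},
    "1": {672, 673, 680, 4768, 4769, 4776},
    "2": {672, 673, 680, 4768, 4769, 4776, 4624},
}
# Events with no usable logon on their own -> the event that must already have
# been seen for the same account (the article's footnote: 4769 needs 4768).
REQUIRES = {4769: 4768, 673: 672}

def parse_poll_setting(value: str) -> set[int]:
    """Preset "0"/"1"/"2", or an explicit list such as "4768;4769;4624"."""
    value = value.strip()
    if value in POLL_PRESETS:
        return set(POLL_PRESETS[value])
    return {int(part) for part in value.split(";") if part.strip()}

@dataclass(frozen=True)
class SecurityEvent:
    """Minimal stand-in for a Security log record (constructed fields)."""
    event_id: int
    account: str
    source: str  # client address, or workstation name for 4776/680

def correlate_logons(events, polled: set[int]) -> dict[str, str]:
    """Return account -> latest source, applying the polling subset and the
    prerequisite rule: 4769/673 count only after a 4768/672 for that account."""
    seen = set()  # (account, event_id) pairs already observed
    logons: dict[str, str] = {}
    for ev in events:
        if ev.event_id not in polled:
            continue  # outside the configured subset: never read
        needed = REQUIRES.get(ev.event_id)
        if needed is not None and (ev.account, needed) not in seen:
            continue  # e.g. 4769 with no prior 4768 for this account
        seen.add((ev.account, ev.event_id))
        logons[ev.account] = ev.source
    return logons

# Constructed sample: alice's full Kerberos logon, bob seen only via 4769,
# carol via NTLM validation (4776). Nothing here comes from a real log.
SAMPLE_EVENTS = [
    SecurityEvent(4768, "alice", "10.0.0.11"),
    SecurityEvent(4769, "alice", "10.0.0.11"),
    SecurityEvent(4769, "bob", "10.0.0.22"),
    SecurityEvent(4776, "carol", "WS-CAROL"),
]
```

With setting 0, alice is learned from 4768 alone and carol from 4776; bob, whose only record is a 4769, is never picked up under any setting because the prerequisite 4768 is missing.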
2) FortiGate (FGT) has an integrated poller as well. Its local polling mode also uses the Windows Security Event log; however, the supported event subset is currently smaller:
• Windows 2008/2012/2016/2019 Event IDs: 4768, 4769, 4776
• Windows 2003 Event IDs: 672, 673
Hint:
If the FGT poller debug log shows "no domain from <IP>", set "default-domain" in the 'config user fsso-polling' configuration to avoid this failure.
3) FortiAuthenticator supports the following event IDs:
• Windows 2008/2012/2016/2019 Event IDs: 4768, 4769, 4624*
• Windows 2003 Event IDs: 672, 680, 528*, 540*
* Support for these events is available by enabling "Enable polling additional events" under the Fortinet Single Sign-On (FSSO) section.
Note that if an event is not present in the Windows Security Event log, FSSO cannot pick the user/machine up either.
If the event IDs are not being generated, an auditing group policy is most likely preventing their generation.
Related Articles
Technical Tip: FSSO local poller (fssod) limitations compared to FSSO collector agent
Copyright 2023 Fortinet, Inc. All Rights Reserved.