FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
bmeta
Staff & Editor
Article Id 189910

Description

 

This article discusses Windows event IDs used by FSSO in WinSec polling mode.

The polled logs are visible in Event Viewer (run 'eventvwr.msc' on the domain controller) under 'Windows Logs' -> 'Security'.

 

Scope

 

FortiAuthenticator, FortiGate, FortiProxy.

 

Solution

 

Note: If no events are written to the Windows Security Event log, an FSSO implementation like the one described here, which depends on those events, will not work properly.

 

This affects:

  • WinSec polling from standalone Collector Agent or FortiAuthenticator.
  • WMI polling, whether from the standalone Collector Agent, from FortiGate, or from FortiAuthenticator.

 

Without a user logon audit, there are no records to pick up from the Windows Security Event Log or via WMI.
If the expected event IDs are not generated, an audit policy (typically applied through Group Policy) is most likely not enabling logon auditing on the domain controller.

A missing logon audit in Active Directory has no effect on an FSSO setup running in 'DC Agent mode', where the DC Agents report to either the standalone Collector Agent or to FortiAuthenticator (FortiGate cannot receive data from DC Agents).
This is because the DC Agent hooks into the internal LSASS (Local Security Authority Subsystem Service) processing on the domain controller and collects the logon information before any Event ID is written at the end of LSASS processing. As a result, none of the Event IDs described below apply to that mode.

 

Standalone Collector Agent in Windows Security Event Log polling mode.

 

This section relates to a standalone Collector Agent, which is typically installed on a server-class domain member, but quite often directly on a Domain Controller.
In this example, 'Select Domains To Monitor' / 'Select DC to Monitor' / 'Select Domain Controllers for Monitoring User Logon Event' is set to 'Polling Mode' with one of the two 'Check Windows Security Event Log' options (as shown below):

 

Screenshot 2025-06-23 170339.png


This Collector Agent supports the following Windows Event IDs (by Windows version):

  • Windows 2003 Event IDs: 672, 673*, 680, 528, 540 **.
  • Windows 2008/2012/2016/2019/2022 Event IDs: 4768, 4769*, 4776, 4624, 4770 **.

 

* Some Event IDs are not usable on their own; they require another event to correlate the logon information.
For example:

  • Event 4769 requires 4768.
  • Event 673 requires 672.

 

** By default, the Collector Agent uses a subset of these events.
While it is possible to list individual Event IDs in the standalone Collector Agent, it is often more convenient to use one of the predefined sets described below.
Configure which event IDs are monitored with 'Windows Security Event ID to poll' under Advanced settings.

 

Predefined sets and their content:

  • 0 - polls: 672, 680, 4768, 4776
  • 1 - polls: 672, 673, 680, 4768, 4769, 4776
  • 2 - polls: 672, 673, 680, 4768, 4769, 4776, 4624 (Event ID 4624 was added to the default polling in Windows Server 2016 for better support of macOS clients and newer Windows Server platforms, which makes this set the most complete one for today's Windows Server versions).

To define a custom list of Windows Event IDs, use this format:

  • <EventID1;EventID2;...;EventIDn> - polls information from the listed Event ID or IDs only.
    e.g. 4768;4769;4624. This format is a good choice for limiting polling to the event IDs actually needed in a specific environment. No single list can be recommended in general, because the right subset depends on the environment monitored by FSSO.
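As an added example (not Fortinet's code), the following Python helper resolves a 'Windows Security Event ID to poll' value, either a predefined set 0/1/2 or a custom 'ID;ID;...' list, into event IDs, then flags IDs that the chosen poller does not support or that lack their correlation partner (4769 needs 4768, 673 needs 672), and reports which polled IDs never appear in a sample of Security log records. The Event ID tables are transcribed from this article; the poller names and function names are assumptions of this example.

```python
# Added example, not Fortinet code: resolve and sanity-check an FSSO
# 'Windows Security Event ID to poll' value. Tables are transcribed from the article.

# Predefined sets 0/1/2 of the standalone Collector Agent.
PREDEFINED_SETS = {
    0: [672, 680, 4768, 4776],
    1: [672, 673, 680, 4768, 4769, 4776],
    2: [672, 673, 680, 4768, 4769, 4776, 4624],
}
# Events that carry no usable logon on their own and need a partner event.
REQUIRES = {4769: 4768, 673: 672}
# Event IDs each poller can consume (poller names are this example's own).
SUPPORTED = {
    "collector_agent": {672, 673, 680, 528, 540, 4768, 4769, 4776, 4624, 4770},
    "fortigate": {672, 673, 4768, 4769, 4776},
    "fortiauthenticator": {672, 673, 674, 680, 528, 540, 4768, 4769, 4624, 4770, 4776, 4625},
}

def resolve_poll_setting(setting):
    """Event IDs for '0'/'1'/'2' or a custom 'ID;ID;...' string, in order, de-duplicated."""
    text = setting.strip()
    if text.isdigit() and int(text) in PREDEFINED_SETS:
        return list(PREDEFINED_SETS[int(text)])
    ids = []
    for part in (p.strip() for p in text.split(";") if p.strip()):
        if not part.isdigit():
            raise ValueError(f"not a Windows event ID: {part!r}")
        if int(part) not in ids:
            ids.append(int(part))
    if not ids:
        raise ValueError("empty poll setting")
    return ids

def check_poll_setting(setting, poller):
    """Warnings for IDs the poller does not support or whose correlation partner is missing."""
    ids = resolve_poll_setting(setting)
    warnings = []
    for eid in ids:
        if eid not in SUPPORTED[poller]:
            warnings.append(f"{eid} is not supported by {poller}")
        partner = REQUIRES.get(eid)
        if partner is not None and partner not in ids:
            warnings.append(f"{eid} requires {partner} to correlate the logon")
    return warnings

def missing_from_log(ids, log_event_ids):
    """Polled IDs never seen in a Security log sample; usually an audit policy gap."""
    seen = set(log_event_ids)
    return [eid for eid in ids if eid not in seen]
```

Feed missing_from_log() the Event IDs of a recent slice of the DC's Security log (a constructed list in the test below) to see which polled IDs the audit policy is not producing.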

 

Collector Agent.png

 

event ID setting.png

 

FortiGate as FSSO poller:

 

FortiGate has an integrated poller as well.
Its local polling mode uses only the Windows Security Event logs; however, currently the supported event subset is smaller:

  • Windows 2008/2012/2016/2019 Event IDs: 4768, 4769, 4776.
  • Windows 2003 Event IDs: 672, 673.

 

Hint: If the FortiGate poller debug log shows 'no domain from <IP>', set 'default-domain' in the 'config user fsso-polling' configuration to avoid this failure.

 

FortiAuthenticator as poller:

 

FortiAuthenticator has a built-in Collector Agent. As the most versatile collector, it supports both Windows Event Log and WMI polling.

 

FortiAuthenticator supports the following event IDs:

  • Windows 2008/2012/2016/2019/2022/2025 Event IDs: 4768, 4769*, 4624*, 4770*, 4776, 4625.
  • Windows 2003 Event IDs: 672, 673*, 674*, 680, 528*, 540*.

* Support for these events is enabled under the Fortinet Single Sign-On (FSSO) section -> SSO -> General -> Enable Windows event log polling (e.g., domain controllers/Exchange servers) [Configure Events].

FortiAuthenticator v6.6.x moved the setting to Fortinet SSO -> Settings -> Methods -> Enable Windows event log polling (e.g. domain controllers/Exchange servers) [Configure Events].


Screenshot 2025-06-23 163200.png


Note that the 'Configure Events' setup shown below is set via 'Use Default+'.

Screenshot 2025-06-23 163348.png

 
