Description
This article discusses Windows event IDs used by FSSO in WinSec polling mode.
Scope
FortiAuthenticator, FortiGate, FortiProxy.
Solution
1. The FSSO Collector Agent in Windows Security Event Log polling mode supports the following Windows Event IDs:
- Windows 2008/2012/2016/2019 Event IDs: 4768, 4769*, 4776, 4624, 4770 **.
- Windows 2003 Event IDs: 672, 673*, 680, 528, 540 **.
* Some Event IDs are not supported alone; they require another event to correlate the login information. For example:
- Event 4769 requires 4768.
- Event 673 requires 672.
** By default the Collector Agent uses a subset of events. Which event IDs are monitored is configurable with 'Windows Security Event ID to poll' under Advanced settings:
- 0 - polls: 672, 680, 4768, 4776 - this is the default subset.
- 1 - polls: 672, 673, 680, 4768, 4769, 4776.
- 2 - polls: 672, 673, 680, 4768, 4769, 4776, 4624 (EventID 4624 was added to default polling in Windows 2016 for better support of MacOS and newer Windows server platforms).
- <EventID1;EventID2;...;EventIDn> - polls only the listed Event ID or IDs, e.g. 4768;4769;4624.
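The following is an added example, not Fortinet code and not taken from this article: a small model of how the 'Windows Security Event ID to poll' setting selects which event IDs are read, and why a 4769/673 event that is polled without a preceding 4768/672 for the same account cannot yield login information. The event records, the account names and the 10.0.0.x addresses are constructed; the assumption that a correlated 4769 produces its own login record is a modelling choice, not documented Collector Agent behaviour.

```python
# Added example (not Fortinet code). Models the polling subsets from the
# article and the 4769-requires-4768 / 673-requires-672 correlation rule.
from dataclasses import dataclass

# Preset values of 'Windows Security Event ID to poll' as listed in the article.
POLL_PRESETS = {
    "0": {672, 680, 4768, 4776},                     # default subset
    "1": {672, 673, 680, 4768, 4769, 4776},
    "2": {672, 673, 680, 4768, 4769, 4776, 4624},
}

# Events that only carry usable login info when an earlier TGT request
# (4768 on 2008+, 672 on 2003) for the same account was already polled.
REQUIRES_PRIOR = {4769: 4768, 673: 672}


def polled_event_ids(setting: str) -> set[int]:
    """Translate the Advanced setting value into the set of polled event IDs.

    Accepts a preset ("0", "1", "2") or an explicit "4768;4769;4624" list.
    """
    setting = setting.strip()
    if setting in POLL_PRESETS:
        return set(POLL_PRESETS[setting])
    ids: set[int] = set()
    for part in setting.split(";"):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"invalid event ID list: {setting!r}")
        ids.add(int(part))
    return ids


@dataclass(frozen=True)
class SecEvent:
    record_id: int     # Security log record number (ordering only)
    event_id: int
    account: str
    client_ip: str


def logins_from_events(events, setting: str):
    """Return the (account, client_ip) logins a poller with this setting derives.

    Modelling assumption: every polled event yields one login record, except
    that 4769/673 is dropped unless its prerequisite event ID is both polled
    and already seen for the same account.
    """
    wanted = polled_event_ids(setting)
    seen_tgt: set[str] = set()   # accounts with a polled 4768/672 so far
    logins = []
    for ev in sorted(events, key=lambda e: e.record_id):
        if ev.event_id not in wanted:
            continue
        prereq = REQUIRES_PRIOR.get(ev.event_id)
        if prereq is not None:
            if prereq not in wanted or ev.account not in seen_tgt:
                continue             # 4769/673 alone cannot be correlated
        elif ev.event_id in REQUIRES_PRIOR.values():
            seen_tgt.add(ev.account)
        logins.append((ev.account, ev.client_ip))
    return logins


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    SecEvent(1, 4768, "alice", "10.0.0.11"),   # TGT request
    SecEvent(2, 4769, "alice", "10.0.0.11"),   # service ticket, correlates with #1
    SecEvent(3, 4769, "bob",   "10.0.0.12"),   # no prior 4768 polled for bob
    SecEvent(4, 4776, "carol", "10.0.0.13"),   # NTLM credential validation
    SecEvent(5, 4624, "dave",  "10.0.0.14"),   # account logon
]

if __name__ == "__main__":
    for setting in ("0", "1", "2", "4769"):
        print(setting, sorted(polled_event_ids(setting)),
              logins_from_events(SAMPLE_EVENTS, setting))
```

Running the script shows the effect of each setting on the same five records: preset 0 never sees dave's 4624, preset 2 does, bob's 4769 is always dropped because no 4768 for bob was polled, and an explicit list of just 4769 yields nothing at all, which is the case the asterisk footnote warns about.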
2. FortiGate (FGT) has an integrated poller as well. Its local polling mode also uses the Windows Security Event logs; however, the supported event subset is currently smaller.
- Windows 2008/2012/2016/2019 Event IDs: 4768, 4769, 4776.
- Windows 2003 Event IDs: 672, 673.
Hint:
If the FortiGate poller debug log shows 'no domain from <IP>', set 'default-domain' under 'config user fsso-polling' to avoid this failure.
3. FortiAuthenticator supports the following event IDs:
- Windows 2008/2012/2016/2019 Event IDs: 4768, 4769*, 4624*, 4770*, 4776.
- Windows 2003 Event IDs: 672, 673*, 674*, 680, 528*, 540*.
* Support for these events is enabled under the Fortinet Single Sign-On (FSSO) section -> SSO -> General -> Enable Windows event log polling (e.g. domain controllers/Exchange servers) [Configure Events].
Note that if there is no event in the Windows Security Event log, FSSO cannot pick up the users/machines either.
If the event IDs are not generated, an auditing group policy is likely prohibiting this.
Related articles:
Technical Tip: FSSO local poller (FSSOD) limitations compared to FSSO collector agent
Technical Tip: FSSO choose between DC Agent mode or Polling mode
Technical Tip: How to see a full list of Windows event log polling
Technical Tip: Downloading FSSO agent software
Technical Tip: How to validate MD5 checksum hash for FSSO installer
Technical Tip: How to install FSSO Collector Agent
Technical Tip: Comparison between DC-Agent mode and polling mode
Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets