Created on 02-13-2022 09:41 AM Edited on 12-31-2024 05:42 AM By Anthony_E
Description | This article describes how to troubleshoot missing log-on events in DC agent mode. |
Scope | FortiGate. |
Solution |
Before diving into troubleshooting, it helps to understand the flow of FSSO log-on event information in FortiGate.
Here is the actual process that will happen in FSSO DC agent mode:
If a user log-on is missing, follow the steps below:
Note down the user name of the missing user and check whether that user name is present in the Active Directory event logs (this confirms that the user name is present on the correct AD server).
If the user name is present, download the DC agent logs from the DC agent. DC agent logging can be enabled in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent -> edit -> enable Log. Set the value to 1 from 0.
The DC agent logs are saved by default in the root of the C:\ partition.
Note:
Once the FSSO authentication issue is resolved, disable DC agent logging by changing the 'enable_log' option back to 0.
Search for the specific user name in the DC agent logs to understand the reason for the failure:
A successful log-on event looks like this:
02/01/2022 14:31:43.491: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh (seshu ganesh) from seshug Domain:Firewallgeeks DNS suffix added:firewall.geeks.
02/01/2022 14:31:43.491: finish processing. workstation IP:10.21.2.3
In the above event, the log-on is processed for the user "seshu ganesh" from the machine named 'seshug'.
The DNS suffix is added for the specific domain 'firewallgeeks'. DNS resolution succeeds for the machine name 'seshug', and its workstation IP is 10.21.2.3.
The event is then forwarded to the collector agent and shown in the log-on user list.
Here are sample errors:
First:
02/01/2022 14:32:28.632: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh from seshug user:seshu.ganesh in ignore list
This error means that the user concerned is present in the ignore list. Remove the user from the ignore list, after which the log-on can be retried.
Second:
02/01/2022 14:33:25.850: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh () from seshug machine account:seshug$ is ignored.
02/01/2022 14:33:25.850: finish processing.
The 'machine account is ignored' message above is a normal log: by default, machine accounts are ignored.
Third:
02/03/2022 10:20:10.081: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh (seshu ganesh) from seshug Domain:Firewallgeeks DNS suffix added:firewall.geeks
02/03/2022 10:20:10.081: finish processing.
This error is mostly related to a DNS issue: the collector agent or DC agent is not able to resolve the workstation name to an IP address. Unlike the successful event, the 'finish processing.' entry here is not followed by a workstation IP. Make sure the DNS entries for this workstation are correct on the AD server.
In a similar way, going through the DC agent and collector agent (CA) logs at the time of the issue, matched on the correct time stamp, gives more details. |
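The log reading described above can be scripted when the DC agent log is large. The following is an added example, not Fortinet code: it assumes the entry format shown in the samples in this article, and the function name, verdict labels and sample text are constructed for illustration.

```python
import re

# Entry prefix as it appears in the article's samples: "MM/DD/YYYY HH:MM:SS.mmm: "
TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}: "
LOGON = re.compile(r"processing Logon \([^)]*\) [^\\\s]+\\(?P<user>\S+).*? from (?P<host>\S+)", re.S)
IP = re.compile(r"workstation IP:\s*(?P<ip>[\d.]+)")

def classify_logons(log_text, username=None):
    """Return one dict per Logon entry, with a verdict for each case in the article."""
    records = []
    # Split on timestamps, so entries run together on one line are still separated.
    for ts, msg in re.findall(rf"({TS})(.*?)(?={TS}|\Z)", log_text, re.S):
        logon = LOGON.search(msg)
        if logon:
            rec = {"time": ts.rstrip(": "), "user": logon["user"],
                   "host": logon["host"], "ip": None, "verdict": None}
            if "in ignore list" in msg:                             # "First" case
                rec["verdict"] = "user_in_ignore_list"
            elif re.search(r"machine account:\S+ is ignored", msg):  # "Second" case
                rec["verdict"] = "machine_account_ignored"
            records.append(rec)
        elif msg.lstrip().startswith("finish processing") and records \
                and records[-1]["verdict"] is None:
            ip = IP.search(msg)
            records[-1]["ip"] = ip["ip"] if ip else None
            # No IP after "finish processing." is the "Third" (DNS) case.
            records[-1]["verdict"] = "ok" if ip else "no_workstation_ip"
    for rec in records:
        # A Logon entry that never reached "finish processing".
        rec["verdict"] = rec["verdict"] or "incomplete"
    if username:
        records = [r for r in records if r["user"].lower() == username.lower()]
    return records

# Constructed sample: the four log excerpts from this article, one entry per line.
SAMPLE = r"""
02/01/2022 14:31:43.491: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh (seshu ganesh) from seshug Domain:Firewallgeeks DNS suffix added:firewall.geeks.
02/01/2022 14:31:43.491: finish processing. workstation IP:10.21.2.3
02/01/2022 14:32:28.632: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh from seshug user:seshu.ganesh in ignore list
02/01/2022 14:33:25.850: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh () from seshug machine account:seshug$ is ignored.
02/01/2022 14:33:25.850: finish processing.
02/03/2022 10:20:10.081: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh (seshu ganesh) from seshug Domain:Firewallgeeks DNS suffix added:firewall.geeks
02/03/2022 10:20:10.081: finish processing.
"""

if __name__ == "__main__":
    for r in classify_logons(SAMPLE, "seshu.ganesh"):
        print(r["time"], r["host"], r["verdict"], r["ip"] or "-")
```

Entries reported as no_workstation_ip are the ones to check against DNS on the AD server; user_in_ignore_list points at the ignore list configuration.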