In some cases, the FSSO user is not visible in the User Logon list in the Collector Agent; it is important to check if the event is visible in the Domain Controller.

If the user is visible in the Domain Controller, then the logs should be checked in the DCAgent.

Using the Registry Editor, check the FSAE Collector Agent settings and which collecting mode is enabled:

The value for supportLogonMonitorType on the screenshot, 0x00000001, means that the Collector Agent is set up to use DCAgent mode.

Check if the DCAgent is installed in the system.

In this case, the DCAgent is not installed and needs to be installed via CLI. Check this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent\ca, if it is missing, do the following:

The following is an example DCAgent install command; version and paths may differ:

<path_to_installer>\DCAgent_Setup_5.0.0319_x64.msi /qn /norestart FSAEAPPDIR="c:\dcagent_install_folder\" COLLECTORAGENTLIST="1.2.3.4:8002;6.7.8.9:8002" /lv dcagauto.log

Explanation of the generic msiexec parameters:
/qn: quiet, no user interface.
/norestart: do not reboot after install (if this is omitted, the installation will reboot the DC).

Note: After installation, the DC must be rebooted before the DCAgent starts to function. The agent is a DLL only, hooked into LSASS.exe. The /norestart parameter can be used to delay the restart for later: /lv <path to log file> (optional), verbose log output of the installation.

DCAgent-specific parameters:
FSAEAPPDIR: install folder for the GUI configurator.
COLLECTORAGENTLIST: semicolon-separated list of Collector Agent IPs and ports. All Collectors must be entered here to ensure consistent user databases on the Collectors.

After installation, check the registry editor to verify the installation was successful: