Technical Tip: Useful XML Filters to track FSSO user logon events in Windows Event Viewer

anderson_yee · ‎02-26-2024

Description

This article provides useful XML Filters to track FSSO user logon events in Windows Event Viewer.

Scope

Fortinet Single Sign-On (FSSO).

Solution

In the FSSO DC-Agent or Polling setup, sometimes users encounter missing logon events for specific users on the FSSO Collector Agent.

The first step is always to check whether the user logon event is processed on the Domain Controller.

Go to Event Viewer -> Windows Logs -> Security -> Filter Current Log -> XML:

Event Viewer XML filter by username (USER123):

<Select Path= file_path>*[EventData[Data[@Name="TargetUserName"]=" USER123"]]</Select>

</Query>

</QueryList>

Replace USER123 with the desired username to filter its logon event.

Event Viewer XML filter by IP address (x.x.x.x):

<Select Path=file_path>*[EventData[Data[@Name="IpAddress"]="x.x.x.x"]]</Select>

</Query>

</QueryList>

Replace x.x.x.x with the desired IP address to filter its logon event.

Event Viewer XML filter by Workstation Name (WORKSTATION):

<SelectPath=file_path>*[EventData[Data[@Name="WorkstationName"]="WORKSTATION"]]</Select>

</Query>

</QueryList>

Replace WORKSTATION with the desired workstation name to filter its logon event.

Related articles:

Troubleshooting Tip: How to read FSSO CA debug logon events

Technical Tip: How FSSO works and how to troubleshoot FSSO

Technical Tip: Useful XML Filters to track FSSO user logon events in Windows Event Viewer

You are leaving our website