As part of CMMC we need to be able to alert when logging has failed on a system. Some of these logs are application log files that we collect with the Windows Agent user log feature and custom parsers. I know there is the generic 'no logs' from system event, but that doesn't seem to work with the user-defined logs; I need to generate an alert if the application logs are not being received. Is there a way to create a clone of the 'no logs from device' event to customize? Or is there another way? I would prefer not to run a daily report to be examined, though I know that is an option as shown in this similar question: How do I get devices not sending logs in last 24 h... - Fortinet Community
Can you clarify
1) You are using the FortiSIEM Windows Agent and the User Log collection feature where you are collecting a custom log file, and you would like to alert when no 'AO-WUA-UserFile-XXXX' events are received in a particular time period?
2) Are you using ClickHouse as the FortiSIEM Event Database?
1) Yes, as well as the Linux agent user log collection.
2) Using the default FortiSIEM Event database. Not sure if that is ClickHouse at the moment.
I would also like that option for any specific received log item, not just the Agent user logs. For example, we might still be receiving configuration change log entries from a firewall, but for some reason traffic logs have stopped; we want to alert that the traffic logs aren't being received.
You can check via Admin > Setup > Storage > Online.
Not ClickHouse
EventDB Local Disk
Ok thanks for confirming.
It would be possible if using the ClickHouse database and an Advanced SQL query with the latest 7.4 release, but for EventDB I cannot think of an easy way to achieve this.
Thinking out the box, I think your options would be:
1) Use a "Nested Query" to Report on Devices missing the events you are interested in.
This would not trigger a rule, but could be scheduled to email results.
2) Automated .. complex and probably requiring PS .. but you could create a script to use the FortiSIEM API to query for the events you are interested in (scheduled with cron) and feed the results via syslog into your FortiSIEM, with a custom parser to interpret the results.
A rule could then be used to trigger based on the custom events produced.
3) Automate no (2) with FortiSOAR, I think it would be possible.
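The "absence becomes a positive event" idea in option (2) above, as an added example that is not part of the thread and not Fortinet code. It assumes the SIEM-side lookup is a function you supply (here `last_seen_from_sample`, a hypothetical stand-in fed from constructed in-memory events, where the real script would call the FortiSIEM API); the device names, the `FortiGate-*` labels and the `AO-WUA-UserFile-AppLog` / `AO-WUA-UserFile-Audit` names are constructed placeholders, not real event types. Each expected source gets its own tolerated silence, and every silent source is turned into a syslog line that a custom parser can map to a `LOG_SOURCE_SILENT` event for a rule to match.

```python
"""Cron-driven log-silence check: report expected sources whose newest
event is older than a per-source threshold, as syslog lines.
Added example, not from the thread or from Fortinet."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
import socket

# Constructed sample of events the SIEM has already received:
# (device, event type, ISO-8601 timestamp). Stand-in for an API query result.
SAMPLE_EVENTS = [
    ("fw-edge-01", "FortiGate-traffic", "2025-01-10T09:58:00Z"),
    ("fw-edge-01", "FortiGate-event-config", "2025-01-10T10:12:00Z"),
    ("app-srv-02", "AO-WUA-UserFile-AppLog", "2025-01-10T08:05:00Z"),
]

# Sources we expect to keep flowing: (device, event type, max silence in minutes).
# A chatty firewall traffic feed gets a tight threshold; a sparse audit file a loose one.
EXPECTED_SOURCES = [
    ("fw-edge-01", "FortiGate-traffic", 10),
    ("fw-edge-01", "FortiGate-event-config", 30),
    ("app-srv-02", "AO-WUA-UserFile-AppLog", 60),
    ("db-srv-03", "AO-WUA-UserFile-Audit", 60),   # never seen in the sample
]

# Fixed "now" so the demo is reproducible; a real run uses datetime.now(timezone.utc).
DEMO_NOW = datetime(2025, 1, 10, 10, 15, tzinfo=timezone.utc)


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def last_seen_from_sample(device: str, event_type: str) -> Optional[datetime]:
    """Hypothetical lookup: newest sample event for device/type, or None if none."""
    seen = [parse_ts(ts) for d, t, ts in SAMPLE_EVENTS if d == device and t == event_type]
    return max(seen) if seen else None


def find_silent_sources(expected, last_seen_fn: Callable[[str, str], Optional[datetime]],
                        now: datetime) -> list:
    """One dict per source that is silent for longer than its threshold (or never seen)."""
    silent = []
    for device, event_type, max_minutes in expected:
        last = last_seen_fn(device, event_type)
        gap = None if last is None else now - last
        if last is None or gap > timedelta(minutes=max_minutes):
            silent.append({
                "device": device,
                "event_type": event_type,
                "last_seen": None if last is None else last.isoformat(),
                "silent_minutes": None if gap is None else int(gap.total_seconds() // 60),
                "threshold_minutes": max_minutes,
            })
    return silent


def to_syslog(alert: dict, now: datetime, reporter: str = "logwatch") -> str:
    """Format one RFC 3164 line: facility local0 (16) * 8 + severity warning (4) = PRI 132.
    Key=value pairs keep the message easy to pick apart in a custom parser."""
    pri = 16 * 8 + 4
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"       # e.g. "Jan 10 10:15:00"
    kv = " ".join(f"{k}={'never' if v is None else v}" for k, v in alert.items())
    return f"<{pri}>{ts} {reporter} logsilence: LOG_SOURCE_SILENT {kv}"


def send_udp(line: str, host: str, port: int = 514) -> None:
    """Ship one line to a syslog collector over UDP (not called in the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def run_demo() -> list:
    """Return the syslog lines the check would emit for the constructed sample."""
    alerts = find_silent_sources(EXPECTED_SOURCES, last_seen_from_sample, DEMO_NOW)
    return [to_syslog(a, DEMO_NOW) for a in alerts]


if __name__ == "__main__":
    for line in run_demo():
        print(line)          # replace with send_udp(line, "<collector-ip>") under cron
```

On the SIEM side the parser only needs to recognise the `LOG_SOURCE_SILENT` token and lift the `device=` and `event_type=` pairs into attributes; a rule can then fire on that single event, which is the positive signal the native 'no logs from device' check cannot give for one log type among several still arriving.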
Copyright 2025 Fortinet, Inc. All Rights Reserved.