Hi community,
I hope someone in the community might have a suggestion for the issue I'm facing.
I have set up WEF from two different Windows machines into a Windows Server configured as the WEC.
All event logs from the two WEF machines are received at the WEC and are fully visible in Event Viewer under "Forwarded Events".
I have installed a FortiSIEM agent on the WEC and configured it to pull ALL events.
For some reason I still can't see any indication of logs from the two WEF machines and can see only logs from the WEC.
I have followed all installation and configuration guidance I could find on the matter but still can't identify the required logs.
Are there any special configurations I should set in FortiSIEM or on any other machine which will make the forwarded events from the two WEF machines be ingested into FortiSIEM?
Any help will be appreciated.
Hi @premchanderr,
Thanks for your reply; the issue was solved.
For anyone trying to use the WEF / WEC configuration in the future who sees this post, there are some key pointers to check:
1. The agent version should be an exact match with the SIEM version.
2. For FortiSIEM to identify and parse the logs correctly, a separate Windows Agent Template should be created for the WEF logs which includes the name of the event log from the WEC:
- Right-click on "Forwarded Logs" (in the WEC Event Viewer) and copy the name into the Windows Agent Template in the following location:
Windows Agent Monitor Template ==> Event ==> Type: "Other" ==> EventName.
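As an added example (this is not code from the original post or from Fortinet), the following PowerShell snippet, run on the WEC, prints the exact channel name to enter in the template's EventName field, confirms that events from the WEF source hosts are actually arriving in that channel, and checks the collector subscription status. The subscription name `Forwarded-Security` is an assumption; list yours with `wecutil es`.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the WEC.

# 1. The channel name to paste into
#    Windows Agent Monitor Template > Event > Type "Other" > EventName.
#    Event Viewer displays it as "Forwarded Events"; the channel name itself
#    has no space, which is the value the template needs.
$log = Get-WinEvent -ListLog ForwardedEvents
"Channel name : {0}" -f $log.LogName
"Record count : {0}" -f $log.RecordCount
"Log file     : {0}" -f $log.LogFilePath

# 2. Which WEF source hosts delivered events in the last hour. MachineName on a
#    forwarded event is the source computer, not the WEC, so this distinguishes
#    forwarded logs from the collector's own logs.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object MachineName |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 3. Subscription runtime status on the collector: each source should be Active
#    with no LastError. The subscription name is assumed; enumerate with "wecutil es".
$subscription = 'Forwarded-Security'
wecutil gr $subscription

# 4. Confirm a FortiSIEM agent service is present and running on the WEC
#    (matched by display name so no service name has to be assumed).
Get-Service | Where-Object { $_.DisplayName -like '*FortiSIEM*' } |
    Select-Object Name, DisplayName, Status
```

If step 2 lists only the WEC's own name, or nothing, the problem is on the WEF/WEC side rather than in FortiSIEM; if it lists the source hosts but FortiSIEM still shows nothing, recheck the EventName value and the agent/SIEM version match from the pointers above.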
Hi @GidonT,
There would be some error in this. Could you apply the template and, after ten minutes, look into Analytics > Events for any errors?
Thank you @GidonT, glad to know the issue has been solved.