FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
flunaibarra
Staff
Article Id 354815
Description

This article describes how to configure the User Log in a Windows template configuration.

Scope: FortiSIEM, Windows Agent.
Solution

1. On the Windows server, get the path and file name of the file that will be monitored.

   Example: C:\Temp\Folder\setupact.log. Note the correct file extension and the prefix to use.

File_Path.png

2. In FortiSIEM, create the configuration under Windows Agent template configuration -> User Log.

User_Log.png

3. Create an association and press the Apply button for the changes to take effect.

association.png

4. Run an Analytics Query with the following attributes:

   Reporting IP = <Host_IP>
   Raw Event Log CONTAIN WUA-UserFile

Analytic_Query.png

Note: If no new log lines are written to the monitored file while it is being monitored, no events will show up in Analytics. To test, open the file, copy some lines that contain the prefix, paste them at the end of the file and save it. Then run the Analytics Query again.

5. If the path or file name is incorrectly entered in the template configuration, an event will be sent indicating:

   'The system cannot find the file specified.'

failed_file.png
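The two checks above (the file-not-found event in step 5 and the append-some-prefixed-lines test from the note in step 4) can be run from the Windows host with the following PowerShell script. It is an added example, not part of the Fortinet article or the Windows Agent; the default path is the article's example, and the prefix is whatever you entered in the User Log template.

```powershell
# Added example (not from the article): verify the monitored file exists and
# append a few existing prefixed lines so the Windows Agent has new data to ship.
# -Path defaults to the article's example; -Prefix is the line prefix from your template.
param(
    [string]$Path = 'C:\Temp\Folder\setupact.log',
    [Parameter(Mandatory)][string]$Prefix,
    [int]$Count = 3
)

# Step 5 of the article: a wrong path or extension in the template makes the agent
# report 'The system cannot find the file specified.' Check it here first.
if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Write-Error "Monitored file not found: $Path (check the path and file extension in the template)"
    exit 1
}

# Note under step 4: re-append lines that already carry the prefix so a new event is generated.
$sample = Get-Content -LiteralPath $Path |
    Where-Object { $_ -like "*$Prefix*" } |
    Select-Object -Last $Count

if (-not $sample) {
    Write-Warning "No lines containing '$Prefix' found in $Path; nothing appended."
    exit 0
}

Add-Content -LiteralPath $Path -Value $sample
Write-Host "Appended $(@($sample).Count) line(s) containing '$Prefix' to $Path. Re-run the Analytics Query."
```

Run it as an account that can write to the monitored file; the query in step 4 should then return new WUA-UserFile events for the host.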