FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
mshubham
Staff
Article Id 409962
Description This article describes why multiple access methods (for example, Windows Agent and Syslog) may appear in the CMDB report for a Windows device, even though it has only been configured and integrated using the Windows Agent.
Scope FortiSIEM.
Solution

The Device Event Collection Status CMDB report pulls data from multiple internal fields, specifically:

  • ph_device.access_ip
  • ph_device.name
  • ph_device_type.model
  • ph_device_ep_access.access_protocol
  • ph_device_ep_access.last_state
  • ph_device_ep_access.last_event_received_time

To investigate how many protocol entries exist for a particular device and which access methods are associated with it, run the following queries against the CMDB database (replacing the example IP address 10.0.0.160 / xx.xx.xx.xx with the actual device IP, and <xxxxxxx> with the device ID returned by the first query).

Check discovery methods:

SELECT access_ip, discover_method, creation_method, proc_name, description, app_name, asset_category FROM ph_device WHERE access_ip = '10.0.0.160' AND (discover_method = 'LOG' OR creation_method = 'LOG' OR proc_name = 'LOG');


Narrow down to Windows Devices:


SELECT access_ip, discover_method, creation_method, proc_name, description, app_name, asset_category FROM ph_device WHERE access_ip = '10.0.0.160' AND ( discover_method = 'LOG' OR creation_method = 'LOG' OR proc_name = 'LOG' ) AND ( os_edition ILIKE 'Windows%' OR win_machine_guid IS NOT NULL );


Check protocols associated with the Device:


SELECT * FROM ph_device_ep_access WHERE device_id = <xxxxxxx>;


| id | creation_time | cust_org_id | last_modified_time | owner_id | entity_version | enabled | access_method_id | device_id | collector_id | target | status | status_desc | last_event_received_time | last_state | reporter | access_protocol | mode | bookmark |
| -------- | -------------- | ----------- | ------------------ | -------- | -------------- | ------- | ---------------- | --------- | ------------ | ----------- | ------ | ----------- | ------------------------ | ------------ | ----------- | ----------------- | ---- | -------- |
| xxxxxxx1 | xxxxxxxxxxxxxx | 1 | xxxxxxxxxxxxxx | 0 | 0 | **t** | [null] | xxxxxxx | xxxxx | xx.xx.xx.xx | 2 | | xxxxxxxxxxxxxx | **Normal** | xx.xx.xx.xx | **Windows Agent** | 1 | |
| xxxxxxx2 | xxxxxxxxxxxxxx | 1 | xxxxxxxxxxxxxx | 0 | 0 | **f** | [null] | xxxxxxx | xxxxx | xx.xx.xx.xx | 2 | | xxxxxxxxxxxxxx | **Critical** | xx.xx.xx.xx | **Syslog** | 1 | |


Filter only Syslog entries:


SELECT * FROM ph_device_ep_access WHERE device_id = <xxxxxxx> AND access_protocol = 'Syslog';


The result shows a stale (legacy) Syslog entry in the database that:

  • Has an older timestamp.
  • Is disabled (enabled = f).
  • Has a last_state = 'Critical'.


This Syslog entry is stale and was never actively used: it is disabled, carries an older timestamp, and is marked Critical. Once the SELECT above has confirmed that the only Syslog rows for the device match these criteria, remove them by running the following command from the Super CLI:


psql -U postgres -d phoenixdb -c "DELETE FROM ph_device_ep_access WHERE device_id = <xxxxxxx> AND access_protocol = 'Syslog';"


Then verify that only the Windows Agent entry remains by running the following command against the database:


psql -U postgres -d phoenixdb -c "SELECT * FROM ph_device_ep_access WHERE device_id = <xxxxxxx>;"
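As an added example (not part of the article or FortiSIEM's own tooling), the check below encodes the three stale criteria listed above so that the row to be removed can be identified programmatically before any DELETE is issued. It is deliberately narrower than the article's blanket DELETE: it flags only disabled, Critical Syslog rows whose last event is older than the device's newest enabled entry, so a still-active Syslog source is left alone. It runs against an in-memory SQLite table with constructed sample rows; column names follow the ph_device_ep_access columns shown in the table above, and the sample IDs and timestamps are invented.

```python
import sqlite3
from datetime import datetime

# Constructed sample data modelled on the ph_device_ep_access columns above
# (not real FortiSIEM rows). Timestamps are epoch milliseconds.
NOW_MS = int(datetime(2024, 6, 1).timestamp() * 1000)
DAY_MS = 24 * 60 * 60 * 1000
SAMPLE_ROWS = [
    # id, device_id, enabled, last_event_received_time, last_state, access_protocol
    (1001, 777, "t", NOW_MS - 1 * DAY_MS, "Normal", "Windows Agent"),
    (1002, 777, "f", NOW_MS - 90 * DAY_MS, "Critical", "Syslog"),   # the stale row
    (1003, 777, "t", NOW_MS - 2 * DAY_MS, "Normal", "Syslog"),      # live syslog: keep
    (1004, 888, "f", NOW_MS - 30 * DAY_MS, "Critical", "Syslog"),   # device with no enabled entry
]


def load_sample_db():
    """Build an in-memory table with the constructed rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ph_device_ep_access (id INTEGER, device_id INTEGER, enabled TEXT,"
        " last_event_received_time INTEGER, last_state TEXT, access_protocol TEXT)"
    )
    conn.executemany("INSERT INTO ph_device_ep_access VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def find_stale_entries(conn, device_id, protocol="Syslog"):
    """Return ids of rows for device_id that match all three stale criteria:
    disabled (enabled = 'f'), last_state = 'Critical', and a last event time
    older than the device's newest enabled entry. Devices with no enabled
    entry yield nothing: there is no live row to compare against."""
    newest = conn.execute(
        "SELECT MAX(last_event_received_time) FROM ph_device_ep_access"
        " WHERE device_id = ? AND enabled = 't'", (device_id,)).fetchone()[0]
    if newest is None:
        return []
    rows = conn.execute(
        "SELECT id, enabled, last_event_received_time, last_state FROM ph_device_ep_access"
        " WHERE device_id = ? AND access_protocol = ?", (device_id, protocol)).fetchall()
    return sorted(r[0] for r in rows
                  if r[1] == "f" and r[3] == "Critical" and r[2] < newest)


def delete_stale_entries(conn, device_id, protocol="Syslog"):
    """Delete only the rows flagged by find_stale_entries; return their ids."""
    ids = find_stale_entries(conn, device_id, protocol)
    conn.executemany("DELETE FROM ph_device_ep_access WHERE id = ?", [(i,) for i in ids])
    conn.commit()
    return ids
```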