Troubleshooting Tip: Configuration and troubleshoting of Windows Agent Template -> Forwarded Events

flunaibarra · ‎09-22-2025

Description

This article describes configuring and troubleshooting the Windows Agent Forwarded Events template.

Scope

FortiSIEM v6.3.3 and higher.
Windows Agent v4.x.x - v7.3.x.

Solution

Prerequisites:

The Windows Agent will be installed in the WEC or FWD server to collect the Forwarded Events.

The Event Viewer should show the Forwarded Events as shown in the screenshot below:

The Windows Agent template should be configured with the same Full Event Name in the Windows Template configuration -> Event tab as:

Troubleshooting:

The Agent and Events status in CMDB should be shown as Normal.
Ensure other Windows Events are being uploaded successfully. This will confirm that there are no connection issues.

If no events are being uploaded, then follow the following KB article to troubleshoot connection issues: Troubleshooting Tip: Windows Agent registered with Supervisor but not uploading events.

Note: Do not add any Reporting IP, as Forwarded Events do not contain any Reporting IP.

Also, only Security, Application, and Systems events can be collected with the Forwarded Events configuration.

You are leaving our website