FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
flunaibarra
Staff
Article Id 340617

 

Description

This article describes the troubleshooting steps for integrating a Windows Server with FortiSIEM via OMI using a domain administrator account.

Before going through this article, review the document linked below to verify the supported OS versions, what is discovered and monitored, the recommendations, the data collection comparison, and the full configuration steps:

Microsoft Windows Server via OMI/SNMP/WMI

Scope

FortiSIEM 6.3.3 and higher.
Windows Server 2012, 2012 R2, 2016, 2019, 2022.
Solution

For OMI integration, FortiSIEM (the Supervisor or Collector that performs the discovery) connects to the Windows host using the configured user credentials.

If this fails, the cause is usually one of three things: the network configuration (blocked ports or no route), the user's permissions on the Windows host, or incorrect credential information.

 

  1. The following ports must be open between FortiSIEM and the Windows host for the OMI communication. The connection is initiated by the FortiSIEM Supervisor or Collector, so the host must accept inbound traffic on them: TCP/135 (RPC endpoint mapper, used by WMI/DCOM), UDP/137 (NetBIOS name service), TCP/5985-5986 (WinRM over HTTP/HTTPS).

  2. The credentials test may fail with the following errors:

failed (Win32_OperatingSystem results not found via OMI)
failed (no response to ping)

The first error means the host was reachable but the WMI query returned nothing, which points to the user's permissions, the DCOM/WMI security settings or the WinRM/WMI services on the host. The second means basic reachability failed, which points to the network path, the firewall or the host being down.

 

  • Confirm that the FortiSIEM Supervisor or Collector can reach the host, using network tools such as ping and tcpdump on the FortiSIEM side, and check that the ports above are listening on the host.
  • Make sure the user can log in to the host that will be monitored; this rules out a locked or expired account and a wrong password.
  • If the host is a Domain Controller, make sure the Domain Admins group (which the user belongs to) is a member of the Administrators group on that Domain Controller.
  • If the host is a member server (client host), add the user to the local Administrators group instead.

 

  1. Test with an omic command from the Supervisor or Collector (whichever will perform the OMI discovery):

    /opt/phoenix/bin/omic -s /opt/phoenix/config/smb.conf -U DOMAIN/USER%PASSWORD //<HOST_IP> 'SELECT * FROM Win32_OperatingSystem'

    Replace DOMAIN, USER, PASSWORD and <HOST_IP> with the values from the FortiSIEM credential definition. The password is passed on the command line, so it lands in the shell history and is visible in the process list while omic runs; clear the history afterwards or use a temporary test password.

    A successful omic reply lists the Win32_OperatingSystem properties of the host (screenshot omitted). If omic succeeds but the FortiSIEM credentials test still fails, the problem is in the credential definition (step 3 below) rather than on the host.

  2. Review the OMI permissions configured on the host against the external configuration guide linked above:
    Make sure the user is a member of the Distributed COM Users and Performance Monitor Users groups, and that those groups are granted access in the COM Security (DCOM) configuration.
    Make sure the user account has the required permissions enabled in WMI Control (typically Enable Account and Remote Enable on the Root namespace).
    Make sure the WMI and WinRM inbound rules are enabled in the Windows firewall.
    Make sure the WinRM service is running; if the WMI query still fails, restart the Windows Management Instrumentation (Winmgmt) service.

  3. Review the credentials definition and make sure the correct information is entered:

Example: (screenshot of the credential definition in the FortiSIEM GUI, omitted)

 

  • Review and verify that the NetBIOS/Domain name is correct (the same DOMAIN value that worked in the omic test).
  • Review and verify that the username is correct.
  • Review and verify that the password is entered correctly, or reset it to a known value for testing.
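As a host-side companion to the omic test, the following PowerShell script is an added example (it is not part of this article and not FortiSIEM's own tooling) that checks, on the Windows host itself, the items from the port list and from the OMI permissions list above: listening ports, the WinRM and WMI services, the firewall rule groups, group membership of the monitoring account, and the Win32_OperatingSystem query that omic issues. The domain CORP and the account svc_fsm are placeholders; replace them with the DOMAIN/USER from the credential definition.

```powershell
# Added example for this KB article; it is not part of the Fortinet article or
# of FortiSIEM. Run it in an elevated PowerShell session on the Windows host
# that FortiSIEM will discover via OMI (Windows Server 2012 R2 or later; the
# Get-LocalGroupMember cmdlet needs Windows Server 2016 or WMF 5.1).
# Placeholder values (assumptions, replace with your own): domain CORP and
# monitoring account svc_fsm, matching the DOMAIN/USER of the omic test.

$Domain  = 'CORP'
$User    = 'svc_fsm'
$Account = "$Domain\$User"

$results = [ordered]@{}

# 1. Ports the article lists for OMI. FortiSIEM initiates the connection, so the
#    host must be listening: TCP/135 (RPC endpoint mapper, used by WMI/DCOM),
#    UDP/137 (NetBIOS name service) and TCP/5985-5986 (WinRM HTTP/HTTPS).
foreach ($port in 135, 5985, 5986) {
    $results["TCP/$port listening"] =
        [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
}
$results['UDP/137 listening'] =
    [bool](Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue)

# 2. Services behind those ports: WinRM answers on 5985/5986, Winmgmt serves
#    the WMI query. A running WinRM service with no listener still fails.
$results['WinRM service running']   = (Get-Service -Name WinRM).Status -eq 'Running'
$results['WinRM listener present']  =
    [bool](Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
$results['Winmgmt service running'] = (Get-Service -Name Winmgmt).Status -eq 'Running'

# 3. Windows firewall: the built-in inbound rule groups for WMI and WinRM must be
#    enabled; a disabled ICMPv4 echo rule is one cause of "no response to ping".
$results['WMI inbound rules enabled'] = [bool](Get-NetFirewallRule `
    -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound `
    -Enabled True -ErrorAction SilentlyContinue)
$results['WinRM inbound rules enabled'] = [bool](Get-NetFirewallRule `
    -DisplayGroup 'Windows Remote Management' -Direction Inbound `
    -Enabled True -ErrorAction SilentlyContinue)
$results['ICMPv4 echo inbound rule enabled'] = [bool](Get-NetFirewallRule `
    -DisplayName '*Echo Request - ICMPv4-In*' -Direction Inbound `
    -Enabled True -ErrorAction SilentlyContinue)

# 4. Group membership the article requires. On a member server these are the
#    local groups; on a Domain Controller the same names resolve to the built-in
#    domain groups. The user may be a member directly or via Domain Admins.
$domainAdmins = "$Domain\Domain Admins"
foreach ($group in 'Administrators', 'Distributed COM Users', 'Performance Monitor Users') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    $results["$Account in $group"] = [bool]($members |
        Where-Object { $_.Name -ieq $Account -or $_.Name -ieq $domainAdmins })
}

# 5. The query omic issues, run locally: proves the WMI repository itself answers
#    before the remote permissions (DCOM, WMI Control) are blamed.
$results['Win32_OperatingSystem query answers'] =
    [bool](Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction SilentlyContinue)

# Print a checklist; every CHECK line maps to one of the article's steps.
foreach ($entry in $results.GetEnumerator()) {
    '{0,-45} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'CHECK' })
}
```

Every CHECK line points at the step of this article to revisit: listening ports and services at step 1 of the first list and the WinRM item of the permissions list, firewall rules and group membership at the permissions list, and the local WMI query at the omic test. A clean run only proves the host side; the network path still has to be confirmed from the Supervisor or Collector with the omic command above.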