Created on 05-22-2019 06:28 AM Edited on 06-02-2022 11:53 AM By Anonymous
Description
This article describes why the installation of FortiSIEM Windows Agent 3.1 on cloned VM Windows Servers may fail.
Solution
The FortiSIEM Windows Agent 3.1 installation fails because both servers are identified as one. This can happen when the VMs are cloned and share the same GUID (hardware ID).
To better understand the issue, look at the following log from both servers:
C:\ProgramData\AccelOps\Agent\Logs\ProxyTrace.log
Server 1:
Date :May 15 2019 [16:38:16] INFO : SuperManager : Request= <?xml version="1.0" encoding="utf-8"?><request><winAgent><orgName>Super</orgName><orgId>1</orgId><machineGUID>7C3AD575-24A1-4FB4-8A9C-31E6E1FD9D19</machineGUID><agentVersion>3.1.0</agentVersion><domain>winoffice.local</domain><hostname>SERVER1.winoffice.local</hostname><hostIP>192.168.1.101</hostIP><vendor>Microsoft</vendor><model>Microsoft Windows Server 2008 R2 Standard </model><version>6.1.7601</version></winAgent></request>
Server 2:
Date :May 15 2019 [16:42:51] INFO : SuperManager : Request= <?xml version="1.0" encoding="utf-8"?><request><winAgent><orgName>Super</orgName><orgId>1</orgId><machineGUID>7C3AD575-24A1-4FB4-8A9C-31E6E1FD9D19</machineGUID><agentVersion>3.1.0</agentVersion><domain>winoffice.local</domain><hostname>SERVER2.winoffice.local</hostname><hostIP>192.168.1.102</hostIP><vendor>Microsoft</vendor><model>Microsoft Windows Server 2008 R2 Standard </model><version>6.1.7601</version></winAgent></request>
As you can see, the servers share the same machineGUID:
<machineGUID>7C3AD575-24A1-4FB4-8A9C-31E6E1FD9D19</machineGUID>
so the second installation overrides the first agent's registration, updating the CMDB.
In the first log (SERVER1) you can also see the effect of this situation:
Date :May 15 2019 [16:43:21] ERROR : AoWebService : NotifyStatusV2 exception The remote server returned an error: (401) Unauthorized.
The first agent is not allowed to register anymore.
To fix this issue you need to change the machine GUID of one of the servers.
In Windows Server, PowerShell provides a cmdlet that generates a random GUID:
PS C:\> New-Guid
Take note of the newly generated GUID and use it to replace the old MachineGuid value in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Now you will be able to install the FortiSIEM Windows Agent on the second server as well.
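The registry change described above, written as one script to run on the server whose GUID you decide to change. This is an added example, not Fortinet's code. It assumes an elevated, native (64-bit on 64-bit Windows) PowerShell session; `$DuplicateGuid` defaults to the value from the log above, and the backup file path is an assumption.

```powershell
param(
    # GUID that both agents report in ProxyTrace.log (value from the log above)
    [string]$DuplicateGuid = '7C3AD575-24A1-4FB4-8A9C-31E6E1FD9D19',
    # Assumed backup location; change as needed
    [string]$BackupFile = "$env:SystemDrive\MachineGuid.backup.txt"
)

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography'

# Writing under HKLM requires administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$current = (Get-ItemProperty -Path $keyPath -Name MachineGuid).MachineGuid
Write-Output "Current MachineGuid: $current"

# Only touch a host that really carries the cloned GUID (-ne ignores case).
if ($current -ne $DuplicateGuid) {
    Write-Output 'MachineGuid differs from the duplicated value; nothing changed.'
    return
}

# Keep the old value so the change can be reverted.
"$(Get-Date -Format s) $env:COMPUTERNAME $current" | Add-Content -Path $BackupFile

# [guid]::NewGuid() produces a random GUID like New-Guid and also works on
# PowerShell versions that do not ship the New-Guid cmdlet.
$new = [guid]::NewGuid().ToString()
Set-ItemProperty -Path $keyPath -Name MachineGuid -Value $new

# Read the value back to confirm the write.
$check = (Get-ItemProperty -Path $keyPath -Name MachineGuid).MachineGuid
if ($check -ne $new) { throw "MachineGuid was not updated (still $check)." }
Write-Output "New MachineGuid: $check (old value saved to $BackupFile)"
```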