FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Article Id 193013


This article will help troubleshoot windows agent registration problems.  Before going through this documentation, please review the doc link below to verify if you have the correct windows agent package for the version of FortiSIEM you are registering against.
Windows Agent Installation Guide:
FortiSIEM Compatibility Matrix:

Windows Agent 3.x

If Windows Agent registration fails, the few tips below can help narrow down the failure:

Installation fails because the executable cannot find the installsettings.xml
  • The two files must be accessible by the user performing the installation.  The windows agent binary and xml must be in the same directory.
  • Create a new folder in C:\ or on the desktop.  Then copy the installsettings.xml and windows agent binary, then execute the installation
  • Verify file permissions that allows for full control over the installsettings.xml and windows agent binary
Windows agent registration fails against the supervisor generic message
  • SSH into the supervisor check: /var/log/httpd/ssl_access_log
  • Registration URI: /phoenix/rest/register/windowsAgent
  • Verify what response http return code is received from ssl_access_log from the uri above
    • 401 - Authentication Failure
    • 403 - Forbidden (agent account failure possibility or configuration for windows agent on the supervisor side has not been completed)
    • 502 - Server unavailable (possible problem with the FortiSIEM Application Server - contact support)
    • 20x - Success in access - registration would be expected to be successful

Manual URL Check
  • Windows agent URI: /phoenix/rest/register/winAgent
  • https://<ip of super>/phoenix/rest/register/winAgent
  • username and password prompt is expected
  • do not enter any credentials here as it would not pass - this is only a check to verify availability of URI
Verify if there are no hidden characters
  • copy the installsettings.xml into a linux console
  • To check:# cat -v installsettitngs.xml
    • most times you may get characters like ^M in the file, this may cause some interference in windows agent configuration
  • To Convert:# dos2unix installsettings.xml
Modify the installsettings.xml to use standardized characters for its password
Debug Windows Agent Installation
  • Open Command Prompt as the Windows Administrator
  • C:\msiexec.exe /i <location_of_agent_install_file> /l*v C:\debug_install.log
  • Once the installation fails, review the C:\debug_install.log for clues
  • C:\Programdata\Accelops\Agent\logs\ProxyTrace.log can also be reviewed for clues
Modify %temp% folder
  • CTRL+R > %temp%
  • edit the temp folder properties
  • Add everybody for this temp folder
  • Allow for full control over this temp folder
  • this will allow for read write permissions to be setup as this folder is used to write temporary data during the installation process
Create a new windows agent user account
  • Log into the supervisor as a full admin for the organization
    • Enterprise deployments will not have an organization option - this is expected
  • create a new windows agent user
  • ensure that the Agent Admin option is ticked when configuring the password for the administrator
  • modify the installsettings.xml with the new agent admin