Created on 03-24-2025 09:57 AM. Edited on 03-28-2025 06:07 AM. By yitoo_FTNT.
Description | This article explains the 'daemon_admin' user that appears in FortiWeb logs when FortiWeb records events under that user name. |
Scope | FortiWeb, FortiWeb VM, FortiWeb Public Cloud. |
Solution |
Sometimes, FortiWeb reports System events with a user named 'daemon_admin', even though the FortiWeb configuration does not have any user created with that name. Examples of logs include the following:
v015xxxxdate=2025-02-14 time=12:07:00 log_id=09000001 msg_id=000239113516 device_id=FVVM08TM00000001 eventtime=1739588547163950716 vd="root" timezone="(GMT-5:00)Bogota,Lima,Quito" timezone_dayst="GMTa+5" type=event subtype="admin" pri=information trigger_policy="N/A" user=daemon_admin ui=system action=delete status=success msg="User daemon_admin deleted staged_signature_list 060050053 from sig_update"
v015xxxxdate=2025-02-14 time=12:07:00 log_id=09000001 msg_id=000239113517 device_id=FVVM08TM00000001 eventtime=1739588547163986747 vd="root" timezone="(GMT-5:00)Bogota,Lima,Quito" timezone_dayst="GMTa+5" type=event subtype="admin" pri=information trigger_policy="N/A" user=daemon_admin ui=system action=delete status=success msg=" Delete configuration for 'waf staged_signature_list' '060050053'"
This behavior is expected during normal FortiWeb operations. It does not indicate anything unusual or harmful, such as an attack or intrusion. The daemon_admin user is a special FortiWeb system user that several internal features use to make changes from the back end. These features may include service updates from FortiGuard (such as signature updates), Automation, or Security Fabric.
Finally, daemon_admin is used on all FortiWeb models and platforms: FortiWeb hardware models, FortiWeb virtual models (VMware, Hyper-V, etc.) and FortiWeb public clouds (AWS, Azure, GCP, OCI). |
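The following is an added example, not code from Fortinet or from the original article: a small parser for the key=value log format shown above that sorts admin events by whether daemon_admin acted through ui=system, as in the article's samples. The sample lines are constructed, and both the handling of the leading "v015xxxx" header and the rule that daemon_admin with any other ui value is worth a manual look are assumptions of this example.

```python
import re

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# Assumption: the "v015xxxx" seen in the article's samples is a header glued to "date=".
HEADER = re.compile(r'^v\d{3}xxxx')

def parse_line(line):
    """Return a dict of the fields in one FortiWeb event log line."""
    fields = {}
    for m in PAIR.finditer(HEADER.sub('', line.strip())):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def classify(fields):
    """Triage rule of this example (an assumption, not Fortinet guidance)."""
    if fields.get('user') != 'daemon_admin':
        return 'other'      # named administrator, covered by normal admin review
    if fields.get('ui') == 'system':
        return 'expected'   # back-end change, matching the article's samples
    return 'review'         # daemon_admin with a ui the article does not show

def triage(lines):
    """Return (date, time, user, ui, verdict) for each log line."""
    rows = []
    for line in lines:
        f = parse_line(line)
        rows.append((f.get('date'), f.get('time'), f.get('user'),
                     f.get('ui'), classify(f)))
    return rows

# Constructed sample lines modelled on the article's format (values are illustrative).
SAMPLE = [
    'v015xxxxdate=2025-02-14 time=12:07:00 log_id=09000001 type=event subtype="admin" '
    'user=daemon_admin ui=system action=delete status=success '
    'msg="User daemon_admin deleted staged_signature_list 060050053 from sig_update"',
    'v015xxxxdate=2025-02-14 time=12:09:10 log_id=09000001 type=event subtype="admin" '
    'user=admin ui=GUI(192.0.2.10) action=edit status=success msg="constructed sample"',
    'v015xxxxdate=2025-02-14 time=12:11:30 log_id=09000001 type=event subtype="admin" '
    'user=daemon_admin ui=ssh(192.0.2.77) action=edit status=success msg="constructed sample"',
]

if __name__ == '__main__':
    for row in triage(SAMPLE):
        print(*row)
```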