Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
James_G
Contributor III

FSSO missing user logon events in DC agent mode - "Too much request in the queue"

Hi all - have FSSO in DC agent mode missing logon events and producing the following error in the dcagentlog (when logging enabled). I have a call open with support, but expect the forums could beat them to the fix the speed they are returning to my issues at the moment. Anyone with any ideas?

 

02/25/2021 17:31:51.428: processing Logon (level=1, logonid=0-0) WINCHNT\jgXXX (James XXX) from DESKTOP-WCCJB7E

Domain:WINCHNT DNS suffix added:XXX.uk.

Too much request in the queue, discard this logon event, domain:WINCHNT, workstation:DESKTOP-WCCJB7E, user:jgXXX, request in queue:100001

02/25/2021 17:31:51.428: finish processing.

6 REPLIES 6
Philippe_Gagne
Contributor

Hi,

 

How the configuration is done in your Fortigate? Poll Active Directory or Full Collector?

 

I already saw some installation where Polling was not fast enough to process all requests. 

 

The most stable configuration is:

DC Agent installed on all Active Directory Domain Controllers

Collector on one or two servers or AD, two is only for redundancy purpose

FSSO Agent on Windows AD configured in the Fortigate (External Connectors).

 

With this configuration, I saw more than 800 computers in less than 15 minutes loging on the domain.

 

I hope it helps! :)

 

Regards,

 

Philippe

James_G

I am running full DC agent and collector on each domain controller, but seems that cannot keep up.

Philippe_Gagne

User group source? Local or Collector Agent in the Fortigate.

 

In the collector: standard or advanced?

 

 

James_G

User group source? Local or Collector Agent in the Fortigate. --> tried both, still fails

In the collector: standard or advanced? --> tried both, still fails

Philippe_Gagne

Hi James,

 

Did you find a solution?

 

Is the collector runs as a Domain user that can read Security Event Log? And where the collector is installed?

 

Regards

 

James_G

Set "donot_resolve = 1" in the registry key of the FSSO DC agent

 

It can happen when the DC agent cannot resolve DNS names. Can I ask you please to follow this KB and disable DNS name lookup on DC Agent: https://kb.fortinet.com/k....do?externalID=FD37705

Labels
Top Kudoed Authors