Hi.
I've been struggling hard for a couple of days getting the Collector Agent (CA) to work in our environment. We're new to Fortigate and will be using this firewall for internal users to access Internet.
We want to be able to see which user have accessed what pages so we need to integrate with our AD-environment.
I have the CA installed on a Domain Member Server (not the DC's) and set up to poll the "Security Event Logs" for logons.
In the CA, if I look at "Show Monitored DC's" I see our 4 DC's and I can see that the "Logon Events" are increasing so some information is coming to the CA.
When I look at "Show Logon Users" it is empty. No users are shown.
I can see that the Fortigate is connected to the CA as well so that communication is up.
We've created a service-account that is a member of Domain Users, Event Log Reader, and local admin for the server where CA is installed and that is used for starting the service.
This should be sufficient according to https://kb.fortinet.com/k....do?externalId=FD36039
Since this is a new install and we haven't used Fortinet or CA before we're a bit unsure how it should look when it's working.
Should we be able to see all the Logged on users in the AD in "Show Logon Users".
Do I need to do anything in the Fortigate to get the user-info from CA. We have a Web-filter policy applied with all categories set up to Monitor.
I've tried to look at the debug-logs in CA but can't find any real clues.
The domain is fairly large (more than 10k employees, not sure how many users/groups in the AD) and I've also done some tests to setup a Group-Filter in CA to limit to only one OU but that made no difference.
Would really appreciate some help.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
We have now solved it so that we can use polling of the event log and get result. Polling and use WMI is still not working.
It turned out that there were some registry-changes that had to be done on the DC (I don't have access to that so not sure what was done) and one important thing was that we needed to change what EventID's we looked for.
In the Advanced settings on the Collector Agent you can define what EventID's to poll. Default Set is "0" which didn't provide any results in our log.
"1" is the extended set and that gave no results either.
We then added some eventID's manually and then it started to work.
I also found this TechTip:
https://kb.fortinet.com/k....do?externalId=FD36424
Apparently there is an option "2" as well, and when we use that we get all the logs that we need. This option is not visible anywhere in the CollectorAgent.
Might help someone else.
/T
I am very, very grateful to you !!!
I've spent two days, trying to make collector catch logon events. You post helped me at least!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.