Hello if you can help me with a clarification, I am setting up a small lab with an ad win server 2008, and seeing the logon and logoff events log I see that when entering the user credentials in a pc they register several 4624 logon events and then several of 4634 of logoff, reading a bit I find that these events can be of various types, I see events type 3 that are network and events type 2 Interactive and others have no type, for the case of the installation of collector and dc agent what kinds of events and type it takes to send the collector and collector to fortigate. According to documentation http://kb.fortinet.com/kb....do?externalID=FD36424 I do not see a relation of the 4634 events that correspond to logoff Thank you
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
AFAIK Collector, if set, process all 4624, but due to misleading info in type 3 (Network) those are going to be excluded from 4624 processing. I'm also unaware of 4634 processing. Collector used to use Remote Registry Service and now they use WMI API to check user presence without relying on 4634.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi Tomas,
we have more or less the same problem, the CA missing several logon, all logon have Event ID 4624 type 3, I don't know how to troubleshooting this problem, because the situation is very randomicaly.
Have you Suggestions ?
Thanks
Hi,
4624 type 3 are Network logons. Logons like to shared printer or folder. Most probably you do not want those logons in your FSSO at all, as their Data contain misleading IP so the users overwrite each other in FSSO user list. Similar issue as with RDP.
We can use re_4624 entry to get rid of 4624 type 3.
Launch regedit.exe, go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent, create an entry called "re_4624", the type for this entry is REG_SZ, enter value 'LogonType:(?!3).', it could filter out EventID 4624 Network logon (type 3).
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Iit's strange because on MS Event I see only Event IP 4624 type 3 on logon event, if I filtered out this type of events probably the CA stop to collect logon user, isn't it ? It's very strange, the MS DC are W2008R2, so as describe in Fortinet KB I aspect me that the Event ID generated are : 4768, 4769*, 4776, 4624, 4770.
Gionata
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.