I found a not-so-happy behaviour on the FSSO Collector Agent that makes some troubleshooting harder.
For example: a user logs in at 10:14 and is working on his workstation. When I check the FSSO Logon Users at 10:27 I can see that the user is logged in with status OK. If I check the status one minute later the user is not in the list. But the user is still on the FortiGate. A few seconds later the user is in the list again with the logon time 10:14 as at the beginning. After some time the user is missing until the next logon.
Is this a correct behaviour?
I checked it in the lab with 3 users with the same results.
Also, when the user disappears from the primary FSSO Collector Agent it is still in the list on the secondary Collector Agent. Some time later the same user is missing on the second Collector Agent as well.
- I guess that list means 'Show Logon Users' on the Collector
- turn the log to debug level and the Collector will tell you why the user is gone
'user disappears from the primary FSSO Collector Agent it is still in the list on the secondary Collector'
- this is actually normal situation, as there is no sync (or any sort of clustering) between collectors
- every single collector forms its own idea about logged-on users, and due to processing delays and timers it might happen that the list and total number of logged-on users differ slightly between the collectors even when they handle the very same DCs/domain.
- the Collector does use the WMI MSFT API to check stuff, and the mentioned server cannot be queried via WMI
- why? could be misconfigured WMI (or even missing WMI support, but it should be supported since Win2000); it could also be that the user under which the Collector runs does not have enough access rights to contact WMI.
- it might also be that 192.168.221.100 is not a Windows machine but some macOS host with a domain connector, which generates a 4624 logon event ID on the DC that FSSO will process (WinSec/WinSecWMI polling), and macOS most probably won't respond to WMI.
- That's why the general recommendation is to INSTALL and RUN the Collector under a Domain Admins group member account
'wksta_check: workstation has no valid IP address'
- that's the workstation check done through the Remote Registry Service (not WMI as in the previous log)
- so it looks like your system is capable of doing Remote Registry but not WMI
- check WMI and OS versions or disable WMI on the Collector ..
-- if polling then use WinSec instead of WinSecWMI
-- in Advanced Settings / General / Workstation Check / uncheck option 'Use WMI to check user logoff'
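As an added diagnostic (not code from this thread or from Fortinet), the PowerShell script below reproduces the two workstation checks described above, WMI and Remote Registry, against the source IPs seen in recent 4624 events on the DC, so you can see which path fails for a given host. It assumes it is run on the Collector host under the Collector's service account; the DC name and the WMI class queried are assumptions, not Fortinet's actual implementation.

```powershell
# Added diagnostic, not Fortinet's code: reproduce the two workstation checks
# the reply describes (WMI and Remote Registry) against the workstations seen
# in recent 4624 events, to see which path fails for a given host.
# Assumptions: run on the Collector host as the Collector's service account;
# $DomainController is a placeholder; the WMI class queried is an assumption.
param([string]$DomainController = 'DC01.example.local', [int]$LookbackMinutes = 30)

function Test-WmiWorkstation {
    param([string]$Computer)
    try {
        # Ask the workstation over WMI who is logged on (logoff-check style query)
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Computer -ErrorAction Stop
        return [pscustomobject]@{ Wmi = $true; User = $cs.UserName }
    } catch { return [pscustomobject]@{ Wmi = $false; User = $null } }
}

function Test-RemoteRegistryWorkstation {
    param([string]$Computer)
    try {
        # The non-WMI path: open HKLM remotely through the Remote Registry service
        $key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key.Close(); return $true
    } catch { return $false }
}

# Recent 4624 logons from the DC Security log, i.e. what WinSec polling reads
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop

$results = foreach ($e in $events) {
    $x = [xml]$e.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Skip machine accounts and logons with no usable source IP (wksta_check would fail these)
    if ($d.TargetUserName -like '*$' -or $d.IpAddress -in @('-', '127.0.0.1', '::1', $null)) { continue }
    $wmi = Test-WmiWorkstation -Computer $d.IpAddress
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Workstation = $d.IpAddress
        LogonType   = $d.LogonType
        WmiOk       = $wmi.Wmi
        WmiUser     = $wmi.User
        RemoteRegOk = Test-RemoteRegistryWorkstation -Computer $d.IpAddress
    }
}
$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

A row with RemoteRegOk true and WmiOk false is the pattern the reply describes (Remote Registry works, WMI does not), which points at WMI configuration, service-account rights, or a non-Windows host rather than at the event log polling itself.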
I'm having the same difficulties using the CA (without DC agent).
The service account is a member of the Event Log Readers group.
The agent status is showing multiple logon events with correct timestamps.
But no user logons are listed on the agent.
What can be the cause of this issue?
CA 5.0.0271 is installed on a non-DC and is polling the DC using the regular event log polling method.