It is my understanding that the FSSO agent does not need to be installed on Domain Controllers, but can be installed on member servers as well. We are moving our domain controllers to Server Core.
Now the old FSSO agents are installed on the domain controllers, which still have the GUI installed. Within the FSSO agent we see that Polling mode is enabled. We can see the old DCs and the new DCs in the "Show Monitored DCs" list. We can select the newly installed Server Core servers and join them to the monitored DC list. We can also see that the Collector Agent is pulling events from these newly provisioned DCs.
Eventually the OLD DCs (with GUI) will need to be demoted, at which point we are forced to move the FSSO agent to other machines. Now I have installed the FSSO agent on two member servers, however we fail to get any logon events. I can select the DCs in the Monitored DC list, but no events are coming in. I have verified that the service is running under the service account and have verified that the service account is able to retrieve Security logs from the domain controllers. Besides this, the same service account has been used as in the old configuration. I have also verified the ports on which the member servers can communicate with the DCs: ports 445 and 3298(GC). I have also verified that the member server where the new Collector Agent is installed is listening on port 8000 TCP and 8002 UDP. We also noticed that the CollectorAgent log file is not created on the new installations, but we see the following event appearing in the CAMonitor log file:
11/22/2023 12:20:46 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:20:56 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:06 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:16 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:26 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:37 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:47 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:57 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:07 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:17 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:27 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:37 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:48 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:58 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:23:08 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:23:18 [ 6868] unknown message received:86 len:268435456
Any advice would be greatly appreciated.
I am not sure if this is your exact problem, but one thing that people often forget is giving the service account rights to modify FSSO's install folder and its own registry keys. So I would recommend checking that first.
Relevant KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-a-Fortinet-Single-Sign-On-Agen...
- specifically the parts about registry and folder permissions
Thanks for bringing that to our attention, yet currently this is not the issue, as the service account is currently a member of the Administrators group. Limiting the privileges of the service account is a task on my to-do list, so this tip is greatly appreciated, as it will help me when I clip the wings of the service account.
Which FSSO agent version, and which AD version?
Also check this doc if you forgot some prerequisite:
The FSSO client is DCAgent_Setup_5.0.0275_x64.
The member servers are Windows Server 2019, and the old domain controllers are Windows Server 2016. The new Server Core servers are Windows Server 2022.
Currently the account is still a member of Administrators, and thus has access to the event log on the DCs. When I remove the account from the Administrators group, I need to give the account Event Log Readers privileges and DCOM and WMI access, in order to allow it access to the event logs on the DCs.
Agent 5 b 0275 is old and not compatible with Windows 2019/2022.
Update it first then try again.
For Windows Server 2022, you have to be running 5.0 build 0308 or a later version of the FSSO Collector Agent.
Finally got hold of FSSO client 5.0.0310, and still the same issue. We can see the DCs, but no events are collected. I also found a good article which explains some of my questions: Technical Tip: FSSO choose between DC Agent mode o... - Fortinet Community.
As we are using polling mode, we do not need to install the DC Agent on the DCs. The FSSO Collector should be sufficient.
Hey Killerbe,
you can refer to this article to test the service account:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Checking-Collector-Agent-service-account-p...
It should let you verify if the service account does in fact have the necessary permissions to query event logs.
If not already done, I would suggest setting the 'Event IDs to poll' to the value 2 (https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-event-IDs-used-by-FSSO-in...).
If you still have the issue, please set the log level in Collector Agent to Debug, increase the log file size to at least 50 MB (in debug level, a LOT of logs are generated), then wait a few minutes and then click on 'View Log File'. I would not recommend sharing it here, as a lot of sensitive data will be gathered, but you might find some errors buried somewhere in the log files. If unsure, you can also reach out to Fortinet Technical Support and share the log file for further assistance in figuring out why polling mode is failing.
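The check the post above recommends (can the service account actually read the Security log on each DC, and is the collector listening where the thread says it should) can be scripted. The following PowerShell is an added example, not from this thread and not Fortinet's own tooling. It assumes you start the PowerShell session as the Collector Agent service account (for example with runas), that the DC names and the account name are replaced with your own (the values below are placeholders), and that the "3298(GC)" in the original post refers to the standard global catalog port, 3268.

```powershell
# Added example (not from the thread or from Fortinet). Run in a PowerShell
# session started AS the FSSO service account on the member server hosting
# the Collector Agent, e.g.:  runas /user:CONTOSO\svc_fsso powershell.exe
# All names below are placeholders; replace them with your own DCs and account.

$DCs            = @('dc01.contoso.local', 'dc02.contoso.local')  # placeholder: monitored DCs
$ServiceAccount = 'CONTOSO\svc_fsso'                              # placeholder: collector service account

# Standard Windows Security-log IDs for logon activity (not FSSO-specific values):
# 4624 = successful logon, 4768 = Kerberos TGT requested, 4776 = NTLM credential validation
$LogonEventIds = 4624, 4768, 4776

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as: $me"
if ($me -ne $ServiceAccount) {
    # Most common mistake: testing as your own admin account instead of the service account.
    Write-Warning "Not running as $ServiceAccount; the results below test the wrong identity."
}

foreach ($dc in $DCs) {
    Write-Host "`n=== $dc ==="

    # 1. Reachability on the ports the thread lists for collector-to-DC traffic
    #    (445 = SMB/RPC used for remote event log access, 3268 = global catalog LDAP).
    foreach ($port in 445, 3268) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("TCP {0,-5} {1}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    }

    # 2. Remote Security-log read with the current identity. Polling mode depends on
    #    exactly this; a failure here points at missing Event Log Readers / DCOM / WMI
    #    rights on that DC (or a firewall), not at the Collector Agent itself.
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = $LogonEventIds
            StartTime = (Get-Date).AddMinutes(-15)
        } -MaxEvents 5 -ErrorAction Stop
        Write-Host "Security log readable: yes ($($events.Count) recent logon events)"
        $events | Select-Object TimeCreated, Id, MachineName | Format-Table -AutoSize
    } catch {
        if ($_.Exception.Message -like 'No events were found*') {
            # The read itself succeeded; there just were no logons in the last 15 minutes.
            Write-Host "Security log readable: yes (no matching logon events in the last 15 minutes)"
        } else {
            Write-Warning "Security log read FAILED on $dc : $($_.Exception.Message)"
        }
    }
}

# 3. Confirm the Collector Agent is listening locally on the ports the thread mentions
#    (8000/TCP is used by FortiGate to reach the collector, 8002/UDP by DC Agents).
$tcp = Get-NetTCPConnection -LocalPort 8000 -State Listen -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint  -LocalPort 8002 -ErrorAction SilentlyContinue
Write-Host ("`nCollector listening 8000/TCP: {0}   8002/UDP: {1}" -f [bool]$tcp, [bool]$udp)
```

The identity warning at the top is deliberate: a read that works under your own domain admin session proves nothing about the service account. If step 2 succeeds for every DC under the service account but the collector still produces no CollectorAgent log file, the problem is local to the agent installation (log folder or registry permissions, as the earlier reply suggested) rather than in event log access.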
I had already verified the permissions of the account, and verified it again. The account is able to retrieve the event logs from the DC. I changed the logging to "debug", however when I click "View Log File", it fails to retrieve the log file. I have verified the registry and logging is enabled in the registry, but no log file is created in the FortiGate FSAE folder.