Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Killerbe
New Contributor

FSSO agent

It is to my understanding that the FSSO agent does not need to be installed on Domain Controllers, but can be installed on Member servers as well. We are moving our domain controllers to server core.

Now the old FSSO agents are installed on the domain controllers which still have the GUI installed. Within the FSSO agent we see that Poling mode is enabled. We can see the old DC's and the new DC's in the "Show Monitored DC's". We can select the newly installed server core's and join them in the monitored DC list. We can also see that the Collector agent is pulling events from these newly provisioned DC's.

Eventually the OLD DC's (with GUI) will need to be demoted, where we are forced to move the FSSO agent to other machines. Now I have installed the FSSO agent on two member servers, however we fail to get any logon events. I can select the DC's in the Monitored DC list, but no events are coming in. I have verified that the service is running under the service account and have verified that the service account is able to retrieve Security logs from the domain controllers. Besides this, the same service account has been used as in the old configuration. I have also verified the Ports in which the members server can communicate with the DC's on ports 445 and 3298(GC). Also verified that the member server where the new collector agent is installed is listening on Port 8000TCP and 8002 UDP. We also noticed that the CollectorAgent log file is not created on the new installations, but see following event appearing in the CAMonitor log file:

11/22/2023 12:20:46 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:20:56 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:06 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:16 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:26 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:37 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:47 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:57 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:07 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:17 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:27 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:37 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:48 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:58 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:23:08 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:23:18 [ 6868] unknown message received:86 len:268435456

Any advice would be greatly appreciated.

14 REPLIES 14
Debbie_FTNT

Usually, no logfile is created if the service account has no permissions to the registry. If you refer back to the KB above with service account permissions, you should see in it details on what registry permissions the account needs; if those are not in place a lot of features will not work because the service account cannot access relevant registry keys.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Killerbe

Ok, now i am completely stumped. The fortigate service account under which the service is running is member of the administrators group, and has therefore full controll over the registry \HKLM\Software\WOW6432Node\Fortinet\FSAE\collectoragent

i have add the account explicitly and now i can receive logs, however no log file is created

 

Debbie_FTNT

I'm honestly also stumped - I would want to do a remote session to see it live and dig into it in greater detail, but that's not something we can do over a forum thread, so if the lack of log file is of concern (and I would consider it concerning, as troubleshooting is nearly impossible without it), I would suggest opening a support ticket.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
AEK

Ensure that fortigate service account has RW permission on the agent folder in order to write logs in there.

On the other hand I'd suggest to try upgrade your agent to a new version to avoid possible old bugs.

AEK
AEK
pminarik

Windows permissions can be a mess.

 

Whenever in doubt (such as right now), remember that you can go to Security/Permissions > Advanced > Effective Access > pick the exact service account, and check what permissions it actually has. This is applicable both to the folder and to the registry key.

[ corrections always welcome ]
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors