Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

FortiAuthenticator: Windows Event Log sources

At my customer the event logs are forwarded using WEF to an event log collector(over windows machine). I would like to read from this server and not from the DC's directly.  Is this possible?

I guess it searches by default the security log.  Can you specify a custom event log?




it is possible.

However, as that target WEF host is most probably ordinary server class Windows OS, then it is NOT a DC.

Therefore FSSO Collector agent is not going to see it in the list of monitor-able domain controllers. And you are not able to select it directly from this part of Collector config.


Configure your FSSO Collector this way:


1. in Advanced Settings, tab Forwarded Event Server, set your FEW details (domain + server FQDN/IP) there.


2. after you set this, you should have a registry record called "fs_list" in folowing location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent\


3. select Domains to Monitor in GUI, make sure you have selected the domain(s) you want to monitor,

after you've done this, you should find those in registry entry called "domain_list".


4. Set Event IDs to poll in Advanced Setting to 2. That's wildcard for a group of Windows EventIDs used in nowadays Windows OS which carries suitable user info for FSSO purposes.

More on those events and wildcards on 


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff


Hi Tom,


Tnx for you reply but I will not be using a collector agent I will be using FortiAuthenticator VMWare appliance.

No agent required for DC polling mode here.

Or am I misunderstanding something here.  


Ups, my bad .. I misunderstood the point of FAC being used as collector. I've never seen FAC vs WEF being used. And have no such environment ready for quick test. Never built one.


However as in FAC you are defining sources manually, I'd give it a try to simply set up one against that Event log collector.

Then, Monitor (direct link https://FAC-IP/admin/fssomonitor/connecteddomaincontroller/ ), should show you more details, especially Last Event, Connection status and hopefully increasing Event Counter.



"No agent required for DC polling mode here."

Not sure I understand that point as well.

Standalone Collector Agent, as well as FortiAuthenticator (FAC in short) are both 'collectors'.

And as such can do polling, as well as process other SSO sources, like updates from DC Agents, TS Agents. As well as process RADIUS Accounting and various other sources to make them into FSSO records passed to FortiGate (FGT) units.

They are mainly same, equivalent.

But there ARE differences between standalone Collector Agent and FAC as collector agent.

FAC has slightly more features included (SSOMA support, Syslog as source, SAML sources, portal services, more fine grained filtering instead of just Group Filter, more variable DNS lookups, more precise control on Group Cache .. main diffs). FAC is a little bit more scalable via Tiered architecture.

But FAC is paid solution with licensed users model while standalone Collector is free of charge component distributed under FortiOS on  portal. I do like both solutions. Each has it's advantages and so use cases.


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Top Kudoed Authors