FortiSIEM Agent on Windows not sending logs to Collector or Super (only PH_ logs are received via SNMP)
Hi guys
I'm experiencing this kind of issue with the FortiSIEM agent on Windows Server 2022: the agent is not able to send logs related to Sysmon or any other kind of logs, even with different Windows agent template associations.
When SNMP is configured to send info, the Supervisor is able to show this on the performance and analytics real-time dashboards, but when the filter is like "Event Type NOT CONTAIN PH", I can't see any logs; it is supposed to show the events, system events, etc.
The CMDB shows the server with agent status "Running active" and method "snmp, agent, ping", so there is no connectivity problem here.
How can I get some tips to solve this?
Thank you!
I updated the agent to version 7.1.1 and it solved everything.
Thank you!
Hi,
You created a Windows Agent template and added the relevant host into that template, right?
Hi @adem_netsys, thank you for your reply. Yes, I linked the host as the GUI suggests in this step and then applied the settings at the end.
When no template is associated with the host, the CMDB agent status is "Registered". In this case, the state shows "Running active".
Created on 12-05-2023 05:47 AM, edited on 12-05-2023 05:49 AM
Can you see the policy name in the CMDB? If you are using a tenant structure, you may need to search in the tenant you are on.
Yes, it shows the policy before the status "Running active".
Analytics, either from the Super view or the direct tenant view, only show PH logs from SNMP.
Hi,
Maybe a couple of things to check:
- Are you running the SNMP discovery from the collector or from the super?
- If you do a tcpdump from the CLI of the collector, can you see anything coming in from the server?
- Is the correct auditing configured on the server?
I hope that helps!
Hello @Richie_C,
1. From the super, I guess, because the credentials were added there and the SNMP discovery was done from the super. (The server is allowed to send traps to the collector and the super.)
2. tcpdump from the collector shows SNMP notifications from the Windows server; from the super, tcpdump shows other kinds of traffic (HTTPS related).
3. I followed this topic about sysmon: https://community.fortinet.com/t5/FortiSIEM/Technical-Tip-Configure-Sysmon-with-Windows-Agent/ta-p/1...
You said: "Is the correct auditing configured on the server?"
eventvwr.msc shows plenty of logs from Security, System, DNS, ... The agent template relates to these events and was applied to the host. What am I missing in this step?
Thank you!
Hi,
Could you share a screenshot of the agent template? This will help me understand the events you are trying to collect.
Thanks
Richard
In my example, I am trying to collect security logs.
Also, please make sure you hit the Apply button in the template association. Save is not enough. This has caused a problem for me in the past :)
And finally, make sure the Windows server has auditing configured. For my example above, I enabled auditing for logon events (both success and failure). This can be found in Programs > Administrative Tools > Local Security Policy.
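A quick way to confirm the auditing step from the post above before suspecting the agent or the template, added here as an example (it is not from the thread or from Fortinet). It assumes an elevated PowerShell session on the monitored Windows host and uses the built-in auditpol and Get-WinEvent to check that Logon auditing is set to success and failure and that Security events are actually being written.

```powershell
# Added example (not part of the thread): verify the Windows side of the
# pipeline. If auditing is off or the Security log is empty, the FortiSIEM
# agent has nothing to forward, whatever the template says.
# Assumption: run as Administrator on the monitored Windows Server.

function Get-LogonAuditSetting {
    # 'auditpol /r' emits CSV with columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
    $row  = $rows | Where-Object { $_.Subcategory -eq 'Logon' } | Select-Object -First 1
    if (-not $row) { throw "auditpol returned no 'Logon' subcategory row" }
    # One of: 'Success and Failure', 'Success', 'Failure', 'No Auditing'
    return $row.'Inclusion Setting'
}

function Test-LogonAuditing {
    # Mirrors the post above: both success and failure should be audited.
    $setting = Get-LogonAuditSetting
    [pscustomobject]@{
        Check = 'Audit Logon = Success and Failure'
        Value = $setting
        Pass  = ($setting -eq 'Success and Failure')
    }
}

function Test-SecurityLogActivity {
    param([int]$Minutes = 60)
    # With logon auditing on, 4624 (success) / 4625 (failure) should appear
    # regularly; zero hits means there is nothing for the agent to ship.
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue
    $count  = @($events).Count
    [pscustomobject]@{
        Check = "Logon events 4624/4625 in last $Minutes min"
        Value = $count
        Pass  = ($count -gt 0)
    }
}

@( (Test-LogonAuditing), (Test-SecurityLogActivity -Minutes 60) ) | Format-Table -AutoSize
```

If the first check fails, the Local Security Policy step above has not taken effect; if only the second fails, auditing is on but no logon has happened in the window, so trigger a test logon and re-run before looking at the collector.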
