FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Article Id 189910



This article discusses Windows event IDs used by FSSO in WinSec polling mode.








  1. FSSO Collector Agent with Windows Security Event Log polling mode supports the following Windows Event IDs:
  • Windows 2008/2012/2016/2019 Event IDs: 4768, 4769*, 4776, 4624, 4770 **.
  • Windows 2003 Event IDs: 672, 673*, 680, 528, 540 **.

* Some Event IDs are not supported alone and they required another event to correlate the login information.

For example:


  • Event 4769 requires 4768.
  • Event 673 requires 672.

** By default the Collector Agent is using a subset of events. Which event IDs are monitored is configurable with 'Windows Security Event ID to poll' under Advanced settings:


  • 0 - polls: 672, 680, 4768, 4776 - this is the default subset.
  • 1 - polls: 672, 673, 680, 4768, 4769, 4776.
  • 2 - polls: 672, 673, 680, 4768, 4769, 4776, 4624 (EventID 4624 was added to default polling in Windows 2016 for better support of MacOS and newer Windows server platforms).
  • <EventID1;EventID2;...;EventIDn> - polls info from specific Event ID or IDs. e.g 4768;4769;4624.






     2. FortiGate (FGT) has an integrated poller as well. Its local polling mode also uses the Windows Security Event logs, however, currently the supported event subset is smaller.


  • Windows 2008/2012/2016/2019 Event IDs: 4768, 4769, 4776.
  • Windows 2003 Event IDs: 672, 673.


If FortiGate poller debug log shows 'no domain from <IP>' then 'default-domain' should be set in the 'config user fsso-polling' configuration to avoid this failure.


     3. FortiAuthenticator supports the following event IDs:


  • Windows 2008/2012/2016/2019 Event IDs: 4768, 4769*, 4624*, 4770*, 4776.
  • Windows 2003 Event IDs: 672, 673*, 674*, 680, 528*, 540*.

* Support for these events is available by enabling under the Fortinet Single Sign-On (FSSO) section -> SSO -> General -> Enable Windows event log polling (e.g. domain controllers/Exchange servers) [Configure Events].


Note that if there is no Event in the Windows Security Event log, FSSO cannot pick the users/machines up either.
If the events IDs are not generated likely an auditing group policy is prohibiting this.

Related Articles:


Technical Tip: FSSO local poller (FSSOD) limitations compared to FSSO collector agent.

Technical Tip: FSSO choose between DC Agent mode or Polling mode

Technical Tip: Downloading FSSO agent software

Technical Tip: How to validate MD5 checksum hash for FSSO installer

Technical Tip: How to install FSSO Collector Agent

Technical Tip: Comparison between DC-Agent mode and polling mode

Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets