FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
yujames
Staff
Article Id 190449

Description

This document describes troubleshooting steps to follow when the Windows Agent installation fails because of common pitfalls.
 


Scope

FortiSIEM v5.2.1+
FortiSIEM Windows Agent 3.1.0+
Windows Server 2008 R2+



Solution

Verify Basic Windows Agent Requirements:

1 - Ensure that the Windows Agent installation file and installsettings.xml are in the same directory

2 - Ensure that the configuration for the Windows Agent has been set up with the correct credentials
 
 
 
 
 
Verify System Configuration:
1 - Verify that the OS is Windows Server 2008 R2+
2 - Verify that you are an Administrative User
3 - Log onto FortiSIEM version 5.2.1+ > Admin > License and verify that there are available seats in the license for Windows Agent
 
4 - Verify that the TLS 1.2 connection protocol has been forced on (the attachment contains the registry keys to disable and enable the proper protocols). If the TLS 1.2 protocol is not being used, please run the batch file to enable TLS 1.2.
NOTE: Before running the batch file, please review it and verify that no other protocols are required. The batch file will disable TLS 1.0 -> 1.1, SSL 2.0, SSL 3.0 and PCT 1.0 for both server and client directions.
5 - Verify connectivity with the FortiSIEM Supervisor and Collector on port 443 from the Windows Server.
6 - Verify the configuration for the Windows Agent and ensure that the Windows Agent Template has been applied in the FortiSIEM Supervisor
Location: Admin > Setup > Windows Agent
7 - Once Steps 1-5 have been confirmed, please install the Windows Agent once more.
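The checks in steps 4 and 5 can be scripted. The following PowerShell is an added example, not the attachment referenced above and not Fortinet code: it reads the standard Windows SCHANNEL protocol settings without changing them, then attempts a TLS 1.2-only handshake on port 443. The host name is a placeholder, and PowerShell 3.0+ with .NET Framework 4.5+ is assumed.

```powershell
# Added example: read-only audit for steps 4 and 5. Nothing is written to the registry.
# Assumption: PowerShell 3.0+ and .NET Framework 4.5+ (needed for the Tls12 enum value).
param(
    [string]$FsmHost = 'supervisor.example.local',  # placeholder: Supervisor or Collector
    [int]$Port = 443
)

# Standard Windows SCHANNEL location for per-protocol settings.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

$report = foreach ($proto in $protocols) {
    foreach ($role in 'Client', 'Server') {
        $v = Get-ItemProperty -Path "$base\$proto\$role" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            # A missing key or value means the OS default for that protocol applies.
            Enabled           = if ($v -and $null -ne $v.Enabled) { $v.Enabled } else { 'OS default' }
            DisabledByDefault = if ($v -and $null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { 'OS default' }
        }
    }
}
$report | Format-Table -AutoSize | Out-String

# Attempt a TLS 1.2-only handshake. The callback records certificate policy errors
# but lets the handshake proceed, so only protocol negotiation is being tested.
$script:certErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $cert, $chain, $errors) $script:certErrors = $errors; $true
}
$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($FsmHost, $Port)
    $stream = $tcp.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
    $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
    $ssl.AuthenticateAsClient($FsmHost, $null, $tls12, $false)
    "TLS handshake with ${FsmHost}:$Port succeeded: $($ssl.SslProtocol), certificate policy errors: $script:certErrors"
} catch {
    "TCP connect or TLS 1.2 handshake with ${FsmHost}:$Port failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```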
If the installation in step 7 still fails, please gather the necessary data and attach it to an open Technical Ticket with FortiSIEM Support:
 
 
 
Provide Debug Installation Logs:
1 - Connect to the Windows Server
2 - Open a command prompt: Start > RUN > cmd
3 - Run: msiexec.exe /i "C:\<WINDOWS AGENT PATH>\FSM_WindowAgent_64bit_3.1.0_buildxxx.msi" /l*v C:\<WINDOWS AGENT PATH>\install_failure.log
Example: msiexec.exe /i "C:\test\FSM_WindowAgent_64bit_3.1.0_buildxxx.msi" /l*v C:\test\install_failure.log
4 - Collect the file C:\<WINDOWS AGENT PATH>\install_failure.log
5 - Collect the file C:\programdata\AccelOps\Agent\Logs\proxytrace.log
 
 
 
Provide PCAP for Windows Agent Installation:
This portion can be performed in parallel with the "Provide Debug Installation Logs" section if desired.
 
1 - SSH into the supervisor as root
2 - Run: tcpdump -w /tmp/windows_installation_failure.pcap -s 0 port 443 and host <IP of the Windows Server>
Example: tcpdump -w /tmp/windows_installation_failure.pcap -s 0 port 443 and host 172.40.50.1
3 - Run Steps 1 -> 3 under the section "Provide Debug Installation Logs"
4 - Once Step 3 has finished failing, press CTRL+C at the prompt to stop the capture
5 - Collect and download /tmp/windows_installation_failure.pcap using a file transfer client (e.g. WinSCP or FileZilla)
 
 
 
Provide Supervisor Logs:
1 - SSH into the supervisor as root
2 - Run: phziplogs /tmp 2
3 - Collect and download /tmp/AOLogs.tar using a file transfer client (e.g. WinSCP or FileZilla)
 
 
 
Open a ticket with Support:
1 - Log onto https://support.fortinet.com and open a support ticket providing the following logs:
install_failure.log
proxytrace.log
windows_installation_failure.pcap
AOLogs.tar