FortiGate
mturic
Staff
Article Id 196857

Description

This article describes how to enable logging on the FSSO DC-Agent.

DC-Agent collects logon events on the domain controller on which it is installed and sends them to the FSSO Collector Agent, by default over UDP/8002, or over UDP/8003 when SSL is enabled (DC-Agent 5.0.297 or later).

The FSSO process when using DC-Agent is as follows:

1) A user logon event is written to the Windows Security event log on the domain controller.
2) DC-Agent picks up the logon event, applies its user and domain filters (if configured), and sends the event to the Collector Agent.
3) The Collector Agent applies its own filters and checks whether the user is still logged on and from which IP address.
4) FortiGate connects to the Collector Agent and pulls the logon information.

When a logon event is present in the Security log of the domain controller but is never received by the Collector Agent, enable DC-Agent logging to verify whether DC-Agent processed the event and whether it reported an error while doing so.


Solution

1) Open the Registry Editor (regedit), go to HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent, right-click enable_log and select Modify.

2) Change the value data to 1 to enable DC-Agent logging.

3) By default the DC-Agent log is written to the root of the C:\ partition. To save it elsewhere, change the path in the log_file REG_SZ value.
 
The DC-Agent log should look like the following example:
reload configuration from registry
Failed to read donot_resolve
Failed to read no_keepalive
Failed to read domain_DNSsuffix

read collector agent:10.0.0.10 port:8002 return code:0 index:0
read collector agent:10.0.0.253 port:8002 return code:0 index:1

version:5.0.0278, donot_resolve flag:0 no_keepalive flag:0 log file:c:\dcagentlog.txt ignore list:MT-TEST\sdx_*;MT-TEST\Administrator; domain:MT-TEST (mt-test.local)

collector agent:10.0.0.10 port:8002

collector agent:10.0.0.253 port:8002
11/06/2019 14:22:15.773: finish processing.
Msv1_0SubAuthenticationFilter is called

11/06/2019 14:22:15.836: processing Logon (level=1, logonid=0-0) MT-TEST\MT-TEST_FAC$ () from (null)

Ignore logon event without workstation information.

11/06/2019 14:22:15.836: finish processing.
Msv1_0SubAuthenticationFilter is called

11/06/2019 14:22:18.908: processing Logon (level=1, logonid=0-0) MT-TEST\syntest (syn test) from PC-TEST

Domain:MT-TEST DNS suffix added:mt-test.local.
workstation IP:10.0.0.51
11/06/2019 14:22:18.908: finish processing.

Note: The log file size is hard-coded to 10 MB and, unlike on the Collector Agent, is not configurable.
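To make the verification described above concrete, here is an added example (not Fortinet code, and not part of the original article) that parses a DC-Agent log of the shape shown above and reports, per logon event, whether the agent resolved a workstation IP (and so can forward the event to the Collector Agent), dropped it for lacking workstation information, or neither; it also checks an account against the ignore list from the configuration dump, which explains why a filtered user never produces an event. The sample log is constructed from the excerpt above; the line patterns, the assumption that ignore-list entries are DOMAIN\name globs matched case-insensitively, and the "resolved" classification (the excerpt shows no explicit send confirmation, so a logged workstation IP is the strongest statement the log supports) are the example's own assumptions, not documented Fortinet behaviour.

```python
# Summarize an FSSO DC-Agent log: which logon events were resolved to a workstation IP (and so
# can be forwarded to the Collector Agent) and which the agent dropped. Added example, not
# Fortinet code; it recognises only the line shapes shown in the article's excerpt.
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple
# Constructed sample modelled on the excerpt in the article; not a real capture.
SAMPLE_LOG = r"""
read collector agent:10.0.0.10 port:8002 return code:0 index:0
read collector agent:10.0.0.253 port:8002 return code:0 index:1
version:5.0.0278, donot_resolve flag:0 no_keepalive flag:0 log file:c:\dcagentlog.txt ignore list:MT-TEST\sdx_*;MT-TEST\Administrator; domain:MT-TEST (mt-test.local)
11/06/2019 14:22:15.773: finish processing.
Msv1_0SubAuthenticationFilter is called
11/06/2019 14:22:15.836: processing Logon (level=1, logonid=0-0) MT-TEST\MT-TEST_FAC$ () from (null)
Ignore logon event without workstation information.
11/06/2019 14:22:15.836: finish processing.
11/06/2019 14:22:18.908: processing Logon (level=1, logonid=0-0) MT-TEST\syntest (syn test) from PC-TEST
Domain:MT-TEST DNS suffix added:mt-test.local.
workstation IP:10.0.0.51
11/06/2019 14:22:18.908: finish processing.
"""

COLLECTOR_RE = re.compile(r"^read collector agent:(\S+) port:(\d+) return code:(-?\d+)")
CONFIG_RE = re.compile(r"^version:([^,]+),.*?ignore list:(\S*) domain:(\S+)")
EVENT_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}): processing Logon "
                      r"\([^)]*\) (\S+) \([^)]*\) from (.+)$")
IP_RE = re.compile(r"^workstation IP:(\S+)")
FINISH_RE = re.compile(r"^\d\d/\d\d/\d{4} [\d:.]+: finish processing\.$")

@dataclass
class DCAgentConfig:
    version: Optional[str] = None
    domain: Optional[str] = None
    ignore_list: List[str] = field(default_factory=list)
    collectors: List[Tuple[str, int, int]] = field(default_factory=list)  # (ip, port, return code)

@dataclass
class LogonEvent:
    timestamp: str
    account: str                # DOMAIN\user exactly as logged
    workstation: Optional[str]  # None when the event carried "(null)"
    ip: Optional[str] = None
    ignored_reason: Optional[str] = None
    details: List[str] = field(default_factory=list)  # other lines inside the processing block
    def outcome(self) -> str:
        return "ignored" if self.ignored_reason else ("resolved" if self.ip else "unresolved")

def parse_dcagent_log(text: str) -> Tuple[DCAgentConfig, List[LogonEvent]]:
    """Walk the log once, collecting the configuration dump and each processing block."""
    cfg, events, current = DCAgentConfig(), [], None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if m := COLLECTOR_RE.match(line):
            cfg.collectors.append((m[1], int(m[2]), int(m[3])))
        elif m := CONFIG_RE.match(line):
            cfg.version, cfg.domain = m[1], m[3]
            cfg.ignore_list = [p for p in m[2].split(";") if p]
        elif m := EVENT_RE.match(line):
            current = LogonEvent(m[1], m[2], None if m[3] == "(null)" else m[3])
            events.append(current)
        elif current is None:
            continue  # chatter outside an event (filter call, stray finish line)
        elif FINISH_RE.match(line):
            current = None
        elif m := IP_RE.match(line):
            current.ip = m[1]
        elif line.startswith("Ignore logon event"):
            current.ignored_reason = line.rstrip(".")
        else:
            current.details.append(line)
    return cfg, events

def matches_ignore_list(account: str, ignore_list: List[str]) -> Optional[str]:
    """Pattern matching `account`, if any. Assumption: DOMAIN\\name globs, case-insensitive."""
    acct = account.casefold()
    return next((p for p in ignore_list if fnmatchcase(acct, p.casefold())), None)

def diagnose(cfg: DCAgentConfig, events: List[LogonEvent], account: str) -> List[str]:
    """Explain, from the log alone, why a user's logon may not reach the Collector Agent."""
    notes = []
    if hit := matches_ignore_list(account, cfg.ignore_list):
        notes.append(f"{account} matches ignore-list pattern {hit}: DC-Agent filters it")
    wanted = account.casefold()  # accept DOMAIN\user or a bare user name
    found = [ev for ev in events
             if wanted in (ev.account.casefold(), ev.account.casefold().split("\\", 1)[-1])]
    if not found:
        notes.append(f"no 'processing Logon' line for {account}: this DC-Agent never saw the event")
    for ev in found:
        if ev.outcome() == "resolved":
            notes.append(f"{ev.timestamp}: {ev.workstation} resolved to {ev.ip}, eligible for the collector")
        elif ev.outcome() == "ignored":
            notes.append(f"{ev.timestamp}: dropped, {ev.ignored_reason}")
        else:
            notes.append(f"{ev.timestamp}: no workstation IP logged; details: {ev.details}")
    return notes

if __name__ == "__main__":
    print("\n".join(diagnose(*parse_dcagent_log(SAMPLE_LOG), r"MT-TEST\syntest")))
```

Point parse_dcagent_log at the contents of the real log_file (c:\dcagentlog.txt by default) and call diagnose with the account that is missing on the Collector Agent: no "processing Logon" line means this domain controller never authenticated the user (check which DC handled the logon), an ignore-list hit means the filter is dropping the account, and an event with no workstation IP points at name resolution on the DC rather than at the Collector Agent.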