Troubleshooting Tip: How to read FSSO CA debug logon events

Description

This article describes how to collect and read debug logs output from FSSO-CA (Fortinet Single Sign-On Collector Agent).

Scope

FortiGate, FortiOS, Fortiauthenticathor, FSSO.

Solution

1. Select log level to debug. 
2. Increase log file size.
3. Create a separate file for logon events.
4. Select Apply.
5. Open a copy of most recent debug logs file, during troubleshooting close and open again as needed to load newest logon events.  

Captions: , 

[UPDATE_LOGON_LIST] action:add_new_entry <- into FSSO-CA Database

[UPDATE_LOGON_LIST] action:update_entry <- existing in FSSO-CA Database

[UPDATE_LOGON_LIST] action:remove_entry <- from FSSO-CA Database

[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:USER1 <- '1' register logon on FortiGate.
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:USER1 <- '2' de-register on FortiGate.

[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root <- Event sent to every FortiGate connected.

New logon event received using the DC_Agent method:

[RECV_EVENT_FROM_DC] packet_len:37 dcagent_ip:10.20.30.1 time:1713732662 data_len:24 data:WINPC01/FORTILABMX/user1 ip:192.168.201.199 
[UPDATE_LOGON_LIST] action:add_new_entry workstation:WINPC01 ip:192.168.201.199:0.0.0.0 user:FORTILABMX\user1 
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1

New Logon event obtained using polling mode.

[RECV_EVENT_FROM_DC] packet_len:49 dcagent_ip:10.20.30.1 time:1713748528 data_len:36 data:192.168.201.199/FORTILABMX.NET/user1 ip:0.0.0.0
[UPDATE_LOGON_LIST] action:update_entryworkstation:192.168.201.199 ip:192.168.201.199:0.0.0.0 user:FORTILABMX\user1 <-nslookup to resolve IPv4 and/or IPv6.
[UPDATE_LOGON_LIST] action:add_new_entry workstation:WINPC01 ip:192.168.201.199:0.0.0.0 user:FORTILABMX\user1
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1

Logoff by WMI monitor option configuration.

[WORKSTATION_CHECK] user:FORTILABMX\USER1 is no longer logged on to WINPC01 (192.168.201.199)

More detail. Troubleshooting Tip: User status 'Not Verified' on the FSSO Collector Agent

Logoff when 'Dead entry timeout interval' timer is reached. 

[UPDATE_LOGON_LIST] action:remove_entry WINPC01:user1[192.168.201.199:0.0.0.0] removed. current time:1713730961 last update time:1713730776 age:185 timeout:180 <<< 3 minutes for testing purpouse, 480 default

[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETK18918826-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1

For more information, see Technical Tip: Explanation of FSSO timers.

Workstation IP Change and multiple Fortigates updated example:

[IP_CHANGE_CHECK] workstation:WINPC01 ip changedfrom 192.168.201.199:0.0.0.0 to 192.168.201.180:0.0.0.0 <- nslookup to resolve IPv4 and/or IPv6.

[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FWF61xxxxxx-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1

[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.180 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FWF61xxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.180 workstation:WINPC01 domain:FORTILABMX user:user1

For more information, see Technical Tip: Explanation of FSSO timers and Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets (at point 7, DNS Issues).