
Windows Agent 5.x.x Installation Guide

FortiSIEM Windows Agent 5.x.x

FortiSIEM Windows Agent

FortiSIEM Windows Agents provide a scalable way to collect event logs and other audit data from a large number of Windows servers and workstations.

This section describes how to install, setup, maintain, and troubleshoot FortiSIEM Windows Agent 5.x.x.
Note: Starting with Windows Agent 4.2.0, the Windows Agent Installation offers an enhanced GUI interface.

Prerequisites

Ensure that the following prerequisites are met before installing FortiSIEM Windows Agent:

Supported Operating Systems

FortiSIEM Windows Agent 5.x.x runs on the following Operating Systems:

  • Windows 7 Enterprise/Professional
  • Windows 8
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2016 Core
  • Windows Server 2019
  • Windows Server 2019 Core
  • Windows Server 2022

Supported Languages

All languages in which the Windows Operating System is available are supported.

Hardware Requirements

Component          Requirement
CPU                x86 or x64 (or compatible) at 2 GHz or higher
Hard Disk          10 GB free space (minimum)
Operating System   - Server: Windows Server 2008 R2 and above (strongly recommended)
                   - Desktop: Windows 7, 8, 10 and above
RAM                - 32-bit OS: 2 GB minimum (Windows 7, 8, 10)
                   - 64-bit OS: 4 GB minimum (Windows 7, 8, 10, Windows Server 2008 / 2012)

Software Requirements

Windows Agent Version   Component            Requirement
4.2                     Installed Software   .NET Framework 4.5
4.3.0+                  Installed Software   .NET Framework 4.6 or later

Notes:

  • .NET Framework 4.5 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=30653, and is already available on Windows 8 and Windows Server 2012.
  • .NET Framework 4.6 can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=48137.

Communication Ports

FortiSIEM Windows Agent 5.x.x communicates outbound via HTTPS with Supervisor and Collectors.

  1. The Agent registers to the Supervisor and periodically receives monitoring template updates if any, via HTTP(S).
  2. The Agent then forwards the events to the Collectors via HTTP(S).

Ensure that Firewalls, if any, between the Agents and Supervisor/Collector permit HTTP(S) traffic on port 443. If you decide to upgrade Windows Agent 4.2.0 or later from the Supervisor (see Upgrade from Supervisor), then make sure the Supervisor can communicate with FortiGuard Service (update.fortiguard.net) on port 443 to validate the upgrade images.

Other Installation Considerations

Certificate Validation

The FortiInsight UEBA module uses the WinVerifyTrust API to validate that its executable has not been tampered with. This check requires the full root certificate chain to be present on the endpoint. FortiSIEM Windows Agent is signed with a DigiCert Authenticode certificate, so the DigiCert Trusted Root G4 certificate must be present in the machine certificate store.

Normally these certificates will be updated along with Windows Updates, however if the endpoint device does not allow for Certificate Authorities to be updated via this mechanism, you must install it manually for the FortiInsight UEBA module to work correctly.


These certificates can be found here:

https://www.digicert.com/kb/digicert-root-certificates.htm


Search for G4 root certificate, serial number: 05:9B:1B:57:9E:8E:21:32:E2:39:07:BD:A7:77:75:5C.

Or direct link to DER/CRT: https://cacerts.digicert.com/DigiCertTrustedRootG4.crt


Once the certificate has been downloaded, right-click the .crt file and select Install Certificate. In the wizard, choose Local Machine as the store location and place the certificate in Trusted Root Certification Authorities. A certificate imported into the Current User store is not visible to the agent service, which runs under a service account, so the UEBA check would still fail.
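The following PowerShell script is an added example, not part of this guide or of the FortiSIEM product, that performs the check described above from an elevated prompt. It looks for the DigiCert Trusted Root G4 certificate in the machine Root store by the serial number given above, imports it from the downloaded .crt file if it is missing (after confirming the file's serial), and then verifies the Authenticode signature on the installed agent binary with Get-AuthenticodeSignature, which relies on the same WinVerifyTrust API that the UEBA module uses. The download path C:\Temp\DigiCertTrustedRootG4.crt is an assumption; the agent path is the default install location that appears in the antivirus exclusion list later in this section.

```powershell
# Added example (not Fortinet's code). Run from an elevated PowerShell prompt.
# Assumptions: the .crt was downloaded to C:\Temp; the agent is installed in the default path.

$G4Serial = '059B1B579E8E2132E23907BDA777755C'   # serial from the guide, colons removed
$CrtPath  = 'C:\Temp\DigiCertTrustedRootG4.crt'
$AgentExe = 'C:\Program Files\Fortinet\FortiSIEM\FSMLogAgent.exe'

function Test-G4RootPresent {
    # Match on the serial number rather than the subject name so that a look-alike
    # certificate with the same subject cannot satisfy the check.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
            Where-Object { $_.SerialNumber -ieq $G4Serial }
    return [bool]$cert
}

if (-not (Test-G4RootPresent)) {
    if (-not (Test-Path $CrtPath)) {
        Write-Warning "DigiCert Trusted Root G4 is not in LocalMachine\Root and $CrtPath was not found."
        Write-Warning 'Download it from https://cacerts.digicert.com/DigiCertTrustedRootG4.crt and re-run.'
    } else {
        # Check the serial of the downloaded file before trusting it as a root.
        $downloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CrtPath)
        if ($downloaded.SerialNumber -ine $G4Serial) {
            throw "Downloaded certificate serial $($downloaded.SerialNumber) does not match the expected G4 serial"
        }
        # Import into the machine store, not the current user's store, so the agent service can see it.
        Import-Certificate -FilePath $CrtPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        Write-Host 'Imported DigiCert Trusted Root G4 into LocalMachine\Root'
    }
}

# Get-AuthenticodeSignature builds the chain through WinVerifyTrust, so a Valid status here
# means the binary and its certificate chain pass the same check the UEBA module performs.
if (Test-Path $AgentExe) {
    $sig = Get-AuthenticodeSignature -FilePath $AgentExe
    '{0}: {1} (signer: {2})' -f $AgentExe, $sig.Status, $sig.SignerCertificate.Subject
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature check failed ($($sig.StatusMessage)); the UEBA module will not work correctly"
    }
} else {
    Write-Host "$AgentExe not found; install the agent and re-run the signature check"
}
```

On endpoints where Microsoft's automatic root update is allowed, the G4 root may be fetched on first use even if it is absent from the store, so an empty result from Test-G4RootPresent only matters where that mechanism is blocked, which is exactly the case the guide describes.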

Prerequisites Beginning with Windows Agent 5.0.0 and later

If antivirus software interferes with the FortiSIEM Windows Agent, consider excluding (whitelisting) the following files on the endpoint. This is useful when the antivirus software applies application-sandboxing heuristics to every new application, which can cause high CPU and memory usage and significantly slow down the machine. Scope the exclusions to these exact paths rather than to the whole drive or to the process name.

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\certs.pem
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\cn.bat
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\fins.xml
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Common.dll
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Security.dll
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Utilities.dll
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Utilities.manifest
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.WebProxy.dll
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.WebProxy.manifest
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.WinRTWrapper.dll
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FSMLogAgent.exe
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FSMLogAgent.exe.config
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\License_3rd_party.txt
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\log4net.config
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\log4net.dll
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\monitorStatus.xml
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\osquery.exe
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\data\*
  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\logs\*
  • <Windows drive>:\ProgramData\FortiSIEM\Database\*
  • <Windows drive>:\ProgramData\FortiSIEM\Logs\*
  • <Windows drive>:\Windows\System32\drivers\FortiInsight.sys

Prerequisites Beginning with Windows Agent 3.0

Beginning with Windows Agent release 3.0:

  • Agents must upload event data to a Collector. Therefore, minimum architecture is one Super appliance and one Collector appliance.
  • The Collector must be installed as IPv4 only. Dual stack IPv4/IPv6 or IPv6 Collectors are not supported with Agents.
  • Enable TLS 1.2 for Windows Agent to communicate with FortiSIEM Super/Worker/Collector nodes. Without TLS 1.2 enabled, Windows Agent installation will fail. By default, SSL3 / TLS 1.0 is enabled in Windows 7, 8 and 2008-R2. Before proceeding with the Windows Agent installation, please enable TLS 1.2 (if not already enabled) as follows:
    1. Start elevated Command Prompt (i.e., with administrative privilege)
    2. Run the following commands sequentially as shown.

      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000

  • Switch off Disk Fair Share. If it is on, then the real user in UEBA may not be captured. You can switch it off by running the following commands in powershell:

    $temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")
    $temp.enableDiskFSS = 0
    $temp.put()

    For more information on Disk Fair Share, see https://support.microsoft.com/en-gb/help/4494631/fair-share-technologies-enabled-by-default-in-remote-desktop-services.
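As an added example that is not part of this guide, the PowerShell below makes both prerequisite changes from an elevated prompt and reads them back so the result can be confirmed before the installer is run. It writes the same DisabledByDefault value as the REG ADD command above and additionally sets Enabled=1 under the same key, which is the other Schannel value a hardening baseline may have turned off; the function and variable names are the example's own.

```powershell
# Added example (not Fortinet's code). Run from an elevated PowerShell prompt.
# The Schannel change applies to new TLS sessions; on Windows 7 / 2008 R2 a reboot is the
# conservative choice before installing the agent.

$Tls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

function Enable-Tls12Client {
    # The key does not exist on a default Windows 7 / 2008 R2 install, so create it first.
    if (-not (Test-Path $Tls12Client)) {
        New-Item -Path $Tls12Client -Force | Out-Null
    }
    # DisabledByDefault=0 matches the REG ADD command in the guide; Enabled=1 is added here so a
    # hardening policy that explicitly disabled TLS 1.2 is undone as well.
    New-ItemProperty -Path $Tls12Client -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Tls12Client -Name Enabled           -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-Tls12Client {
    # True only when the key exists, DisabledByDefault is 0 and Enabled is not 0.
    $p = Get-ItemProperty -Path $Tls12Client -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.DisabledByDefault -eq 0) -and ($p.Enabled -ne 0)
}

function Disable-DiskFairShare {
    # Same WMI class the guide uses; Put() writes the change back to the Terminal Services settings.
    $ts = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace 'root\cimv2\terminalservices'
    $ts.enableDiskFSS = 0
    $ts.Put() | Out-Null
}

function Test-DiskFairShareOff {
    $ts = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace 'root\cimv2\terminalservices'
    return ($ts.enableDiskFSS -eq 0)
}

Enable-Tls12Client
Disable-DiskFairShare

'TLS 1.2 client enabled : {0}' -f (Test-Tls12Client)
'Disk Fair Share off    : {0}' -f (Test-DiskFairShareOff)
```

Both Test-* functions should print True before you start the agent installer; if Test-Tls12Client is False after a reboot, a group policy is re-applying the Schannel values and has to be changed at its source.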

Installing Windows Agent

Caution: Before installing FortiSIEM Agent on FortiSIEM nodes themselves, do detailed performance testing first, since FortiSIEM nodes already consume significant CPU to process a high volume of events in real time.

During installation, the Windows Agent will register with FortiSIEM Supervisor.

The required parameters are:

  • SUPER_IP: IP Address or Host name/FQDN of Supervisor node
  • ORG_ID: FortiSIEM Organization Id to which this Agent belongs
  • ORG_NAME: FortiSIEM Organization Name
  • AGENT_USER: Agent user name (for registration only)
  • AGENT_PASSWORD: Agent password (for registration only)
  • HOST_NAME: This name will be displayed in FortiSIEM CMDB. FortiSIEM recommends using a Fully Qualified Domain Name (FQDN), especially if SNMP or WMI is also going to be used against this device. FQDN allows for standardized naming convention.
Caution: For Service Provider installations, the Agent user name and password are defined in the Organization. See here for details.

For Enterprise installations, the Agent user name and password are defined in the CMDB > User page: create a user and check Agent Admin. See here for details.

Follow the instructions for the Windows Agent version you plan to install.

Notes: Starting with release 4.4.0, Agent Setup GUI allows you to select your License Type as Enterprise or Service Provider from a drop-down list.

Starting with release 4.2.0, Agent Setup GUI allows you to enter the Agent Configuration parameters (See Installing Windows Agent 4.2.x and Later via GUI). Also, version 4.2.3 provides a way for the user to install the agent so that service can be stopped (See Installing Windows Agent 4.2.x and Later via Command Line).

Installing Windows Agent in VDI Environment

Starting with release 4.4.0, the Windows Agent supports Virtual Desktop Infrastructure (VDI) as a deployment mechanism, including read-only VDI images. In this scenario, device names are added to CMDB > Device list as the active session user, with domain and user name separated by two underscores '__' (i.e. domain__username).

To install onto a VDI, the ReadOnly images installation process is similar to a regular installation, but must follow these initial steps.

  1. Install the Windows Agent onto the Golden image of your VDI image. When prompted for settings, ensure that you check the VDI deployment checkbox.


  2. Allow the Golden Image to register and send data to your FortiSIEM Deployment.

  3. Once verified, create a snapshot of your Golden Image.

  4. Start your ReadOnly VDI image.

  5. Verify the new VDI session (with domain__user) has been able to register, and is in Running Active State.

  6. Shutdown the VDI session.

When the user logs on to the VDI environment and downloads a VM from the VDI Server, the VM contains a VDI transient image (containing the Windows Agent). The agent automatically registers to the FortiSIEM Supervisor node, with host name set to <DOMAIN>__<USERNAME> in CMDB.

When the user logs off from the VDI environment, the agent automatically unregisters to the FortiSIEM Supervisor node. The agent's status is decommissioned, so that it does not consume an agent license.

Installing Windows Agent 4.2.x and Later via GUI

To install Windows Agent 4.2.x and later via GUI, take the following steps.

  1. Log in to the Windows machine as Administrator.
  2. Copy the Windows Agent binary (FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or FSMLogAgent-v4.4.x.exe) to the Windows machine.
  3. Place the binary in a local folder that you can run it from (example: C:\Temp\).
  4. Double-click the FSMLogAgent binary and the installation process will start.
  5. In the Choose License Type dialog box, select Enterprise or Service Provider, and click Next.
    Note: With Windows Agent 4.4.0 and later, the dialog box is replaced with a License Type drop-down list.


  6. In the Supervisor IP/Name field, enter the Supervisor IP address or hostname.
  7. In the Supervisor Port field, enter the Supervisor port number. The default value is 443.
  8. If applicable, in the Organization Name field, enter the organization name.
    Note: The field will be greyed out if it is not applicable.
  9. If applicable, in the Organization ID field, enter the organization ID.
    Note: The field will be greyed out if it is not applicable.
  10. In the Agent HostName field, enter the agent hostname.
  11. In the Agent Username field, enter the agent registration user name (the Organization agent user for Service Provider installations, or the CMDB user with Agent Admin checked for Enterprise installations).
    Note: The agent username cannot contain special characters: !#%&/\\:;<>=?[]{}^`|~
  12. In the Agent Password field, enter the password associated with the agent username entered earlier.
    Note: The password must be between 8-64 characters, with at least 1 letter, 1 number and 1 special character (e.g. $*&%).
  13. Check the Verify Host TLS/SSL certificate checkbox if you want the agent to validate the Supervisor's TLS/SSL certificate. When checked, the certificate presented by the Supervisor must chain to a CA that the Windows machine trusts; with the default self-signed Supervisor certificate, registration will fail until a trusted certificate is installed on the Supervisor. Leaving it unchecked lets any endpoint at that IP impersonate the Supervisor, so enable it wherever the Supervisor has a properly issued certificate.
  14. Click Next to proceed with installation.

    If any settings errors are detected, a dialog box will instruct you on the field that needs to be re-entered. When all fields are valid, the installation will start. After a successful installation, the Agent will register to the Supervisor and start running.
    Note: If the installation returns a pop-up to restart your computer, click Close.

Installing Windows Agent 4.2.x and Later via Command Line

To install Windows Agent 4.2.x and Later via Command Line (CLI), take the following steps.

  1. Log in to the Windows machine where Windows Agent will be installed as Administrator.
  2. Copy the Windows Agent binary (FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or FSMLogAgent-v4.4.x.exe) to the Windows machine.
  3. Place the binary in a local folder that you can run it from (example: C:\Temp\).
    FSMLogAgent.exe SUPERNAME="<Supervisor IP Address or Hostname>" SUPERPORT="<Supervisor port #>" ORGNAME="<Organization name>" ORGID="<Organization ID>" AGENTUSER="<Agent username>" AGENTPASSWORD="<Agent password>" HOSTNAME="<Hostname of the Agent; leave blank to use the default name>" SSLCERT="1"

    SSLCERT="1" makes the agent verify the Supervisor's TLS/SSL certificate against the Windows certificate store. Omit the SSLCERT parameter entirely if you do not want the certificate verified (for example, while the Supervisor still uses its self-signed certificate).

    Example:
    C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost"

    To run in silent mode, add “ /quiet” to the end of the installation command.
    Example:
    C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.2.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" SSLCERT="1" /quiet

  5. The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.
Using Special Characters in Password when Registering via CLI

Choose characters from the set published here: https://owasp.org/www-community/password-special-characters

The password must be enclosed in double quotes. If the password itself contains a double quote ("), escape it by doubling it, e.g. "Password""11" for the password Password"11.

Installing with the Ability to Stop Agent Service

Normal installations do not allow you to stop the Windows Agent from Windows Service Control Manager. This is the default behavior, and it protects log collection from being switched off by a local administrator or by malware running with administrative rights. Starting with release 4.2.3, you can allow the Administrator to stop the service by adding the UNPROTECT=1 option to the command line, e.g.
C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" UNPROTECT=1

Without UNPROTECT=1, the service cannot be stopped from Windows Service Control Manager. With UNPROTECT=1, the Administrator can stop it. Use the flag only where operators genuinely need that ability (test systems, for example); on production endpoints keep the default so that the agent cannot be silenced trivially.
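The PowerShell below is an added example (not Fortinet's code) that covers the command-line install, the password escaping rule and the UNPROTECT option together: it builds the argument line from a hashtable, doubles any double quote inside a value as required above, runs the installer with /quiet, and checks the outcome. It assumes the installer is at C:\Temp\FSMLogAgent.exe, that a failed install returns a non-zero exit code (the guide says only that the install fails), and that the agent service's display name contains "FortiSIEM" (the service name is not given in this guide). The Supervisor address and credentials are placeholders. The same argument line is what the Upgrade via Command Line procedure later in this guide uses.

```powershell
# Added example (not Fortinet's code). Run from an elevated PowerShell prompt.
# Assumptions: installer copied to C:\Temp\FSMLogAgent.exe; a failed install returns a
# non-zero exit code; the agent service's display name contains "FortiSIEM".

$Installer = 'C:\Temp\FSMLogAgent.exe'

# An FQDN is recommended for HOSTNAME; fall back to the NetBIOS name if the DNS lookup fails.
$fqdn = try { [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName } catch { $env:COMPUTERNAME }

$Settings = [ordered]@{
    SUPERNAME     = '192.0.2.10'      # placeholder Supervisor address
    SUPERPORT     = '443'
    ORGNAME       = 'org2'
    ORGID         = '2001'
    AGENTUSER     = 'agent'
    AGENTPASSWORD = 'agent"pass*1'    # placeholder; contains a double quote to exercise the escaping rule
    HOSTNAME      = $fqdn
    SSLCERT       = '1'               # verify the Supervisor certificate; remove this key to skip verification
}

function ConvertTo-InstallerArgs {
    # Builds KEY="value" pairs; a double quote inside a value becomes "" as the guide requires.
    param([System.Collections.IDictionary]$Values, [switch]$Unprotect, [switch]$Quiet)
    $parts = New-Object System.Collections.Generic.List[string]
    foreach ($k in $Values.Keys) {
        $v = ([string]$Values[$k]) -replace '"', '""'
        $parts.Add(('{0}="{1}"' -f $k, $v))
    }
    if ($Unprotect) { $parts.Add('UNPROTECT=1') }   # only when admins must be able to stop the service
    if ($Quiet)     { $parts.Add('/quiet') }
    return ($parts -join ' ')
}

$argLine = ConvertTo-InstallerArgs -Values $Settings -Quiet
# $argLine contains the registration password; do not write it to a log or a ticket.
$proc = Start-Process -FilePath $Installer -ArgumentList $argLine -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode); re-check the settings, a bad value makes the install fail"
}

# Registration with the Supervisor happens after the install; give the service a moment to start.
Start-Sleep -Seconds 15
$svc = @(Get-Service | Where-Object { $_.DisplayName -like '*FortiSIEM*' })
if ($svc.Count -eq 0) { throw 'No FortiSIEM agent service found after install' }
foreach ($s in $svc) { '{0}: {1}' -f $s.DisplayName, $s.Status }
```

With the placeholder password above, ConvertTo-InstallerArgs emits AGENTPASSWORD="agent""pass*1", which is the form the guide specifies. Add -Unprotect to the call only for the test-system case described above. After the service shows Running, confirm registration in CMDB as described under Verify Agent Version and Template Associations.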

Installing Windows Agent 4.2.x and Later via GPO

Once you have created an MSI transforms file, you use it to pre-load all properties into the install during GPO deployment. For information on creating an MSI transforms file, see Creating a MSI Transforms File.

To install, take the following steps.

  1. Navigate to the download location of the FortiSIEM Windows Agent.

  2. Run the following command:

    msiexec /i FSMLogAgent_x64.msi /qn TRANSFORMS=<transforms_file>

    Example:

    msiexec /i FSMLogAgent_x64.msi /qn TRANSFORMS=fsmlogagent.mst

    Once complete the transforms file will be used to provide the required properties when installing the FortiSIEM Windows Agent.

To check for successful registration, take the following steps.
  1. Log in to FortiSIEM in Super Global mode as Admin user.
  2. Go to CMDB and search for the Agent Host name.
  3. Check the Status column.

Make sure the Templates and Host to Template association policies are defined for this Host by taking the following steps:

  1. Log in to FortiSIEM in Super Global mode.
  2. Go to ADMIN > Setup > Windows Agent and make sure the templates and host to template associations are defined.
    One of the host-to-template association policies must match this agent. The first matched policy will be selected.

Creating a MSI Transforms File

When deploying the FortiSIEM Windows Agent via Active Directory Group Policy Object, you are advised to create an MSI transforms file to pre-populate the MSI properties. Note that the transform stores AGENTPASSWORD in clear text inside the .mst, and the GPO software distribution share is readable by every computer that installs from it. Use a dedicated agent registration user whose only role is agent registration, and restrict read access on the share to the computer accounts that need it.

Outlined below is a way to create a transforms file using Orca, the MSI database editor that ships with the Microsoft Windows SDK. Although other tools are available, this process was verified and tested on Orca version 5.0.10011.0.

After installing ORCA, load the FortiSIEM Windows Agent MSI by taking the following steps.

  1. Select File > Open.

  2. Navigate to the FortiSIEM Windows Agent download location.

  3. Select the MSI file you want to create a transforms file for (FSMLogAgent_x64.msi is used in this example).

Once the chosen MSI is loaded into ORCA, you can create a new transforms file ready for use by taking the following steps.

  1. In ORCA, select Transform > New Transform.

  2. Select Property from the left Tables side panel.

  3. Add the properties from the following table, with your specific values, either by:

    1. Clicking on a new row to add property.

    2. Right clicking on empty space, and select Add Row.

    3. Using key combination of CTRL+R.

      Property        Example       Description
      SUPERNAME       192.0.20.1    Super IP or Hostname
      AGENTUSER       agent         Agent user name with permission to register new agent
      AGENTPASSWORD   Agentpass*1   Agent user password with permission to register new agent
      ORGID           2000          The organization ID to register agent to
      ORGNAME         ORG01         The organization name to register agent to


  4. Once all required properties are added, select Transform > Generate Transform.

  5. Save the newly generated transforms file to your required location.

  6. Once generated, close the MSI you are editing by clicking File > Close.

  7. Repeat the process for both x64 and x86 MSI files.

    The generated transforms file can then be used to create a software package, using Active Directory GPO, see Installing Windows Agent 4.2.x and Later via GPO.
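As an added check that is not part of this guide, the PowerShell below applies the generated transform to the MSI database in memory through the Windows Installer COM automation interface (WindowsInstaller.Installer) and lists the Property table, so you can confirm that the .mst really carries the five required properties before you create the GPO package. File names follow the examples above (C:\Temp is an assumption); the database is opened in transact mode and never committed, so the MSI on disk is not modified.

```powershell
# Added example (not Fortinet's code): confirm the transform sets the required properties.
# Assumptions: MSI and MST are in C:\Temp; the required property names are those in the table above.

$Msi      = 'C:\Temp\FSMLogAgent_x64.msi'
$Mst      = 'C:\Temp\fsmlogagent.mst'
$Required = 'SUPERNAME', 'AGENTUSER', 'AGENTPASSWORD', 'ORGID', 'ORGNAME'

function Get-MsiProperties {
    # Returns the Property table as a hashtable, with the transform applied in memory if one is given.
    param([string]$MsiPath, [string]$TransformPath)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase(path, msiOpenDatabaseModeTransact = 1); Commit is never called, so nothing is written.
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 1))
    if ($TransformPath) {
        # ApplyTransform(path, errorConditions = 0): raise on any transform error instead of suppressing it.
        $db.GetType().InvokeMember('ApplyTransform', 'InvokeMethod', $null, $db, @($TransformPath, 0))
    }
    $sql  = 'SELECT `Property`, `Value` FROM `Property`'
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $props = @{}
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        $name  = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
        $value = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(2))
        $props[$name] = $value
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    return $props
}

$props   = Get-MsiProperties -MsiPath $Msi -TransformPath $Mst
$missing = @($Required | Where-Object { [string]::IsNullOrEmpty($props[$_]) })
if ($missing.Count -gt 0) {
    throw "Transform does not set: $($missing -join ', ')"
}
foreach ($name in $Required) {
    # Mask the password so the output can be pasted into a change ticket without leaking it.
    $shown = if ($name -eq 'AGENTPASSWORD') { '********' } else { $props[$name] }
    '{0,-14} {1}' -f $name, $shown
}
```

Run it once per transform (x64 and x86). If ApplyTransform throws, the .mst was generated against a different MSI than the one on disk; regenerate it from the package you will actually publish.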

Installing Windows Agent 4.0.0 to 4.1.x

In these versions, the Agent configuration parameters have to be entered into an InstallSettings.xml file. The Agent Setup GUI is only available from 4.2.0 onwards. Also, the FortiSIEM LogAgent Service cannot be stopped.

Follow the steps below to install Windows Agent:

  1. Log in to the Windows machine where Windows Agent will be installed.
  2. Copy Windows Agent 4.0.x or 4.1.x binaries: FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe and InstallSettings.xml to the same folder.
  3. Obtain the Organization ID, Organization Name and Agent registration credentials.
    1. When using the multi-tenant version of FortiSIEM, follow these substeps to find these items:
      1. Log in to FortiSIEM in Super Global mode as Admin user.
      2. Go to ADMIN > Setup > Organizations and locate the Organization (ID, Name) to which this Agent belongs. If not present, create an Organization.
      3. Locate the Agent Registration User and Password for the Organization. If not present, define them.
    2. When using the Enterprise version of FortiSIEM, use “1” for the Organization ID and “super” for the Organization Name.
  4. Download the InstallSettings.xml file, and edit the fields for your environment.
    1. Use a text editor to edit the downloaded InstallSettings.xml in the same folder where you copied the Windows Agent binaries, using the downloaded file as the template.
    2. Provide the values for the Organization name (ORG_NAME), the Agent Registration User name (AGENT_USER), and Password (AGENT_PASSWORD) from step 3. Make sure that AGENT_PASSWORD is enclosed within a CDATA block as in the sample InstallSettings.xml file. This allows the AGENT_PASSWORD to contain characters that are special in XML or otherwise reserved, such as "&", "<", ">", "!", "#", etc. Make sure that there are no leading or trailing white spaces between CDATA[ and ]].
      For example, <Password><![CDATA[ myPassword ]]></Password> is not acceptable.
      It would need to be changed to <Password><![CDATA[myPassword]]></Password>.
      Note: When viewing the InstallSettings.xml file through a web browser, extraneous space characters may appear. Fortinet recommends saving the InstallSettings.xml file, then viewing it through a proper XML editor.
    3. It is recommended that you specify the Agent Host name in the <HostName>AGENT_HOST_NAME</HostName> tag. This will be the device name in the FortiSIEM CMDB. If this attribute is not specified, then the agent will pick up the NetBios Name, which will also be the device name in CMDB.
  5. Install the Agent:
    Choose one of options listed to install your Windows Agent.
    1. Option 1: Install via Windows File Explorer
      1. Log in to the Windows machine as Administrator.
      2. Ensure that the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe in step 2 and InstallSettings.xml in step 4 are in the same folder (example: copy to c:\Temp\).
      3. Double-click the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe package and the installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.
        Note: If the installation returns a pop-up to restart your computer, click Close.

    2. Option 2: Install via Command Line
      1. Log in to the Windows machine as Administrator.
      2. Ensure that the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe in step 2 and InstallSettings.xml in step 4 are in the same folder (example: copy to c:\Temp\).
      3. Launch Command Prompt, go to the Installation packages saved location, and run FSMLogAgent-v4.x.x-mmddyyyy.exe with the /norestart option.
        For example, C:\Temp\FSMLogAgent-v4.1.0-03052021.exe /norestart

        The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.
  6. Check CMDB for successful registration:
    1. Log in to FortiSIEM in Super Global mode as Admin user.
    2. Go to CMDB and search for the Agent Host name.
    3. Check the Status column.
  7. Make sure the Templates and Host to Template association policies are defined for this Host:
    1. Log in to FortiSIEM in Super Global mode.
    2. Go to ADMIN > Setup > Windows Agent and make sure the templates and host to template associations are defined.
      One of the host-to-template association policies must match this agent. The first matched policy will be selected.

Installing Windows Agent Without Supervisor Communication

In typical installations, FortiSIEM Agents register to the Supervisor node, but send the events by using the Collector. In many MSSP situations, customers do not want Agents to directly communicate with the Supervisor node. This requirement can be satisfied by setting up the Collector as an HTTPS proxy between the Agent and the Supervisor. This section describes the required configurations.

Step 1: Setup the Collector as an HTTPS Proxy

Follow these steps to setup the Collector as an HTTPS proxy:

  1. Log in to the Collector.

  2. Go to /etc/httpd/conf.d.

  3. Create the configuration file agent-proxy.conf with the content here.

    agent-proxy.conf Content

    ProxyPass /phoenix/rest/register/windowsAgent https://<Supervisor IP Address>/phoenix/rest/register/windowsAgent

    ProxyPassReverse /phoenix/rest/register/windowsAgent https://<Supervisor IP Address>/phoenix/rest/register/windowsAgent

    ProxyPass /phoenix/rest/windowsAgent/update https://<Supervisor IP Address>/phoenix/rest/windowsAgent/update

    ProxyPassReverse /phoenix/rest/windowsAgent/update https://<Supervisor IP Address>/phoenix/rest/windowsAgent/update

    SSLProxyEngine on

    SSLProxyVerify none

    SSLProxyCheckPeerCN off

    SSLProxyCheckPeerExpire off

    Note: the last three directives make the Collector accept any certificate the Supervisor presents, which is what lets the default self-signed Supervisor certificate work. The Collector-to-Supervisor hop is then encrypted but not authenticated, so keep it on a trusted network path. If the Supervisor has been issued a certificate from a CA you control, use SSLProxyVerify require together with SSLProxyCACertificateFile pointing at that CA's certificate, and remove the two SSLProxyCheckPeer* lines.

  4. To upgrade the Windows Agent from a FortiSIEM 6.4.0+ Supervisor while using the Collector as a proxy, the following Windows Agent Upgrade Proxy Configuration is required so that the Windows Agent can download the files needed for the upgrade.

    Add this to agent-proxy.conf.

    Windows Agent Upgrade Proxy Configuration

    ProxyPass /WinAgentUpgrade/FSMLogAgent.exe https://<Supervisor IP Address>/WinAgentUpgrade/FSMLogAgent.exe
    ProxyPassReverse /WinAgentUpgrade/FSMLogAgent.exe https://<Supervisor IP Address>/WinAgentUpgrade/FSMLogAgent.exe
    
    ProxyPass /WinAgentUpgrade/AutoUpdate.exe https://<Supervisor IP Address>/WinAgentUpgrade/AutoUpdate.exe
    ProxyPassReverse /WinAgentUpgrade/AutoUpdate.exe https://<Supervisor IP Address>/WinAgentUpgrade/AutoUpdate.exe
  5. If running Windows Agent 5.0.0 or later, add the following route to agent-proxy.conf.

    ProxyPass /phoenix/rest/device/update https://<Supervisor IP Address>/phoenix/rest/device/update
    ProxyPassReverse /phoenix/rest/device/update https://<Supervisor IP Address>/phoenix/rest/device/update
  6. Restart httpd, for example: service httpd restart.

Step 2: Install Agents to Work with the Collector

Follow these steps to install the Windows Agents to work with the Collector.

  1. If you already have agents registered with the Supervisor, then uninstall them.
  2. Re-install the Windows Agents, following the instructions here. During installation, set the Supervisor IP to the IP address of the Collector node.

Upgrading Windows Agent

Upgrading from Windows Agent Version 4.2.x and Later

If you are running Agent 4.2.0 or later, you can upgrade in one of the following three ways.

The first method upgrades Agents remotely from the Supervisor; unlike the other two, it needs no local access to the Windows server. It does, however, require the Supervisor to reach the FortiGuard Service (update.fortiguard.net) on port 443 to validate the upgrade images (see Communication Ports).

Upgrade from Supervisor

Navigate to ADMIN > Settings > System > Image Server and follow the instructions in Upgrading Windows Agent from the Online Help.

Note: Upgrade from FortiSIEM Supervisor Install requires FortiSIEM 6.4.0 or later, and FortiSIEM Windows Agent 4.2.0 or later.

Upgrade via Agent Setup GUI

With this option, you will be re-installing the new version on top of the older version using the Agent Setup GUI.

To upgrade through the graphical user interface (GUI), take the following steps.

  1. Log in to your Windows machine as an Administrator.

  2. Copy the new Windows Agent binary (FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or FSMLogAgent-v4.4.x.exe) to a local folder on the machine (example: C:\Temp\).

  3. Double-click the FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or FSMLogAgent-v4.4.x.exe package and the installation process will start.

  4. In the Choose License Type dialog box, select Enterprise or Service Provider, and click Next.
    Note: With Windows Agent 4.4.0 and later, the dialog box is replaced with a License Type drop-down list.

  5. In the Supervisor IP/Name field, enter the Supervisor IP address or hostname.
  6. In the Supervisor Port field, enter the Supervisor port number. The default value is 443.
  7. If applicable, in the Organization Name field, enter the organization name.
    Note: The field will be greyed out if it is not applicable.
  8. If applicable, in the Organization ID field, enter the organization ID.
    Note: The field will be greyed out if it is not applicable.
  9. In the Agent HostName field, enter the agent hostname.
  10. In the Agent Username field, enter the agent registration user name (the Organization agent user for Service Provider installations, or the CMDB user with Agent Admin checked for Enterprise installations).
    Note: The agent username cannot contain special characters: !#%&/\\:;<>=?[]{}^`|~
  11. In the Agent Password field, enter the password associated with the agent username entered earlier.
    Note: The password must be between 8-64 characters, with at least 1 letter, 1 number and 1 special character (e.g. $*&%).
  12. Check the Verify Host TLS/SSL certificate checkbox if you want the agent to validate the Supervisor's TLS/SSL certificate. When checked, the Supervisor's certificate must chain to a CA that the Windows machine trusts, otherwise registration fails; enable it wherever the Supervisor has a properly issued certificate.
  13. Click Next to proceed with installation.

    If any settings errors are detected, a dialog box will instruct you on the field that needs to be re-entered. When all fields are valid, the installation will start. After a successful installation, the Agent will register to the Supervisor and start running.
    Note: If the installation returns a pop-up to restart your computer, click Close.

  14. Proceed to Verify Agent Version and Template Associations.

Upgrade via Command Line

With this option, you will be re-installing the new version on top of the older version using command line. The agent configuration parameters are provided in command line arguments.

To upgrade through the command line interface (CLI), take the following steps.

  1. Log in to the Windows machine as an Administrator.

  2. Copy the new Windows Agent binary (FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or FSMLogAgent-v4.4.x.exe) to a local folder on the machine (example: C:\Temp\).

  3. Launch Command Prompt.

  4. Go to the directory where the Installation packages were saved.

  5. Run
    FSMLogAgent.exe SUPERNAME="<Supervisor IP Address or Hostname>" SUPERPORT="<Supervisor port #>" ORGNAME="<Organization name>" ORGID="<Organization ID>" AGENTUSER="<Agent username>" AGENTPASSWORD="<Agent password>" HOSTNAME="<Hostname of the Agent; leave blank to use the default name>" SSLCERT="1"

    SSLCERT="1" makes the agent verify the Supervisor's TLS/SSL certificate; omit the SSLCERT parameter entirely if you do not want the certificate verified.

    Example:
    C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost"

    To run in silent mode, add “ /quiet” to the end of the installation command.
    Example:
    C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.2.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" SSLCERT="1" /quiet

    The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.

    For more information on special characters, see Using Special Characters in Password when Registering via CLI.

    For more information on how to install with the ability to stop service, see Installing with the Ability to Stop Agent Service.
    Note: This requires Agent 4.2.3 or later.

  6. Proceed to Verify Agent Version and Template Associations.

Upgrading from Windows Agent 4.0.0 to 4.1.x

Upgrade can be done in one of two ways.

These methods both require you to login to the Windows Server. Once you are on Version 4.2.0 or later, you can upgrade remotely via the Supervisor.

Upgrade via Windows File Explorer

With this option, you will be re-installing the new version on top of the older version using Windows File Explorer.

To upgrade through the graphical user interface (GUI), take the following steps.

  1. Log in to your Windows machine as an administrator.

  2. Ensure that the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe and InstallSettings.xml files are in the same folder.

  3. Double-click the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe package and the installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.

    Note: If the installation returns a pop-up to restart your computer, click Close.

  4. Proceed to Verify Agent Version and Template Associations.

Upgrade via Command Line

With this option, you will be re-installing the new version on top of the older version using command line. The agent configuration parameters are provided in command line arguments.

To upgrade through the command line interface (CLI), take the following steps.

  1. Log in to the Windows machine as an administrator.

  2. Ensure that the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe and InstallSettings.xml files are in the same folder.

  3. Launch Command Prompt.

  4. Go to the directory where the Installation packages were saved.

  5. Run FSMLogAgent-v4.0.x-mmddyyyy.exe or FSMLogAgent-v4.1.x-mmddyyyy.exe with the /norestart option.

    Example: C:\Temp\FSMLogAgent-v4.1.0-03052021.exe /norestart

    The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.

  6. Proceed to Verify Agent Version and Template Associations.

Verify Agent Version and Template Associations

You will need to navigate to CMDB to check the status and version of your Windows agent. Take the following steps.

  1. Log in to FortiSIEM in Super Global mode as an admin user.

  2. Navigate to CMDB > Devices.

  3. In the Search... field, enter your Agent Host name to locate your agent.

  4. Check the Agent Version column for your Agent and confirm that the version is the upgraded version.

  5. Check the Status column to see the Agent status. The status should update to "Running Active" after a few minutes.

  6. Navigate to ADMIN > Setup > Windows Agent.

  7. Under Host To Template Associations, select an existing configuration and confirm it is still defined.

Managing Windows Agent

Agent Service

When the Windows Agent is running, the FSMLogAgent is shown as part of your services on your Windows machine. The ability to Start, Stop, Pause, or Resume this service is disabled. This is intentional, to provide service level protection. An option is available starting with Windows Agent 4.2.3 to stop Windows Agent. See Installing with the Ability to Stop Agent Service.

Auto Restart Service Behavior

In the event of a Windows Agent crash, Windows Agent will automatically restart itself after 60 seconds have passed.

It is possible to terminate the FSMLogAgent process via the Windows Task Manager. This action will cause Windows Agent to restart automatically.

Configuring Windows Servers for FortiSIEM Agents

Configuring Windows Sysmon

The supported Sysmon versions are 5.02 and above. The latest Sysmon download instructions are available here.

  1. Log in to the Windows machine.
  2. Download the popular Sysmon configuration file from https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
  3. Save the configuration file as sysmonconfig.xml
  4. Check whether the Sysmon executable is installed or not by running: Sysmon64.exe -c
    1. If Sysmon is running, update the Sysmon configuration by using the command with administrator rights: sysmon.exe -c sysmonconfig.xml
    2. If Sysmon is not available on the system, download and install using the command with administrator rights: sysmon.exe -accepteula -i sysmonconfig.xml
  5. Check the new configuration using the command: Sysmon64.exe -c
  6. Check for Sysmon events:
    1. Go to EventViewer > Applications and Service Logs > Microsoft > Windows > Sysmon > Operational.
    2. Check for Sysmon logs on the right panel.
    3. Right-click on Operational and choose Properties.
    4. Note the Full Name (typically 'Microsoft-Windows-Sysmon/Operational') for FortiSIEM configuration.
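The install-or-update decision in step 4 and the event check in step 6, as an added PowerShell example that is not part of the Fortinet guide. It assumes Sysmon64.exe and sysmonconfig.xml are in the current directory and uses the Sysmon64 service name (the default when installing with Sysmon64.exe) to detect an existing install.

```powershell
# Added example (not from the Fortinet guide): install or update Sysmon with
# the configuration saved in steps 2-3, then confirm that the Operational
# channel (the Full Name FortiSIEM needs) is actually receiving events.
# Assumptions: Sysmon64.exe and sysmonconfig.xml are in the current directory.
param(
    [string]$SysmonExe = '.\Sysmon64.exe',
    [string]$Config    = '.\sysmonconfig.xml'
)
$channel = 'Microsoft-Windows-Sysmon/Operational'

# The service exists only when the Sysmon driver is installed; this is the
# scripted equivalent of the guide's "Sysmon64.exe -c" check.
$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if ($svc) {
    Write-Host 'Sysmon is installed; applying the updated configuration'
    & $SysmonExe -c $Config
} else {
    Write-Host 'Sysmon is not installed; installing with the configuration'
    & $SysmonExe -accepteula -i $Config
    $svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
}
if ($LASTEXITCODE -ne 0) { Write-Warning "Sysmon returned exit code $LASTEXITCODE" }

# Verify: service state, channel Full Name, and events in the last 5 minutes.
$log    = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
$recent = Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = (Get-Date).AddMinutes(-5) } `
              -ErrorAction SilentlyContinue
[pscustomobject]@{
    Service        = if ($svc) { $svc.Status } else { 'missing' }
    FullName       = $log.LogName            # enter this name in FortiSIEM
    RecordCount    = $log.RecordCount
    EventsLast5Min = @($recent).Count
    # Sysmon event IDs seen, e.g. 1 (process create), 3 (network connection)
    IdsSeen        = (@($recent) | Select-Object -ExpandProperty Id -Unique | Sort-Object) -join ','
}
```

If EventsLast5Min stays at 0 after some activity on the host, re-check the configuration file; the SwiftOnSecurity template filters aggressively by design.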

Configuring Windows DNS

Follow the steps below to configure DNS server:

  1. Log in to the Windows machine.
  2. Configure DNS logging:
    1. Launch DNS Manager.
    2. Select the specific DNS Server and click Properties.
    3. On Debug Logging tab, enable Log packets for debugging.
    4. Specify the log file name and path, for example C:\DNSLogs.log.

  3. Check for DNS logs. If logs are present, FortiSIEM Agent will automatically collect these logs.
    1. Go to EventViewer > Applications and Service Logs > DNS Server.
    2. Check for DNS logs on the right panel.

Configuring Windows DHCP

Follow the steps below to configure DHCP server:

  1. Log in to the Windows machine.
  2. Configure DHCP logging:
    1. Launch DHCP Manager.
    2. Select the specific DHCP Server and click IPv4 > Properties.
    3. Enable DHCP Audit Logging.
  3. Check for DHCP events. If logs are present, FortiSIEM Agent will automatically collect these logs:
    1. Go to EventViewer > Applications and Service Logs > Microsoft > Windows > DHCP Server.
    2. Check for DHCP logs on the right panel.

Configuring Windows IIS

Follow these steps to configure the IIS Server:

  1. Log in to the Windows machine.
  2. Configure IIS logging:
    1. Launch IIS Manager.
      • From the Start menu, click Programs or All Programs, and point to Administrative Tools.
      • On Administrative Tools, Click Internet Information Services (IIS) Manager.
    2. Select the specific IIS Server and click the Logging icon on the panel on the right side.

    3. Specify the log path if default path (%SystemDrive%\inetpub\logs\LogFiles) does not exist.

  3. Check for IIS events. If logs are present, FortiSIEM Agent will automatically collect these logs:
    1. Go to IIS logs default path, example: C:\inetpub\logs\LogFiles\.
    2. Check for IIS traffic logs.

Configuring DNS Analytical Logs

Microsoft recommends that customers enable DNS Analytical logs only to debug DNS traffic or to troubleshoot DNS server issues. Enabling DNS Analytical logs can cause system performance issues (see Microsoft Logging and Diagnostics).

If the DNS server is running Windows Server 2012 R2, download the hotfix from http://support.microsoft.com/kb/2956577

You can find more information on this topic in Enable Analytic and Debug Logs in the Microsoft User Guide.

Follow these steps to configure FortiSIEM Windows Agent to collect DNS Analytical logs:

  1. Enter eventvwr.msc at an elevated command prompt and press Enter to open the Event Viewer.
  2. In the Event Viewer, navigate to Applications and Services Logs\Microsoft\Windows\DNS-Server.
  3. Right-click DNS-Server, point to View, and click Show Analytic and Debug Logs. The Analytical log is displayed.
  4. Right-click Analytical and then click Properties.
  5. Under When maximum event log size is reached, choose Do not overwrite events (Clear logs manually).
  6. Select the Enable logging checkbox.
  7. Click OK when you are asked if you want to enable this log. See the following example.

  8. Click OK again to enable the DNS Server Analytic event log.
  9. Note the Full Name value shown in the screenshot in Step 7: Microsoft-Windows-DNSServer/Analytical. This name must be entered in FortiSIEM.

Configuring Generic Binary Logs

Analytic and Debug logs are disabled by default, because these logs can quickly fill the disk with a large number of entries.

For this reason, you will probably want to turn them on for a specified period to gather some troubleshooting data and then turn them off again.

Follow these steps to configure FortiSIEM Windows Agent to collect Generic Binary logs:

  1. Enter eventvwr.msc at an elevated command prompt and press Enter to open the Event Viewer.
  2. In the Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows, then select the application whose Analytic/Debug logs need to be captured.
  3. Right-click Application, point to View, and click Show Analytic and Debug Logs. The Analytic/Debug/Diagnostic log is displayed.
  4. Right-click Analytic/Debug/Diagnostic and then click Properties.
  5. Under When maximum event log size is reached, choose Do not overwrite events (Clear logs manually).
  6. Select the Enable logging checkbox, and click OK when you are asked if you want to enable this log. See the following example “PowerShell Debug logs”.

  7. Click OK again to enable the Application Analytic/Debug/Diagnostic event log.
  8. Note the Full Name in the screenshot in Step 6: Microsoft-Windows-PowerShell/Debug. This name must be entered in FortiSIEM.
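The Event Viewer procedure above (and the equivalent one for DNS Analytical logs in the previous section) scripted with wevtutil, as an added PowerShell example that is not part of the Fortinet guide. The two channel names are the ones the guide uses; the retention mode /rt:true corresponds to "Do not overwrite events (Clear logs manually)".

```powershell
# Added example (not from the Fortinet guide): enable an Analytic/Debug
# channel the way the Event Viewer steps do, using wevtutil, then print the
# Full Name that must be entered in FortiSIEM. Run again with -Disable when
# the troubleshooting window is over, since these channels fill disk quickly.
param(
    # Channels from the guide: the DNS Analytical log and the PowerShell Debug
    # example from the Generic Binary Logs section.
    [string[]]$Channels = @('Microsoft-Windows-DNSServer/Analytical',
                            'Microsoft-Windows-PowerShell/Debug'),
    [switch]$Disable
)

foreach ($channel in $Channels) {
    $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel '$channel' does not exist on this host (role or feature not installed?)"
        continue
    }
    if ($Disable) {
        wevtutil sl $channel /e:false
        Write-Host "Disabled $channel"
        continue
    }
    # Settings of an analytic/debug channel can only be changed while it is
    # disabled, so disable first, set retention, then enable.
    if ($log.IsEnabled) { wevtutil sl $channel /e:false }
    wevtutil sl $channel /rt:true      # "Do not overwrite events (Clear logs manually)"
    wevtutil sl $channel /e:true       # "Enable logging" checkbox
    $log = Get-WinEvent -ListLog $channel
    [pscustomobject]@{
        FullName  = $log.LogName                                   # value for FortiSIEM
        Enabled   = $log.IsEnabled                                 # expect True
        LogMode   = $log.LogMode                                   # expect Retain
        MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    }
}
```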

Configuring Windows Event Forwarding

Using Windows Event Forwarding, it is possible for Windows Servers (called Event Source Computers) to forward events to a central Windows Server where FortiSIEM Windows Agent (called Event Collector Computer) is running. The Agent can then send to FortiSIEM Collector, Worker, and Supervisor nodes. This is an alternative to running FortiSIEM Agent on every Windows Server. The disadvantage of this approach is that only Windows (Security, application, and system) events can be collected in this way, while FortiSIEM native Agent can collect other information such as FIM, Custom log, Sysmon, etc. FortiSIEM can parse the forwarded Windows events so that the actual reporting Windows server is captured and all the attributes are parsed as sent by native agents.

Configuring Locale on Windows Servers

Configure Locale on Windows 10

To set the locale of the Collector machine to en-US:

  1. Go to the Windows Settings page.
  2. Go to Time And Language, and choose the Language option.
  3. Change the Windows Display Language to English (United States).
  4. Select the Region option on the left.
  5. Choose the option Additional Date, time & regional settings on the right side of the page.

  6. Choose the option Region and open the Administrative tab.
  7. Click the Change system locale... button and change the locale to English (United States) in the provided dialog box. Click OK.
  8. In the Administrative tab, click the Copy Settings... button.
  9. In that property page tab, select both check boxes: Welcome screen and system accounts and New user accounts. Click OK.

  10. Restart your computer.

Configure Locale on Generic Servers

  1. Go to the Control Panel.
  2. Choose the Language option.
  3. Select the language English (United States) and move it to top of the list.
  4. Select the option Change date, time, or number formats on the left side of the page.

  5. In this property page tab, select the Location tab and choose the Home Location as United States. Click Apply.

  6. Select the Administrative tab.
  7. Click Change system locale.... Change the locale to English (United States) in the provided dialog. Click OK.

  8. In the Administrative tab, click Copy Settings....
  9. In this property page tab, select both check boxes: Welcome screen and system accounts and New user accounts. Click OK.

  10. Restart your computer.

Configuring Source-Initiated Subscription

Configure the Event Collector Computer

You must complete the following steps on the Event Collector computer where the FSM Agent is installed:

  1. Open a command prompt with elevated privileges (for example, Run as Administrator…) and run this command to configure the Windows Remote Management (WinRM) service:

    winrm qc -q

  2. Run this command to configure the Windows Event Collector service:

    wecutil qc /q

  3. Copy and save the following XML in a file (Configuration.xml) and edit the values depending on your requirements or scenario.

    The XML configuration grants the Domain Computers and Network Service accounts as the local event forwarder for the source computers. The XML configuration also contains the language locale, which is the same as the Collector computer's language locale.

    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
      <SubscriptionId>FwdSubscription</SubscriptionId>
      <SubscriptionType>SourceInitiated</SubscriptionType>
      <Description>Source Initiated Subscription</Description>
      <Enabled>true</Enabled>
      <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
      <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
      <ConfigurationMode>Custom</ConfigurationMode>
      <Delivery Mode="Push">
        <Batching>
          <MaxItems>1</MaxItems>
          <MaxLatencyTime>1000</MaxLatencyTime>
        </Batching>
        <PushSettings>
          <Heartbeat Interval="30000" />
        </PushSettings>
      </Delivery>
      <Expires>2025-01-01T00:00:00.000Z</Expires>
      <Query>
        <![CDATA[
        <QueryList>
          <Query Path="Security">
            <Select>*</Select>
          </Query>
        </QueryList>]]>
      </Query>
      <ReadExistingEvents>true</ReadExistingEvents>
      <TransportName>http</TransportName>
      <ContentFormat>RenderedText</ContentFormat>
      <Locale Language="en-US" />
      <LogFile>ForwardedEvents</LogFile>
      <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
      <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
    </Subscription>

  4. From the Command Prompt, enter the following command to create the subscription according to the specified XML configuration file:

    wecutil cs Configuration.xml

  5. From the Command Prompt, enter the following command to add an inbound and outbound exception in the firewall for port 5985 (http):

    netsh advfirewall firewall add rule name="Winrm HTTP Remote Management" protocol=TCP dir=in localport=5985 action=allow

    netsh advfirewall firewall add rule name="Winrm HTTP Remote Management" protocol=TCP dir=out remoteport=5985 action=allow

Configure the Event Source Computer

You must complete these steps on the Event Source computer.

  1. Open a Command Prompt with elevated privileges (for example, Run as Administrator…) and run the following commands:

    net localgroup "Event log readers" "NT Authority\Network Service" /add
    
    net localgroup "Event log readers" "Domain Computers" /add
    
    winrm qc -q
  2. From the command prompt enter the following command to add an inbound and outbound exception in the firewall for port 5985 (http):

    netsh advfirewall firewall add rule name="Winrm HTTP Remote Management" protocol=TCP dir=in localport=5985 action=allow
    netsh advfirewall firewall add rule name="Winrm HTTP Remote Management" protocol=TCP dir=out remoteport=5985 action=allow

Configure the Domain Controller or Source Computer

The following policy changes must be performed on the Domain Controller (for domain environments) or Source Computers (for non-domain environments).

  1. Run the local group policy editor (for non-domain environments) or the domain group policy editor (for domain environments).
  2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Event Forwarding.

  3. Open Configure target Subscription Manager.

  4. Choose the Enabled option.
  5. Click the Show... button beside SubscriptionManagers.
  6. Add the value Server=http://<Collector FQDN>:5985/wsman/SubscriptionManager/WEC to the list and click OK.

  7. In the Configure target Subscription Manager dialog box, click Apply and then OK.
  8. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service.

  9. Open Turn On Compatibility HTTP Listener.
  10. Choose the option Enabled.

  11. Click Apply and then OK.
  12. Close the group policy editor.
  13. Start the Command Prompt in admin mode and run the following command:

    gpupdate /force
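A check to run on the Event Collector computer once the three parts of the procedure above are done, as an added PowerShell example that is not part of the Fortinet guide. It assumes the subscription ID FwdSubscription, the ForwardedEvents log and the firewall rule name exactly as given in the guide's Configuration.xml and netsh commands.

```powershell
# Added example (not from the Fortinet guide): verify a source-initiated WEF
# subscription on the Event Collector computer and list which source
# computers have delivered Security events into ForwardedEvents.
param(
    [string]$SubscriptionId = 'FwdSubscription',   # from Configuration.xml
    [int]$LookbackMinutes   = 60
)

# The services configured by the guide's "winrm qc -q" and "wecutil qc /q".
foreach ($name in 'WinRM', 'Wecsvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning "Service $name is not running; re-run 'winrm qc -q' / 'wecutil qc /q'."
    }
}

# The subscription must exist; "wecutil gr" shows per-source runtime status
# (last heartbeat, last error), which is the first place to look when a
# source computer is silent.
$existing = @(wecutil es 2>$null)
if ($existing -notcontains $SubscriptionId) {
    Write-Warning "Subscription '$SubscriptionId' not found; create it with 'wecutil cs Configuration.xml'."
} else {
    wecutil gr $SubscriptionId
}

# Inbound rule for TCP 5985, the http transport the subscription uses.
if (-not (Get-NetFirewallRule -DisplayName 'Winrm HTTP Remote Management' -ErrorAction SilentlyContinue)) {
    Write-Warning 'Firewall rule "Winrm HTTP Remote Management" is missing.'
}

# Count forwarded events per source computer in the lookback window.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
              -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events in ForwardedEvents since $since; check 'gpupdate /force' on the sources and the SubscriptionManager URL."
} else {
    $events | Group-Object MachineName | Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceComputer'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}
```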

Configuring Auditing Policies

The following policy changes must be performed on the Domain Controller (for domain environments) or Source Computers (for non-domain environments).

Configure Security Audit Logging Policy

Configure this policy to control Windows logging. Because Windows generates many security logs, specify the categories of events that you want to be logged and available for monitoring by FortiSIEM.

  1. Log in to the machine where you want to configure the policy as an administrator.
  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand Local Policies and select Audit Policy.
    You will see the current security audit settings.
  4. Select a policy and edit the Local Security Settings for the events you want to be audited. The recommended settings are:

     Policy: Audit account logon events and Audit logon events
       Description: For auditing login activity.
       Settings: Select Success and Failure.

     Policy: Audit object access events
       Description: For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, Configure File Auditing Policy.
       Settings: Select Success and Failure.

     Policy: Audit system events
       Description: Includes system up/down messages.

  5. For an Enterprise Server's Domain Group Policy, make sure you set the following under Group Policy > Local Policies > Audit Policy:

    Policy = Audit object access

    Security Setting = Success or Failure

Configure File Auditing Policy

Configure this policy to see user meta data in file auditing events.

  1. Log in to the machine where you want to set the policy with administrator privileges.
    On a domain computer, a Domain administrator account is needed.
  2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties. By default, the General tab will be shown. Select the Security tab to continue.
  3. In the Security tab, click Advanced.

  4. Select the Auditing tab, and click Add, then click Select a principal.
    This button is labeled Edit in Windows 2008.

  5. In the Select User or Group dialog, click Advanced, and find and select the users, or groups, whose access to this file you want to monitor. If you want to audit all users access to the audited folder, select Everyone as shown below.

  6. Click OK after adding the users.
  7. In the Permissions tab, set the permissions for each user added.

    The configuration is now complete. Windows will generate audit events when the users or groups you specified take the actions specified on the files or folders for which you set the audit policies.

Configure Audit File System Policy

Configure this policy to enable change events for permission and/or ownership changes to files and/or directories. The policy will also upload the monitored files to FortiSIEM. This feature is available in FortiSIEM Windows Agent 5.x.x.

Complete these steps to enable Audit File System policy:

  1. Log in, with administrator privileges, to the machine where you want to set the policy.

    On a domain computer, you must have a Domain administrator account.

  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand the Advanced Audit Policy Configuration node.
  4. Expand System Audit Policies-Local Group Policy Object node.

    You will see the current security audit settings.

  5. Select Object Access.
  6. Select Audit File System on the left side of the window.
  7. Double-click Audit File System. In the pop-up window, select both Success and Failure under Configure the following audit events.
  8. Click Apply, then OK.

The Audit File System Policy is now enabled. Reboot your system to apply the changes.

Disable Audit Token Right Adjusted Success Events

As per Microsoft, it is recommended to disable "Success" auditing for "Audit Token Right Adjusted".

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703#security-monitoring-recommendations.

Enabling "Success" auditing for Audit Token Right Adjusted (Detailed Tracking) can generate more than 800 events (event ID 4703) per second, and this high event volume impacts system performance.

Complete these steps to disable "Success" for "Audit Token Right Adjusted".

  1. Log in, with administrator privileges, to the machine where you want to set the policy.

    On a domain computer, you must have a Domain administrator account.

  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Detailed Tracking.
  4. Go to the Detailed Tracking subcategory, and select Audit Token Right Adjusted.
  5. Double click Audit Token Right Adjusted, select the Configure the following audit events: checkbox.
  6. Uncheck the Success checkbox if needed to disable.
  7. Click Apply.
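The three Local Security Policy / Explorer procedures above (File Auditing Policy, Audit File System, and disabling Success auditing for Audit Token Right Adjusted) as one PowerShell script, added as an example that is not part of the Fortinet guide. The folder path is a constructed placeholder, and the subcategory names are those printed by auditpol /list /subcategory:*.

```powershell
# Added example (not from the Fortinet guide): apply the file-auditing
# configuration from this section with auditpol and a SACL instead of the
# GUI, then display the effective result. Must run elevated.
param([string]$Path = 'C:\AuditedShare')   # constructed example folder

# Advanced Audit Policy: Object Access > Audit File System (Success + Failure),
# and Detailed Tracking > Audit Token Right Adjusted with Success disabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Token Right Adjusted Events" /success:disable

# SACL on the folder: the equivalent of Properties > Security > Advanced >
# Auditing with principal "Everyone", applied to the folder and its contents.
# Write/Delete/ChangePermissions/TakeOwnership cover content, permission and
# ownership changes; add ReadData if read access must be audited as well.
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
$acl    = Get-Acl -Path $Path -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$rule   = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: effective subcategory settings and the audit entries now on the folder.
auditpol /get /subcategory:"File System","Token Right Adjusted Events"
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

Both the subcategory setting and the SACL are required: without the subcategory no object-access events are written, and without the SACL Windows has nothing to audit.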

Configuring Print Log

FortiSIEM supports pulling the Windows print log from the Windows Agent. To configure it, take the following steps.

Enabling Logging Print Log after WMI Configuration

After WMI Configuration is completed (See External Systems Configuration Guide Microsoft Windows Server), enable logging print log by taking the following steps.

  1. Open the Event Viewer window and navigate to Applications and Services Logs > Microsoft > Windows > PrintService.
  2. Click Operational.
  3. Right click, and select Properties.
  4. Add a checkmark to the Enable logging checkbox.
  5. Click Apply.
  6. Click OK.

    All print activities will be logged by Event Viewer through WMI. Event logs can be viewed under Applications and Services Logs -> Microsoft -> Windows -> PrintService -> Operational.

Setup in FortiSIEM

Take the following steps to access print logs in FortiSIEM.

  1. Log on to your Windows Server and navigate to Event Viewer > Applications and Services Logs > Microsoft > Windows > PrintService > Properties.
  2. Copy the full name from log properties.
  3. Log on to FortiSIEM in Super Global mode.
  4. Navigate to ADMIN > Setup > Windows Agent.
  5. Under Windows Agent Monitor Templates, click New to create a Monitor Template.
  6. In the Name field, enter a name for the template.
  7. Click the Event tab.
  8. In the Event Log row, click on New.
  9. In the Type drop-down list, select Other.
  10. In the Event Name field, enter/paste the full name from step 2.
  11. Click < Save.
  12. Click Save.
  13. Under Host to Template Associations, create a host to template association by clicking New.
  14. In the Name field, enter a name.
  15. Choose an organization.
  16. Select the monitor template you created through steps 5-12.
  17. Select a collector.
  18. Click Save.
  19. Click Apply.

FortiSIEM now automatically parses events received via WMI or FortiSIEM Windows Agent.

Configuring Windows Agent for Terminal Services

Take the following steps to configure audit log collection in Windows Agent for terminal services.

  1. Log on to FortiSIEM in Super Global mode.
  2. Navigate to ADMIN > Setup > Windows Agent.
  3. Under Windows Agent Monitor Templates, click New to create a Monitor Template.
  4. In the Name field, enter a name for the template.
  5. Click the Event tab.
  6. Select the File Log: DHCP checkbox.
  7. In the Event Log row, click on New.
  8. Take the following steps:
    1. In the Type drop-down list, select Security.
    2. For the Include Event field, leave as ALL.
    3. For the Exclude Event field, leave as NONE.
    4. Click < Save.
  9. In the Event Log row, click on New.
  10. Take the following steps:
    1. In the Type drop-down list, select Application.
    2. In the Source drop-down list, select All.
    3. For the Include Event field, leave as ALL.
    4. For the Exclude Event field, leave as NONE.
    5. Click < Save.
  11. In the Event Log row, click on New.
  12. Take the following steps:
    1. In the Type drop-down list, select Other.
    2. In the Event Name field, enter "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational".
    3. For the Include Event field, leave as ALL.
    4. For the Exclude Event field, leave as NONE.
    5. Click < Save.
  13. In the Event Log row, click on New.
  14. Take the following steps:
    1. In the Type drop-down list, select Other.
    2. In the Event Name field, enter "Microsoft-Windows-TerminalServices-RDPClient/Operational".
    3. For the Include Event field, leave as ALL.
    4. For the Exclude Event field, leave as NONE.
    5. Click < Save.
  15. In the Event Log row, click on New.
  16. Take the following steps:
    1. In the Type drop-down list, select Other.
    2. In the Event Name field, enter "Microsoft-Windows-TerminalServices-Gateway/Operational".
    3. For the Include Event field, leave as ALL.
    4. For the Exclude Event field, leave as NONE.
    5. Click < Save.
  17. Click Save.
  18. Under Host to Template Associations, create a host to template association by clicking New.
  19. In the Name field, enter a name.
  20. Choose an organization.
  21. Select the monitor template you created from step 3.
  22. Select collector(s).
  23. Click Save.
  24. Click Apply.

Enabling FIPS

Follow the steps below to enable FIPS on a Windows system:

  1. Click Start > Run and enter the command secpol.msc to open the Local Security Policy window.
  2. Select Security Settings > Local Policies > Security Options.
  3. In the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing and select Enabled.
  4. Click Apply and then OK.

Configuring Monitoring Policies in FortiSIEM

After you have configured Windows Servers in the previous step (Configuring Windows Servers for FortiSIEM Agents), you must create monitoring policies in FortiSIEM. For more information, see Define the Windows Agent Monitor Templates and Associate Windows Agents to Templates in the FortiSIEM User's Guide.

Verifying Events in FortiSIEM

Follow the steps below to verify the events in FortiSIEM:

    1. Go to ANALYTICS tab.
    2. Click the Filters field.
    3. Create the following condition: Attribute= Raw Event Log, Operator = CONTAIN, Value = AccelOps-WUA and click Save & Run.
      Note: All event types for all Windows Server generated logs are prefixed by AccelOps-WUA.
    4. Select the following Group By:
      1. Reporting Device Name
      2. Reporting IP
    5. Select the following Display Fields:
      1. Reporting Device Name
      2. Reporting IP
      3. COUNT(Matched Events)
    6. Run the query for the last 15 minutes.
      The Query will return all hosts that reported events in the last 15 minutes.

Uninstalling Windows Agent

To uninstall FortiSIEM Windows Agent, run the FortiSIEM Installer. When prompted, click Uninstall.

REST APIs used for Communication

A Windows Agent uses the following REST APIs:

Purpose                       URL                                                               Notes
Registration to Supervisor    https://<SuperFQDN>:<port>/phoenix/rest/register/windowsAgent     Supported port is 443
Status update to Supervisor   https://<SuperFQDN>:<port>/phoenix/rest/windowsAgent/update       Supported port is 443
Event Upload to Collectors    https://<CollectorFQDNorIP>:<port>/winupload_direct?<AgentID>     Supported port is 443

Troubleshooting from Windows Agent

Follow the troubleshooting steps for your version of Windows Agent.

Windows Agent 4.3.x and later

In Windows Agent 4.3.x and later, edit the following:

  • In C:/Program Files/Fortinet/FortiSIEM/log4net.config

    • Replace <LogLevel>ERROR</LogLevel> with <LogLevel>DEBUG</LogLevel>.

  • In C:/Program Files/Fortinet/FortiSIEM/fins.xml

    • Replace <LogLevel>4</LogLevel> with <LogLevel>1</LogLevel>.

  • In registry HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiSIEM

    • Edit the value LogLevel from 1 to 2.

These changes take effect immediately. Allow logs to be collected for at least 5 minutes, then revert the changes to their original values.

The debugging information is available in the following log files:

  • Agent Service logs are located in C:\ProgramData\FortiSIEM\Agent\Logs\FSMLogAgent.log

  • Agent Application logs are located in C:\ProgramData\FortiSIEM\Agent\Logs\Trace.log

  • Other Agent Application logs are located in C:\Program Files\Fortinet\FortiSIEM\logs\cms.log
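The debug-collection cycle for Windows Agent 4.3.x and later (switch the three settings, wait 5 minutes, keep the logs, revert) as an added PowerShell script that is not part of the Fortinet guide. It assumes the file, registry and log paths exactly as listed above and keeps untouched copies of the original settings so the revert is exact even if the script is interrupted.

```powershell
# Added example (not from the Fortinet guide): temporarily raise the Windows
# Agent 4.3.x+ log levels listed in the guide, collect for 5 minutes, copy
# the debug logs aside, and restore the original settings. Must run elevated.
$base   = 'C:\Program Files\Fortinet\FortiSIEM'
$regKey = 'HKLM:\SOFTWARE\Fortinet\FortiSIEM'
# file -> @(original text, debug text), as documented in the guide
$files  = @{
    "$base\log4net.config" = @('<LogLevel>ERROR</LogLevel>', '<LogLevel>DEBUG</LogLevel>')
    "$base\fins.xml"       = @('<LogLevel>4</LogLevel>',     '<LogLevel>1</LogLevel>')
}
$logs   = @('C:\ProgramData\FortiSIEM\Agent\Logs\FSMLogAgent.log',
            'C:\ProgramData\FortiSIEM\Agent\Logs\Trace.log',
            "$base\logs\cms.log")
$outDir = Join-Path $env:TEMP ('fsm-agent-debug-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Snapshot the originals; reverting from a copy avoids a second string replace.
$backup = @{}
foreach ($f in $files.Keys) { $backup[$f] = [System.IO.File]::ReadAllText($f) }
$origLevel = (Get-ItemProperty -Path $regKey -Name LogLevel).LogLevel

try {
    foreach ($f in $files.Keys) {
        $from, $to = $files[$f]
        if ($backup[$f] -notmatch [regex]::Escape($from)) {
            Write-Warning "$f does not contain '$from'; is this really 4.3.x or later?"
        }
        [System.IO.File]::WriteAllText($f, $backup[$f].Replace($from, $to))
    }
    Set-ItemProperty -Path $regKey -Name LogLevel -Value 2
    Write-Host 'Debug logging enabled; collecting for 5 minutes...'
    Start-Sleep -Seconds 300

    New-Item -ItemType Directory -Path $outDir | Out-Null
    foreach ($l in $logs) { if (Test-Path $l) { Copy-Item -Path $l -Destination $outDir } }
    Write-Host "Debug logs copied to $outDir"
}
finally {
    # Always revert, even on Ctrl-C, so the agent does not stay in debug mode.
    foreach ($f in $files.Keys) { [System.IO.File]::WriteAllText($f, $backup[$f]) }
    Set-ItemProperty -Path $regKey -Name LogLevel -Value $origLevel
    Write-Host 'Original log levels restored.'
}
```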

Windows Agent 4.2.x and earlier

In Windows Agent 4.2.X and earlier, edit the following:

  • In registry HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent

    • Edit the value LogLevel from 1 to 2.

These changes take effect immediately. Allow logs to be collected for at least 5 minutes, then revert the changes to their original values.

The debugging information is available in the following log files:

  • Agent Service logs are located in C:\ProgramData\AccelOps\Agent\Logs\AoWinAgt.log
  • Agent Application logs are located in C:\ProgramData\AccelOps\Agent\Logs\ProxyTrace.log

Sample Windows Agent Logs

For sample Windows Agent logs, see Sample Windows Agent Logs in the FortiSIEM User's Guide.

Communication Ports

FortiSIEM Windows Agent 5.x.x communicates outbound via HTTPS with Supervisor and Collectors.

  1. The Agent registers to the Supervisor and periodically receives monitoring template updates if any, via HTTP(S).
  2. The Agent then forwards the events to the Collectors via HTTP(S).

Ensure that Firewalls, if any, between the Agents and Supervisor/Collector permit HTTP(S) traffic on port 443. If you decide to upgrade Windows Agent 4.2.0 or later from the Supervisor (see Upgrade from Supervisor), then make sure the Supervisor can communicate with FortiGuard Service (update.fortiguard.net) on port 443 to validate the upgrade images.

Other Installation Considerations

Certificate Validation

The FortiInsight UEBA module uses the WinVerifyTrust APIs to validate that its executable has not been tampered with. This process requires the root certificate chain to be present on the endpoint device in question. FortiSIEM Windows Agent is signed using a DigiCert Authenticode Certificate, which requires the DigiCert Trusted Root G4 Certificate to be present in the Certificate Store.

Normally these certificates will be updated along with Windows Updates, however if the endpoint device does not allow for Certificate Authorities to be updated via this mechanism, you must install it manually for the FortiInsight UEBA module to work correctly.


These certificates can be found here:

https://www.digicert.com/kb/digicert-root-certificates.htm


Search for G4 root certificate, serial number: 05:9B:1B:57:9E:8E:21:32:E2:39:07:BD:A7:77:75:5C.

Or direct link to DER/CRT: https://cacerts.digicert.com/DigiCertTrustedRootG4.crt


Once the certificate has been downloaded, simply right click the certificate from the download and select "install certificate".

Follow the certificate wizard and import will complete.
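The following PowerShell is an added example, not part of the Fortinet guide: it checks the machine Trusted Root store for the DigiCert Trusted Root G4 certificate (matched by the serial number given above, written without colons), installs it from the direct link if it is missing, and then confirms that the installed agent binary carries a valid Authenticode signature. It assumes the default install path under Program Files, an elevated session, and the PKI module that ships with Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the FortiSIEM guide). Run from an elevated PowerShell session.
$RootSerial = '059B1B579E8E2132E23907BDA777755C'   # 05:9B:1B:57:... from the guide, colons removed
$RootUrl    = 'https://cacerts.digicert.com/DigiCertTrustedRootG4.crt'
$AgentExe   = Join-Path $env:ProgramFiles 'Fortinet\FortiSIEM\FSMLogAgent.exe'   # assumed default path

function Get-DigiCertG4Root {
    # WinVerifyTrust builds chains against the machine-wide Trusted Root store.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.SerialNumber -eq $RootSerial }
}

function Install-DigiCertG4Root {
    # Same result as the "Install Certificate" wizard, but scripted and pinned to the expected serial.
    $tmp = Join-Path $env:TEMP 'DigiCertTrustedRootG4.crt'
    Invoke-WebRequest -Uri $RootUrl -OutFile $tmp -UseBasicParsing
    $cert = Import-Certificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\Root
    Remove-Item $tmp -ErrorAction SilentlyContinue
    # Do not leave an unexpected certificate in the root store if the download was not the G4 root.
    if ($cert.SerialNumber -ne $RootSerial) {
        Remove-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
        throw "Downloaded certificate serial $($cert.SerialNumber) does not match the expected G4 root"
    }
    $cert
}

function Test-AgentSignature {
    param([string]$Path = $AgentExe)
    if (-not (Test-Path $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = $Path
        Status = $sig.Status            # 'Valid' means the chain built to a trusted root
        Signer = $sig.SignerCertificate.Subject
        Issuer = $sig.SignerCertificate.Issuer
    }
}

if (-not (Get-DigiCertG4Root)) {
    Write-Warning 'DigiCert Trusted Root G4 not found in LocalMachine\Root; installing it.'
    Install-DigiCertG4Root | Out-Null
}
Test-AgentSignature
```

A Status of anything other than Valid after the root is present (for example NotSigned or HashMismatch) is the same condition WinVerifyTrust would reject, so it is worth treating as an integrity problem with the binary rather than a certificate-store problem.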

Prerequisites Beginning with Windows Agent 5.0.0 and later

If antivirus software interferes with the FortiSIEM Windows Agent, you can consider whitelisting the following files on the endpoint. This is useful if the antivirus software uses application sandboxing heuristics that wrap around any new applications. This can result in high CPU and memory usage and can significantly slow down the machine.

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\certs.pem

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\cn.bat

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\fins.xml

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Common.dll

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Security.dll

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Utilities.dll

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Utilities.manifest

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.WebProxy.dll

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.WebProxy.manifest

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.WinRTWrapper.dll

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FSMLogAgent.exe

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\FSMLogAgent.exe.config

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\License_3rd_party.txt

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\log4net.config

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\log4net.dll

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\monitorStatus.xml

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\osquery.exe

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\data\*

  • <Windows drive>:\Program Files\Fortinet\FortiSIEM\logs\*

  • <Windows drive>:\ProgramData\FortiSIEM\Database\*

  • <Windows drive>:\ProgramData\FortiSIEM\Logs\*

  • <Windows drive>:\Windows\System32\drivers\FortiInsight.sys

Prerequisites Beginning with Windows Agent 3.0

Beginning with Windows Agent release 3.0:

  • Agents must upload event data to a Collector. Therefore, minimum architecture is one Super appliance and one Collector appliance.
  • The Collector must be installed as IPv4 only. Dual stack IPv4/IPv6 or IPv6 Collectors are not supported with Agents.
  • Enable TLS 1.2 for Windows Agent to communicate with FortiSIEM Super/Worker/Collector nodes. Without TLS 1.2 enabled, Windows Agent installation will fail. By default, SSL3 / TLS 1.0 is enabled in Windows 7, 8 and 2008-R2. Before proceeding with the Windows Agent installation, please enable TLS 1.2 (if not already enabled) as follows:
    1. Start elevated Command Prompt (i.e., with administrative privilege)
    2. Run the following commands sequentially as shown.

      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000

  • Switch off Disk Fair Share. If it is on, then the real user in UEBA may not be captured. You can switch it off by running the following commands in powershell:

    $temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")

    $temp.enableDiskFSS = 0

    $temp.put()

    For more information on Disk Fair Share, see https://support.microsoft.com/en-gb/help/4494631/fair-share-technologies-enabled-by-default-in-remote-desktop-services.
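The PowerShell below is an added example (not from the guide) that checks the two endpoint prerequisites above, the SCHANNEL TLS 1.2 client settings and the Remote Desktop Services Disk Fair Share flag, and applies them only when called with -Fix. It uses the same registry key and the same Win32_TerminalServiceSetting class the guide refers to; the companion SCHANNEL value Enabled=1 and the .NET release lookup are additions, since the guide shows only DisabledByDefault.

```powershell
# Added example (not from the FortiSIEM guide). Run from an elevated PowerShell session.
$Tls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

function Get-Tls12ClientState {
    # A missing key means the OS default applies; on Windows 7 / 2008 R2 that default leaves TLS 1.2 off.
    if (-not (Test-Path $Tls12Client)) {
        return [pscustomobject]@{ KeyPresent = $false; DisabledByDefault = $null; Enabled = $null }
    }
    $p = Get-ItemProperty -Path $Tls12Client
    [pscustomobject]@{ KeyPresent = $true; DisabledByDefault = $p.DisabledByDefault; Enabled = $p.Enabled }
}

function Enable-Tls12Client {
    # Equivalent of the REG ADD command in the guide, plus Enabled=1 (assumed companion value).
    New-Item -Path $Tls12Client -Force | Out-Null
    New-ItemProperty -Path $Tls12Client -Name DisabledByDefault -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $Tls12Client -Name Enabled           -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-DiskFairShare {
    # Same WMI class as the gwmi command in the guide, read through the CIM cmdlets.
    (Get-CimInstance -Namespace 'root\cimv2\terminalservices' -ClassName Win32_TerminalServiceSetting).EnableDiskFSS
}

function Disable-DiskFairShare {
    $ts = Get-CimInstance -Namespace 'root\cimv2\terminalservices' -ClassName Win32_TerminalServiceSetting
    $ts.EnableDiskFSS = 0
    Set-CimInstance -InputObject $ts
}

function Test-AgentPrerequisites {
    param([switch]$Fix)
    $tls   = Get-Tls12ClientState
    $tlsOk = $tls.KeyPresent -and ($tls.DisabledByDefault -eq 0) -and ($tls.Enabled -ne 0)
    if (-not $tlsOk -and $Fix) { Enable-Tls12Client; $tlsOk = $true }

    $fssOk = (Get-DiskFairShare) -eq 0
    if (-not $fssOk -and $Fix) { Disable-DiskFairShare; $fssOk = $true }

    # .NET 4.x release number; 393295 or higher corresponds to .NET Framework 4.6 (the 4.3.0+ requirement).
    $net = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Tls12ClientEnabled = $tlsOk
        DiskFairShareOff   = $fssOk
        DotNetRelease      = $net.Release
    }
}

Test-AgentPrerequisites          # report only
# Test-AgentPrerequisites -Fix   # apply both changes
```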

Installing Windows Agent

Caution: Before installing FortiSIEM Agent on FortiSIEM nodes, you must do detailed performance testing, since FortiSIEM nodes consume significant CPU to process a high volume of events in real time.

During installation, the Windows Agent will register with FortiSIEM Supervisor.

The required parameters are:

  • SUPER_IP: IP Address or Host name/FQDN of Supervisor node
  • ORG_ID: FortiSIEM Organization Id to which this Agent belongs
  • ORG_NAME: FortiSIEM Organization Name
  • AGENT_USER: Agent user name (for registration only)
  • AGENT_PASSWORD: Agent password (for registration only)
  • HOST_NAME: This name will be displayed in FortiSIEM CMDB. FortiSIEM recommends using a Fully Qualified Domain Name (FQDN), especially if SNMP or WMI is also going to be used against this device. FQDN allows for standardized naming convention.

Caution: For Service Provider installations, the Agent user name and password are defined in the Organization. See here for details.

For Enterprise installations, Agent user name and password is defined in CMDB > User page. You must create a user and check Agent Admin. See here for details.

Follow the instructions for the Windows Agent version you plan to install.

Notes: Starting with release 4.4.0, Agent Setup GUI allows you to select your License Type as Enterprise or Service Provider from a drop-down list.

Starting with release 4.2.0, Agent Setup GUI allows you to enter the Agent Configuration parameters (See Installing Windows Agent 4.2.x and Later via GUI). Also, version 4.2.3 provides a way for the user to install the agent so that service can be stopped (See Installing Windows Agent 4.2.x and Later via Command Line).

Installing Windows Agent in VDI Environment

Starting with release 4.4.0, the Windows Agent supports Virtual Desktop Infrastructure (VDI) as a deployment mechanism. VDI deployment also supports ReadOnly VDI images. In this scenario, device names are added to CMDB > Device list as the active session user, with the domain and username separated by two underscores '__' (i.e., domain__username).

To install onto a VDI, the ReadOnly images installation process is similar to a regular installation, but must follow these initial steps.

  1. Install the Windows Agent onto the Golden image of your VDI image. When prompted for settings, ensure that you check the VDI deployment checkbox.


  2. Allow the Golden Image to register and send data to your FortiSIEM Deployment.

  3. Once verified, create a snapshot of your Golden Image.

  4. Start your ReadOnly VDI image.

  5. Verify the new VDI session (with domain__user) has been able to register, and is in Running Active State.

  6. Shutdown the VDI session.

When the user logs on to the VDI environment and downloads a VM from the VDI Server, the VM contains a VDI transient image (containing the Windows Agent). The agent automatically registers to the FortiSIEM Supervisor node, with host name set to <DOMAIN>__<USERNAME> in CMDB.

When the user logs off from the VDI environment, the agent automatically unregisters from the FortiSIEM Supervisor node. The agent's status is set to decommissioned, so that it does not consume an agent license.

Installing Windows Agent 4.2.x and Later via GUI

To install Windows Agent 4.2.x and later via GUI, take the following steps.

  1. Log in to the Windows machine as Administrator.
  2. Copy Windows Agent 4.2.x binary FSMLogAgent-v4.2.x.exe, Windows Agent 4.3.x binary FSMLogAgent-v4.3.x.exe, or Windows Agent 4.4.x binary FSMLogAgent-v4.4.x.exe to the same folder.
  3. Ensure that the FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or Windows Agent 4.4.x binary FSMLogAgent-v4.4.x.exe in step 2 is in the same folder (example: copy to c:\Temp\).
  4. Double-click the FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or Windows Agent 4.4.x binary FSMLogAgent-v4.4.x.exe package and the installation process will start.
  5. In the Choose License Type dialog box, select Enterprise or Service Provider, and click Next.
    Note: With Windows Agent 4.4.0 and later, the dialog box is replaced with a License Type drop-down list.


  6. In the Supervisor IP/Name field, enter the Supervisor IP address or hostname.
  7. In the Supervisor Port field, enter the Supervisor port number. The default value is 443.
  8. If applicable, in the Organization Name field, enter the organization name.
    Note: The field will be greyed out if it is not applicable.
  9. If applicable, in the Organization ID field, enter the organization ID.
    Note: The field will be greyed out if it is not applicable.
  10. In the Agent HostName field, enter the agent hostname.
  11. In the Agent Username field, enter the agent username to access the Windows Agent.
    Note: The agent username cannot contain special characters: !#%&/\\:;<>=?[]{}^`|~
  12. In the Agent Password field, enter the password associated with the agent username entered earlier.
    Note: The password must be between 8-64 characters, with at least 1 letter, 1 number and 1 special character (e.g. $*&%).
  13. Check the Verify Host TLS/SSL certificate checkbox if you wish to confirm the Host TLS/SSL certificate.
  14. Click Next to proceed with installation.

    If any settings errors are detected, a dialog box will instruct you on the field that needs to be re-entered. When all fields are valid, the installation will start. After a successful installation, the Agent will register to the Supervisor and start running.
    Note: If the installation returns a pop-up to restart your computer, click Close.

Installing Windows Agent 4.2.x and Later via Command Line

To install Windows Agent 4.2.x and Later via Command Line (CLI), take the following steps.

  1. Log in to the Windows machine where Windows Agent will be installed as Administrator.
  2. Copy Windows Agent 4.2.x binary FSMLogAgent-v4.2.x.exe, Windows Agent 4.3.x binary FSMLogAgent-v4.3.x.exe, or Windows Agent 4.4.x binary FSMLogAgent-v4.4.x.exe to the same folder.
  3. Ensure that the FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or FSMLogAgent-v4.4.x.exe in step 2 is in the same folder (example: copy to c:\Temp\).
  4. Launch Command Prompt, go to the Installation packages saved location, and run
    FSMLogAgent.exe SUPERNAME="<Supervisor IP Address or Hostname>" SUPERPORT="<Supervisor port #>" ORGNAME="<Organization name>" ORGID="<Organization ID>" AGENTUSER="<Agent username>" AGENTPASSWORD="<Agent password>" HOSTNAME="<Hostname of the Agent; leave blank to use the default name>" SSLCERT="<Use '1' to verify the Host TLS/SSL certificate; omit this parameter if you do not need to verify the Host TLS/SSL certificate>"

    Example:
    C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost"

    To run in silent mode, add “ /quiet” to the end of the installation command.
    Example:
    C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.2.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" SSLCERT="1" /quiet

  5. The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.

Using Special Characters in Password when Registering via CLI

Choose characters from the set published here: https://owasp.org/www-community/password-special-characters

The password must be enclosed in double quotes. If the password contains a double quote ("), escape it with a second double quote ("), e.g. "Password""11".

Installing with the Ability to Stop Agent Service

Normal installations do not allow you to stop the Windows Agent from Windows Service Control Manager. Starting with release 4.2.3, you can do this by adding the UNPROTECT=1 option to the command line, e.g.
./FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" UNPROTECT=1

If you do not add the UNPROTECT=1 flag, then the process cannot be stopped from Windows Service Control Manager. This is the default behavior.

If you add the UNPROTECT=1 flag, then the Administrator can stop the process from Windows Service Control Manager.
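As an added example covering the command-line install, the special-character rule and the UNPROTECT option above (this is not the installer's own code): the script validates the agent username and password against the rules stated in the GUI notes, applies the installer's quoting convention (each literal double quote doubled, the value wrapped in double quotes), reads the registration password from a credential prompt so it does not end up in shell history, and runs the installer, returning its exit code. The Supervisor address, organization, host name and installer path are placeholders.

```powershell
# Added example (not from the FortiSIEM guide). Run from an elevated PowerShell session.
$ForbiddenUserChars = [char[]]'!#%&/\:;<>=?[]{}^`|~'   # from the Agent Username note in the guide

function Test-AgentUserName {
    param([string]$Name)
    foreach ($c in $ForbiddenUserChars) { if ($Name.Contains([string]$c)) { return $false } }
    return $Name.Length -gt 0
}

function Test-AgentPassword {
    # 8-64 characters with at least one letter, one digit and one special character (guide rule).
    param([string]$Password)
    if ($Password.Length -lt 8 -or $Password.Length -gt 64) { return $false }
    return ($Password -cmatch '[A-Za-z]') -and ($Password -match '\d') -and ($Password -match '[^A-Za-z0-9]')
}

function ConvertTo-InstallerArgument {
    # Wrap in double quotes and double any embedded quote: Password"11 becomes "Password""11".
    param([string]$Value)
    '"' + $Value.Replace('"', '""') + '"'
}

function New-AgentInstallArguments {
    param(
        [string]$SuperName, [int]$SuperPort = 443, [string]$OrgName, [string]$OrgId,
        [string]$AgentUser, [string]$AgentPassword, [string]$HostName,
        [switch]$VerifyTls, [switch]$Unprotect, [switch]$Quiet
    )
    if (-not (Test-AgentUserName $AgentUser))     { throw 'AGENTUSER contains a forbidden character' }
    if (-not (Test-AgentPassword $AgentPassword)) { throw 'AGENTPASSWORD does not meet the 8-64 / letter / digit / special rule' }

    $parts = @(
        "SUPERNAME=$(ConvertTo-InstallerArgument $SuperName)",
        "SUPERPORT=$(ConvertTo-InstallerArgument $SuperPort)",
        "ORGNAME=$(ConvertTo-InstallerArgument $OrgName)",
        "ORGID=$(ConvertTo-InstallerArgument $OrgId)",
        "AGENTUSER=$(ConvertTo-InstallerArgument $AgentUser)",
        "AGENTPASSWORD=$(ConvertTo-InstallerArgument $AgentPassword)"
    )
    if ($HostName)  { $parts += "HOSTNAME=$(ConvertTo-InstallerArgument $HostName)" }
    if ($VerifyTls) { $parts += 'SSLCERT="1"' }
    if ($Unprotect) { $parts += 'UNPROTECT=1' }   # 4.2.3+: lets an Administrator stop the service
    if ($Quiet)     { $parts += '/quiet' }
    return $parts
}

function Install-FsmAgent {
    param([string]$InstallerPath = 'C:\Temp\FSMLogAgent.exe', [string[]]$Arguments)
    $p = Start-Process -FilePath $InstallerPath -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode     # 0 means the installer completed; registration is confirmed in CMDB
}

$cred = Get-Credential -UserName 'agent' -Message 'FortiSIEM agent registration user'
$installArgs = New-AgentInstallArguments -SuperName '192.0.2.10' -OrgName 'org2' -OrgId '2001' `
    -AgentUser $cred.UserName -AgentPassword $cred.GetNetworkCredential().Password `
    -HostName 'host01.example.com' -VerifyTls -Quiet
Install-FsmAgent -Arguments $installArgs
```

Leaving out -Unprotect keeps the default, protected service; add it only on hosts where an Administrator legitimately needs to stop FSMLogAgent from Service Control Manager.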

Installing Windows Agent 4.2.x and Later via GPO

Once you have created an MSI transforms file, you use it to pre-load all properties into the install during GPO deployment. For information on creating an MSI transforms file, see Creating a MSI Transforms File.

To install, take the following steps.

  1. Navigate to the download location of the FortiSIEM Windows Agent.

  2. Run the following command:

    msiexec /i FSMLogAgent_x64.msi /qn TRANSFORMS=<transforms_file>

    Example:

    msiexec /i FSMLogAgent_x64.msi /qn TRANSFORMS=fsmlogagent.mst

    Once complete, the transforms file will be used to provide the required properties when installing the FortiSIEM Windows Agent.

    To check for successful registration, take the following steps.
  1. Log in to FortiSIEM in Super Global mode as Admin user.
  2. Go to CMDB and search for the Agent Host name.
  3. Check the Status column.

Make sure the Templates and Host to Template association policies are defined for this Host by taking the following steps:

  1. Log in to FortiSIEM in Super Global mode.
  2. Go to ADMIN > Setup > Windows Agent and make sure the templates and host to template associations are defined.
    One of the host-to-template association policies must match this agent. The first matched policy will be selected.
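The PowerShell below is an added example (not from the guide) of running the msiexec command above from a script: it passes the transforms file, keeps a verbose MSI log, maps the common exit codes, and reports whether the agent service exists afterwards. The MSI, transforms and log paths are placeholders, and the service name FSMLogAgent is taken from the Agent Service section of this guide.

```powershell
# Added example (not from the FortiSIEM guide). Run from an elevated PowerShell session.
function Install-FsmAgentMsi {
    param(
        [string]$MsiPath        = 'C:\Temp\FSMLogAgent_x64.msi',     # placeholder
        [string]$TransformsPath = 'C:\Temp\fsmlogagent.mst',         # placeholder, from ORCA
        [string]$LogPath        = "$env:TEMP\FSMLogAgent-install.log"
    )
    # Same switches as the guide's command, plus a verbose log for troubleshooting failed installs.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', "TRANSFORMS=`"$TransformsPath`"", '/l*v', "`"$LogPath`"")
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

    $result = switch ($p.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed, reboot required' }              # ERROR_SUCCESS_REBOOT_REQUIRED
        1603    { 'Fatal error during installation; see log' }
        default { "msiexec exit code $($p.ExitCode); see log" }
    }
    [pscustomobject]@{
        ExitCode = $p.ExitCode
        Result   = $result
        Log      = $LogPath
        Service  = (Get-Service -Name FSMLogAgent -ErrorAction SilentlyContinue).Status
    }
}

Install-FsmAgentMsi
```

A Running service only shows that the package installed; registration still has to be confirmed in CMDB as described in the steps above.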

Creating a MSI Transforms File

When deploying the FortiSIEM Windows Agent via Active Directory Group Policy Object, you are advised to create an MSI transforms file to pre-populate the MSI properties.

Outlined below is a way to create a transforms file using ORCA, a third party application provided by Microsoft. Although other third party tools are available, this process was verified and tested on ORCA version 5.0.10011.0.

After installing ORCA, load the FortiSIEM Windows Agent MSI by taking the following steps.

  1. Select File > Open.

  2. Navigate to the FortiSIEM Windows Agent download location.

  3. Select the MSI file you want to create a transforms file for (FSMLogAgent_x64.msi is used in this example).

Once the chosen MSI is loaded into ORCA, you can create a new transforms file ready for use by taking the following steps.

  1. In ORCA, select Transform > New Transform.

  2. Select Property from the left Tables side panel.

  3. Add the properties from the following table, with your specific values, either by:

    1. Clicking on a new row to add property.

    2. Right clicking on empty space, and select Add Row.

    3. Using key combination of CTRL+R.

      Property       Example      Description
      SUPERNAME      192.0.20.1   Super IP or Hostname
      AGENTUSER      agent        Agent user name with permission to register new agent
      AGENTPASSWORD  Agentpass*1  Agent user password with permission to register new agent
      ORGID          2000         The organization ID to register agent to
      ORGNAME        ORG01        The organization name to register agent to

      Adding Properties Screenshot Example:

      Required Properties Screenshot Example:

  4. Once all required properties are added, select Transform > Generate Transform.

  5. Save the newly generated transforms file to your required location.

  6. Once generated, close the MSI you are editing by clicking File > Close.

  7. Repeat the process for both x64 and x86 MSI files.

    The generated transforms file can then be used to create a software package, using Active Directory GPO, see Installing Windows Agent 4.2.x and Later via GPO.

Installing Windows Agent 4.0.0 to 4.1.x

In these versions, the Agent configuration parameters have to be entered into an InstallSettings.xml file. The Agent Setup GUI is only available from 4.2.0 onwards. Also, the FortiSIEM LogAgent Service cannot be stopped.

Follow the steps below to install Windows Agent:

  1. Log in to the Windows machine where Windows Agent will be installed.
  2. Copy Windows Agent 4.0.x or 4.1.x binaries: FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe and InstallSettings.xml to the same folder.
  3. Obtain the Organization ID, Organization Name and Agent registration credentials.
    1. When using the multi-tenant version of FortiSIEM, follow these substeps to find these items:
      1. Log in to FortiSIEM in Super Global mode as Admin user.
      2. Go to ADMIN > Setup > Organizations and locate the Organization (ID, Name) to which this Agent belongs. If not present, create an Organization.
      3. Locate the Agent Registration User and Password for the Organization. If not present, define them.
    2. When using the Enterprise version of FortiSIEM, use “1” for the Organization ID and “super” for the Organization Name.
  4. Download the InstallSettings.xml file, and edit the fields for your environment.
    1. Use your favorite text editor to create an XML file named InstallSettings.xml in the same folder where you copied the Windows Agent binaries. Use the following code as a template.
    2. Provide the values for the Organization name (ORG_NAME), the Agent Registration User name (AGENT_USER), and Password (AGENT_PASSWORD) from step 3. Make sure that AGENT_PASSWORD is enclosed within a CDATA block as in the sample InstallSettings.xml file. This allows the AGENT_PASSWORD to contain special characters like "&", "<", ">", "!", "#", etc. Make sure that there are no leading or trailing white spaces between CDATA[ and ]].
      For example, <Password><![CDATA[ myPassword ]]></Password> is not acceptable.
      It would need to be changed to <Password><![CDATA[myPassword]]></Password>.
      Note: When viewing the InstallSettings.xml file through a web browser, extraneous space characters may appear. Fortinet recommends saving the InstallSettings.xml file, then viewing it through a proper XML editor.
    3. It is recommended that you specify the Agent Host name in the <HostName>AGENT_HOST_NAME</HostName> tag. This will be the device name in the FortiSIEM CMDB. If this attribute is not specified, then the agent will pick up the NetBios Name, which will also be the device name in CMDB.
  5. Install the Agent:
    Choose one of options listed to install your Windows Agent.
    1. Option 1: Install via Windows File Explorer
      1. Log in to the Windows machine as Administrator.
      2. Ensure that the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe in step 2 and InstallSettings.xml in step 4 are in the same folder (example: copy to c:\Temp\).
      3. Double-click the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe package and the installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.
        Note: If the installation returns a pop-up to restart your computer, click Close.

    2. Option 2: Install via Command Line
      1. Log in to the Windows machine as Administrator.
      2. Ensure that the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe in step 2 and InstallSettings.xml in step 4 are in the same folder (example: copy to c:\Temp\).
      3. Launch Command Prompt, go to the Installation packages saved location, and run FSMLogAgent-v4.x.x-mmddyyyy.exe with the /norestart option.
        For example, C:\Temp\FSMLogAgent-v4.1.0-03052021.exe /norestart

        The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.
  6. Check CMDB for successful registration:
    1. Log in to FortiSIEM in Super Global mode as Admin user.
    2. Go to CMDB and search for the Agent Host name.
    3. Check the Status column.
  7. Make sure the Templates and Host to Template association policies are defined for this Host:
    1. Log in to FortiSIEM in Super Global mode.
    2. Go to ADMIN > Setup > Windows Agent and make sure the templates and host to template associations are defined.
      One of the host-to-template association policies must match this agent. The first matched policy will be selected.
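As an added example for the CDATA rule in step 4 above (not code from the guide), the PowerShell function below parses an InstallSettings.xml, confirms the Password element is a CDATA section, and rejects leading or trailing whitespace inside it, which is exactly the "<![CDATA[ myPassword ]]>" case the guide says is not acceptable. The root element name and the surrounding layout of the constructed sample are assumptions; only the Password and HostName elements come from the guide.

```powershell
# Added example (not from the FortiSIEM guide).
function Test-InstallSettingsPassword {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $node = $doc.SelectSingleNode('//Password')
    if (-not $node) { return [pscustomobject]@{ Ok = $false; Reason = 'No <Password> element found' } }

    $child = $node.FirstChild
    if (-not $child -or $child.NodeType -ne 'CDATA') {
        return [pscustomobject]@{ Ok = $false; Reason = 'Password is not wrapped in a CDATA block' }
    }
    if ($child.Value -ne $child.Value.Trim()) {
        return [pscustomobject]@{ Ok = $false; Reason = 'Leading or trailing whitespace inside CDATA[ ... ]]' }
    }
    [pscustomobject]@{ Ok = $true; Reason = 'Password CDATA is well-formed' }
}

# Constructed sample that violates the rule (note the spaces around myPassword).
$sample = @'
<InstallSettings>
  <HostName>host01.example.com</HostName>
  <Password><![CDATA[ myPassword ]]></Password>
</InstallSettings>
'@
$tmp = Join-Path $env:TEMP 'InstallSettings-check.xml'
Set-Content -Path $tmp -Value $sample
Test-InstallSettingsPassword -Path $tmp     # Ok = False: whitespace inside the CDATA block
Remove-Item $tmp
```

Run it against the real InstallSettings.xml before double-clicking the installer; an Ok of True means the password will reach the installer exactly as written.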

Installing Windows Agent Without Supervisor Communication

In typical installations, FortiSIEM Agents register to the Supervisor node, but send the events by using the Collector. In many MSSP situations, customers do not want Agents to directly communicate with the Supervisor node. This requirement can be satisfied by setting up the Collector as an HTTPS proxy between the Agent and the Supervisor. This section describes the required configurations.

Step 1: Set Up the Collector as an HTTPS Proxy

Follow these steps to set up the Collector as an HTTPS proxy:

  1. Log in to the Collector.

  2. Go to /etc/httpd/conf.d.

  3. Create the configuration file agent-proxy.conf with the following content.

    agent-proxy.conf Content

    ProxyPass /phoenix/rest/register/windowsAgent https://<Supervisor IP Address>/phoenix/rest/register/windowsAgent
    ProxyPassReverse /phoenix/rest/register/windowsAgent https://<Supervisor IP Address>/phoenix/rest/register/windowsAgent

    ProxyPass /phoenix/rest/windowsAgent/update https://<Supervisor IP Address>/phoenix/rest/windowsAgent/update
    ProxyPassReverse /phoenix/rest/windowsAgent/update https://<Supervisor IP Address>/phoenix/rest/windowsAgent/update

    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off

  4. To upgrade the Windows Agent from the Supervisor (FortiSIEM 6.4.0 or later) while using the Collector as a proxy, the following Windows Agent Upgrade Proxy Configuration is required so that the Windows Agent can download the files needed for the upgrade.

    Add this to agent-proxy.conf.

    Windows Agent Upgrade Proxy Configuration

    ProxyPass /WinAgentUpgrade/FSMLogAgent.exe https://<Supervisor IP Address>/WinAgentUpgrade/FSMLogAgent.exe
    ProxyPassReverse /WinAgentUpgrade/FSMLogAgent.exe https://<Supervisor IP Address>/WinAgentUpgrade/FSMLogAgent.exe
    
    ProxyPass /WinAgentUpgrade/AutoUpdate.exe https://<Supervisor IP Address>/WinAgentUpgrade/AutoUpdate.exe
    ProxyPassReverse /WinAgentUpgrade/AutoUpdate.exe https://<Supervisor IP Address>/WinAgentUpgrade/AutoUpdate.exe
  5. If running Windows Agent 5.0.0 or later, add the following route to agent-proxy.conf.

    ProxyPass /phoenix/rest/device/update https://<Supervisor IP Address>/phoenix/rest/device/update
    ProxyPassReverse /phoenix/rest/device/update https://<Supervisor IP Address>/phoenix/rest/device/update
  6. Restart httpd, for example: service httpd restart.

Step 2: Install Agents to Work with the Collector

Follow these steps to install the Windows Agents to work with the Collector.

  1. If you already have agents registered with the Supervisor, then uninstall them.
  2. Re-install the Windows Agents, following the instructions in Installing Windows Agent. During installation, set the Supervisor IP to the IP address of the Collector node.

Upgrading Windows Agent

Upgrading from Windows Agent Version 4.2.x and Later

If you are running Agent 4.2.0 or later, then you can upgrade in one of the following three ways.

The first method upgrades Agents remotely via the Supervisor; unlike the other two methods, it requires no local access to the Windows Server. However, the Supervisor method requires Supervisor access to FortiGuard Data Services (update.fortinet.net) on port 443.

Upgrade from Supervisor

Navigate to ADMIN > Settings > System > Image Server and follow the instructions in Upgrading Windows Agent from the Online Help.

Note: Upgrade from FortiSIEM Supervisor Install requires FortiSIEM 6.4.0 or later, and FortiSIEM Windows Agent 4.2.0 or later.

Upgrade via Agent Setup GUI

With this option, you will be re-installing the new version on top of the older version using the Agent Setup GUI.

To upgrade through the graphical user interface (GUI), take the following steps.

  1. Log in to your Windows machine as an Administrator.

  2. Ensure that the FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or FSMLogAgent-v4.4.x.exe file is in the same folder.

  3. Double-click the FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or FSMLogAgent-v4.4.x.exe package and the installation process will start.

  4. In the Choose License Type dialog box, select Enterprise or Service Provider, and click Next.
    Note: With Windows Agent 4.4.0 and later, the dialog box is replaced with a License Type drop-down list.

  5. In the Supervisor IP/Name field, enter the Supervisor IP address or hostname.
  6. In the Supervisor Port field, enter the Supervisor port number. The default value is 443.
  7. If applicable, in the Organization Name field, enter the organization name.
    Note: The field will be greyed out if it is not applicable.
  8. If applicable, in the Organization ID field, enter the organization ID.
    Note: The field will be greyed out if it is not applicable.
  9. In the Agent HostName field, enter the agent hostname.
  10. In the Agent Username field, enter the agent username to access the Windows Agent.
    Note: The agent username cannot contain special characters: !#%&/\\:;<>=?[]{}^`|~
  11. In the Agent Password field, enter the password associated with the agent username entered earlier.
    Note: The password must be between 8-64 characters, with at least 1 letter, 1 number and 1 special character (e.g. $*&%).
  12. Check the Verify Host TLS/SSL certificate checkbox if you wish to confirm the Host TLS/SSL certificate.
  13. Click Next to proceed with installation.

    If any settings errors are detected, a dialog box will instruct you on the field that needs to be re-entered. When all fields are valid, the installation will start. After a successful installation, the Agent will register to the Supervisor and start running.
    Note: If the installation returns a pop-up to restart your computer, click Close.

  14. Proceed to Verify Agent Version and Template Associations.

Upgrade via Command Line

With this option, you will be re-installing the new version on top of the older version using command line. The agent configuration parameters are provided in command line arguments.

To upgrade through the command line interface (CLI), take the following steps.

  1. Log in to the Windows machine as an Administrator.

  2. Ensure that the FSMLogAgent-v4.2.x.exe, FSMLogAgent-v4.3.x.exe, or FSMLogAgent-v4.4.x.exe file is in the same folder.

  3. Launch Command Prompt.

  4. Go to the directory where the Installation packages were saved.

  5. Run
    FSMLogAgent.exe SUPERNAME="<Supervisor IP Address or Hostname>" SUPERPORT="<Supervisor port #>" ORGNAME="<Organization name>" ORGID="<Organization ID>" AGENTUSER="<Agent username>" AGENTPASSWORD="<Agent password>" HOSTNAME="<Hostname of the Agent; leave blank to use the default name>" SSLCERT="<Use '1' to verify the Host TLS/SSL certificate; omit this parameter if you do not need to verify the Host TLS/SSL certificate>"

    Example:
    C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost"

    To run in silent mode, add “ /quiet” to the end of the installation command.
    Example:
    C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.2.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" SSLCERT="1" /quiet

    The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.

    For more information on special characters, see Using Special Characters in Password when Registering via CLI.

    For more information on how to install with the ability to stop service, see Installing with the Ability to Stop Agent Service.
    Note: This requires Agent 4.2.3 or later.

  6. Proceed to Verify Agent Version and Template Associations.

Upgrading from Windows Agent 4.0.0 to 4.1.x

Upgrade can be done in one of two ways.

These methods both require you to login to the Windows Server. Once you are on Version 4.2.0 or later, you can upgrade remotely via the Supervisor.

Upgrade via Windows File Explorer

With this option, you will be re-installing the new version on top of the older version using Windows File Explorer.

To upgrade through the graphical user interface (GUI), take the following steps.

  1. Log in to your Windows machine as an administrator.

  2. Ensure that the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe and InstallSettings.xml files are in the same folder.

  3. Double-click the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe package and the installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.

    Note: If the installation returns a pop-up to restart your computer, click Close.

  4. Proceed to Verify Agent Version and Template Associations.

Upgrade via Command Line

With this option, you will be re-installing the new version on top of the older version using command line. The agent configuration parameters are provided in command line arguments.

To upgrade through the command line interface (CLI), take the following steps.

  1. Log in to the Windows machine as an administrator.

  2. Ensure that the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe and InstallSettings.xml files are in the same folder.

  3. Launch Command Prompt.

  4. Go to the directory where the Installation packages were saved.

  5. Run FSMLogAgent-v4.0.x-mmddyyyy.exe or FSMLogAgent-v4.1.x-mmddyyyy.exe with the /norestart option.

    Example: C:\Temp\FSMLogAgent-v4.1.0-03052021.exe /norestart

    The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.

  6. Proceed to Verify Agent Version and Template Associations.

Verify Agent Version and Template Associations

You will need to navigate to CMDB to check the status and version of your Windows agent. Take the following steps.

  1. Log in to FortiSIEM in Super Global mode as an admin user.

  2. Navigate to CMDB > Devices.

  3. In the Search... field, enter your Agent Host name to locate your agent.

  4. Check the Agent Version column for your Agent and confirm that the version is the upgraded version.

  5. Check the Status column to see the Agent status. The status should update to "Running Active" after a few minutes.

  6. Navigate to ADMIN > Setup > Windows Agent.

  7. Under Host To Template Associations, select an existing configuration and confirm it is still defined.

Managing Windows Agent

Agent Service

When the Windows Agent is running, the FSMLogAgent is shown as part of your services on your Windows machine. The ability to Start, Stop, Pause, or Resume this service is disabled. This is intentional, to provide service level protection. An option is available starting with Windows Agent 4.2.3 to stop Windows Agent. See Installing with the Ability to Stop Agent Service.

Auto Restart Service Behavior

In the event of a Windows Agent crash, Windows Agent will automatically restart itself after 60 seconds have passed.

It is possible to terminate the FSMLogAgent process via the Windows Task Manager. This action will cause Windows Agent to restart automatically.

Configuring Windows Servers for FortiSIEM Agents

Configuring Windows Sysmon

The supported Sysmon versions are 5.02 and above. The latest Sysmon download instructions are available here.

  1. Log in to the Windows machine.
  2. Download the popular Sysmon configuration file from https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml.
  3. Save the configuration file as sysmonconfig.xml.
  4. Check whether the Sysmon executable is installed or not by running: Sysmon64.exe -c
    1. If Sysmon is running, update the Sysmon configuration by using the command with administrator rights: sysmon.exe -c sysmonconfig.xml
    2. If Sysmon is not available on the system, download and install using the command with administrator rights: sysmon.exe -accepteula -i sysmonconfig.xml
  5. Check the new configuration using the command: Sysmon64.exe -c
  6. Check for Sysmon events:
    1. Go to EventViewer > Applications and Service Logs > Microsoft > Windows > Sysmon > Operational.
    2. Check for Sysmon logs on the right panel.
    3. Right-click on Operational and choose Properties.
    4. Note the Full Name (typically 'Microsoft-Windows-Sysmon/Operational') for FortiSIEM configuration.
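The following PowerShell script is an added example, not part of the Fortinet page or the FortiSIEM product. It performs the install-or-update decision above in one place, refuses a Sysmon binary below the 5.02 minimum the page states, and returns the Full Name of the Operational channel that has to be entered in the FortiSIEM monitor template. The folder C:\Tools\Sysmon and the config path are assumptions; run it as Administrator.

```powershell
# Added example (not from the Fortinet page): install or update Sysmon with a config
# file and return the channel name FortiSIEM needs. Run as Administrator.
# Assumed paths: Sysmon binaries unpacked in C:\Tools\Sysmon, config saved beside them.
function Install-OrUpdateSysmon {
    param(
        [string]$SysmonDir  = 'C:\Tools\Sysmon',
        [string]$ConfigPath = 'C:\Tools\Sysmon\sysmonconfig.xml',
        [version]$MinVersion = '5.02'   # minimum supported by the agent per the page
    )
    # Use the 64-bit binary on 64-bit Windows; the service it installs is named Sysmon64 there.
    $exe     = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' }
    $exePath = Join-Path $SysmonDir $exe
    if (-not (Test-Path $exePath))    { throw "Sysmon binary not found at $exePath" }
    if (-not (Test-Path $ConfigPath)) { throw "Sysmon config not found at $ConfigPath" }

    $ver = [version](Get-Item $exePath).VersionInfo.ProductVersion
    if ($ver -lt $MinVersion) { throw "Sysmon $ver is below the supported minimum $MinVersion" }

    # Sanity-check the config before pushing it: it must parse as XML with a <Sysmon> root.
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    if ($cfg.DocumentElement.Name -ne 'Sysmon') { throw 'Config root element is not <Sysmon>' }

    $svcName = $exe -replace '\.exe$', ''
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc) {
        & $exePath -c $ConfigPath                 # already installed: update the configuration
    } else {
        & $exePath -accepteula -i $ConfigPath     # not installed: install driver + service
    }
    if ($LASTEXITCODE -ne 0) { throw "$exe exited with code $LASTEXITCODE" }

    & $exePath -c                                 # dump the configuration now in force
    # Full channel name to enter in FortiSIEM (Type = Other in the monitor template).
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational'
    [pscustomobject]@{
        SysmonVersion = $ver
        Channel       = $log.LogName     # Microsoft-Windows-Sysmon/Operational
        Enabled       = $log.IsEnabled
        RecordCount   = $log.RecordCount
        FreshInstall  = (-not $svc)
    }
}

Install-OrUpdateSysmon | Format-List
```

RecordCount climbing after a minute of normal activity is the practical confirmation that the driver is loaded and the configuration is producing events; an Enabled channel with a static count usually means the configuration filters everything out.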

Configuring Windows DNS

Follow the steps below to configure the DNS server:

  1. Log in to the Windows machine.
  2. Configure DNS logging:
    1. Launch DNS Manager.
    2. Select the specific DNS Server and click Properties.
    3. On Debug Logging tab, enable Log packets for debugging.
    4. Specify the log file name and path, for example C:\DNSLogs.log.

  3. Check for DNS logs. If logs are present, FortiSIEM Agent will automatically collect these logs.
    1. Go to EventViewer > Applications and Service Logs > DNS Server.
    2. Check for DNS logs on the right panel.

Configuring Windows DHCP

Follow the steps below to configure the DHCP server:

  1. Log in to the Windows machine.
  2. Configure DHCP logging:
    1. Launch DHCP Manager.
    2. Select the specific DHCP Server and click IPv4 > Properties.
    3. Enable DHCP Audit Logging.
  3. Check for DHCP events. If logs are present, FortiSIEM Agent will automatically collect these logs:
    1. Go to EventViewer > Applications and Service Logs > Microsoft > Windows > DHCP Server.
    2. Check for DHCP logs on the right panel.

Configuring Windows IIS

Follow these steps to configure the IIS Server:

  1. Log in to the Windows machine.
  2. Configure IIS logging:
    1. Launch IIS Manager.
      • From the Start menu, click Programs or All Programs, and point to Administrative Tools.
      • On Administrative Tools, Click Internet Information Services (IIS) Manager.
    2. Select the specific IIS Server and click the Logging icon on the panel on the right side.

    3. Confirm the log directory (the default is %SystemDrive%\inetpub\logs\LogFiles) or specify one if the default does not exist.

  3. Check for IIS events. If logs are present, FortiSIEM Agent will automatically collect these logs:
    1. Go to IIS logs default path, example: C:\inetpub\logs\LogFiles\.
    2. Check for IIS traffic logs.
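The PowerShell below is an added example, not from the Fortinet page. It gives the cmdlet equivalents of the DNS and DHCP logging steps above and then checks that each source (event channels and log files) is actually being written to before the agent is expected to collect it. C:\DNSLogs.log and the IIS log root are the page's defaults; the list of channels to inspect is an assumption you can extend. Run it as Administrator on the server being configured.

```powershell
# Added example (not from the Fortinet page): enable DNS/DHCP logging via cmdlets and
# verify that each log source has recent data. Run as Administrator.
function Enable-FsmServerLogs {
    param([string]$DnsLogPath = 'C:\DNSLogs.log')
    # DNS Manager > Properties > Debug Logging > "Log packets for debugging" (DnsServer module).
    # Packet logging is verbose; bound the file with -MaxMBFileSize on small disks.
    Set-DnsServerDiagnostics -EnableLoggingToFile $true -LogFilePath $DnsLogPath `
        -Queries $true -Answers $true -Send $true -Receive $true -UdpPackets $true -TcpPackets $true
    # DHCP Manager > IPv4 > Properties > "Enable DHCP audit logging" (DhcpServer module).
    Set-DhcpServerAuditLog -Enable $true
}

function Test-FsmServerLogs {
    param(
        # Wildcards avoid hard-coding the exact DHCP channel names; extend as needed.
        [string[]]$Channels   = @('DNS Server', 'Microsoft-Windows-Dhcp-Server*', 'Microsoft-Windows-Sysmon/Operational'),
        [string]$DnsLogPath   = 'C:\DNSLogs.log',
        [string]$IisLogRoot   = "$env:SystemDrive\inetpub\logs\LogFiles"
    )
    # Event channels: enabled flag, record count and last write time tell you if they are live.
    $channels = Get-WinEvent -ListLog $Channels -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = $_.LogName; Enabled = $_.IsEnabled; RecordsOrBytes = $_.RecordCount; LastWrite = $_.LastWriteTime }
    }
    # File-based sources (DNS debug log, IIS W3C logs): report the newest file under each path.
    $files = foreach ($p in @($DnsLogPath, $IisLogRoot)) {
        $newest = Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Source         = $p
            Enabled        = [bool]$newest
            RecordsOrBytes = $(if ($newest) { $newest.Length } else { 0 })
            LastWrite      = $(if ($newest) { $newest.LastWriteTime } else { $null })
        }
    }
    @($channels) + @($files)
}

Enable-FsmServerLogs
Test-FsmServerLogs | Format-Table -AutoSize
```

A source whose LastWrite is older than a few minutes on a busy server is not producing data, and the agent cannot collect what is not written; fix that before looking at FortiSIEM.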

Configuring DNS Analytical Logs

Microsoft recommends that customers enable DNS Analytical logs only to debug DNS traffic or to troubleshoot DNS server issues. Enabling DNS Analytical logs can cause system performance issues (see Microsoft Logging and Diagnostics).

If the DNS server is running Windows Server 2012 R2, download the hotfix from http://support.microsoft.com/kb/2956577

You can find more information on this topic in Enable Analytic and Debug Logs in the Microsoft User Guide.

Follow these steps to configure FortiSIEM Windows Agent to collect DNS Analytical logs:

  1. Enter eventvwr.msc at an elevated command prompt and press Enter to open the Event Viewer.
  2. In the Event Viewer, navigate to Applications and Services Logs\Microsoft\Windows\DNS-Server.
  3. Right-click DNS-Server, point to View, and click Show Analytic and Debug Logs. The Analytical log is displayed.
  4. Right-click Analytical and then click Properties.
  5. Under When maximum event log size is reached, choose Do not overwrite events (Clear logs manually).
  6. Select the Enable logging checkbox.
  7. Click OK when you are asked whether you want to enable this log.

  8. Click OK again to enable the DNS Server Analytic event log.
  9. Note the Full Name value shown in the log's Properties dialog: Microsoft-Windows-DNSServer/Analytical. This name must be entered in FortiSIEM.

Configuring Generic Binary Logs

Analytic and Debug logs are disabled by default, because these logs can quickly fill the disk with a large number of entries.

For this reason, you will probably want to turn them on for a specified period to gather some troubleshooting data and then turn them off again.

Follow these steps to configure FortiSIEM Windows Agent to collect Generic Binary logs:

  1. Enter eventvwr.msc at an elevated command prompt and press Enter to open the Event Viewer.
  2. In the Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows >, then select an Application that needs to capture Analytic/Debug logs.
  3. Right-click Application, point to View, and click Show Analytic and Debug Logs. The Analytic/Debug/Diagnostic log is displayed.
  4. Right-click Analytic/Debug/Diagnostic and then click Properties.
  5. Under When maximum event log size is reached, choose Do not overwrite events (Clear logs manually).
  6. Select the Enable logging checkbox, and click OK when you are asked whether you want to enable this log (the PowerShell Debug log is used as the example here).

  7. Click OK again to enable the application's Analytic/Debug/Diagnostic event log.
  8. Note the Full Name shown in the log's Properties dialog, for example Microsoft-Windows-PowerShell/Debug. This name must be entered in FortiSIEM.
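The following PowerShell is an added example, not from the Fortinet page, and serves both the DNS Analytical procedure and the Generic Binary Logs procedure above: it applies the same two Event Viewer changes (retention set to "Do not overwrite", then logging enabled) to any channel name through the .NET EventLogConfiguration class, and provides the matching disable function so the log can be turned off again after the troubleshooting window, as the page advises. The 100 MB size cap is an assumption; run it as Administrator.

```powershell
# Added example (not from the Fortinet page): enable/disable an Analytic or Debug
# channel the way the Event Viewer steps do, and return the Full Name for FortiSIEM.
function Enable-AnalyticLog {
    param(
        [Parameter(Mandatory)][string]$LogName,   # e.g. 'Microsoft-Windows-DNSServer/Analytical'
        [long]$MaxSizeBytes = 100MB               # assumption; size to your disk
    )
    $log = [System.Diagnostics.Eventing.Reader.EventLogConfiguration]::new($LogName)
    if ($log.LogType -notin 'Analytical', 'Debug') {
        Write-Warning "$LogName is a $($log.LogType) log; the retention change below is only required for Analytic/Debug logs."
    }
    # "Do not overwrite events (Clear logs manually)" is the Retain mode. The Event Viewer
    # steps set it before enabling the log; do the same here, saving in two steps.
    $log.LogMode            = [System.Diagnostics.Eventing.Reader.EventLogMode]::Retain
    $log.MaximumSizeInBytes = $MaxSizeBytes
    $log.SaveChanges()
    $log.IsEnabled = $true
    $log.SaveChanges()
    [pscustomobject]@{
        FullName = $log.LogName       # value to enter in the FortiSIEM template
        Type     = $log.LogType
        Mode     = $log.LogMode
        Enabled  = $log.IsEnabled
        MaxBytes = $log.MaximumSizeInBytes
    }
}

function Disable-AnalyticLog {
    # Turn the channel off again once the troubleshooting window is over.
    param([Parameter(Mandatory)][string]$LogName)
    $log = [System.Diagnostics.Eventing.Reader.EventLogConfiguration]::new($LogName)
    $log.IsEnabled = $false
    $log.SaveChanges()
    [pscustomobject]@{ FullName = $log.LogName; Enabled = $log.IsEnabled }
}

Enable-AnalyticLog -LogName 'Microsoft-Windows-DNSServer/Analytical'
Enable-AnalyticLog -LogName 'Microsoft-Windows-PowerShell/Debug'
# ...collect what you need, then:
Disable-AnalyticLog -LogName 'Microsoft-Windows-PowerShell/Debug'
```

Because Retain mode stops writing when the log is full rather than overwriting, the size cap decides how long the capture lasts; clear the log (wevtutil cl <FullName>) or disable it rather than leaving it full and silent.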

Configuring Windows Event Forwarding

Using Windows Event Forwarding, it is possible for Windows Servers (called Event Source Computers) to forward events to a central Windows Server where FortiSIEM Windows Agent (called Event Collector Computer) is running. The Agent can then send to FortiSIEM Collector, Worker, and Supervisor nodes. This is an alternative to running FortiSIEM Agent on every Windows Server. The disadvantage of this approach is that only Windows (Security, application, and system) events can be collected in this way, while FortiSIEM native Agent can collect other information such as FIM, Custom log, Sysmon, etc. FortiSIEM can parse the forwarded Windows events so that the actual reporting Windows server is captured and all the attributes are parsed as sent by native agents.

Configuring Locale on Windows Servers

Configure Locale on Windows 10

To set the locale of the Event Collector computer (the Windows server running the FortiSIEM Windows Agent that receives forwarded events) to en-US:

  1. Go to the Windows Settings page.
  2. Go to Time And Language, and choose the Language option.
  3. Change the Windows Display Language to English (United States).
  4. Select the Region option on the left.
  5. Choose the option Additional Date, time & regional settings on the right side of the page.

  6. Choose the option Region and open the Administrative tab.
  7. Click the Change system locale... button and change the locale to English (United States) in the provided dialog box. Click OK.
  8. In the Administrative tab, click the Copy Settings... button.
  9. In that property page tab, select both check boxes: Welcome screen and system accounts and New user accounts. Click OK.

  10. Restart your computer.

Configure Locale on Generic Servers

  1. Go to the Control Panel.
  2. Choose the Language option.
  3. Select the language English (United States) and move it to top of the list.
  4. Select the option Change date, time, or number formats on the left side of the page.

  5. In this property page tab, select the Location tab and choose the Home Location as United States. Click Apply.

  6. Select the Administrative tab.
  7. Click Change system locale.... Change the locale to English (United States) in the provided dialog. Click OK.

  8. In the Administrative tab, click Copy Settings....
  9. In this property page tab, select both check boxes: Welcome screen and system accounts and New user accounts. Click OK.

  10. Restart your computer.
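The PowerShell below is an added example, not from the Fortinet page. It covers both locale procedures above with the International module cmdlets (Windows 8 / Server 2012 and later) and adds the check a practitioner wants: that the host's system locale matches the Locale element of the subscription XML used later under Configuring Source-Initiated Subscription, since that element must agree with the collector's locale. The "Copy settings" step for the welcome screen and new accounts has no cmdlet and is still done in the GUI; the XML path is an assumption.

```powershell
# Added example (not from the Fortinet page): set the collector locale via cmdlets and
# verify it matches the <Locale Language="..."/> in the subscription XML.
function Set-FsmCollectorLocale {
    param([string]$Locale = 'en-US', [int]$GeoId = 244)   # 244 = United States
    Set-WinSystemLocale -SystemLocale $Locale     # Administrative tab > Change system locale...
    Set-Culture -CultureInfo $Locale              # Date, time and number formats
    Set-WinHomeLocation -GeoId $GeoId             # Location tab > Home location
    Set-WinUILanguageOverride -Language $Locale   # Display language for the current account
    Write-Warning 'The system locale change takes effect only after a restart.'
}

function Test-FsmSubscriptionLocale {
    param([Parameter(Mandatory)][string]$SubscriptionXml)
    [xml]$cfg = Get-Content -Path $SubscriptionXml -Raw
    $wanted = $cfg.Subscription.Locale.Language        # e.g. en-US
    $have   = (Get-WinSystemLocale).Name
    if ($wanted -ne $have) {
        Write-Warning "Subscription locale '$wanted' does not match system locale '$have'; fix one of them before creating the subscription."
    }
    return ($wanted -eq $have)
}

Set-FsmCollectorLocale -Locale 'en-US'
Test-FsmSubscriptionLocale -SubscriptionXml 'C:\WEF\Configuration.xml'   # path is an assumption
```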

Configuring Source-Initiated Subscription

Configure the Event Collector Computer

You must complete the following steps on the Event Collector computer where the FSM Agent is installed:

  1. Open a command prompt with elevated privileges (for example, Run as Administrator) and run this command to configure the Windows Remote Management (WinRM) service:

    winrm qc -q

  2. Run this command to configure the Windows Event Collector service:

    wecutil qc /q

  3. Copy and save the following XML in a file (Configuration.xml) and edit the values to suit your environment.

    The AllowedSourceDomainComputers SDDL grants the Domain Computers group (DC) and the Network Service account (NS) the right to forward events to this subscription. The Locale element must match the Collector computer's system locale (see Configuring Locale on Windows Servers). Expires is a fixed date: set it in the future or remove the element, because an expired subscription is created but never delivers events.

    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
      <SubscriptionId>FwdSubscription</SubscriptionId>
      <SubscriptionType>SourceInitiated</SubscriptionType>
      <Description>Source Initiated Subscription</Description>
      <Enabled>true</Enabled>
      <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
      <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
      <ConfigurationMode>Custom</ConfigurationMode>
      <Delivery Mode="Push">
        <Batching>
          <MaxItems>1</MaxItems>
          <MaxLatencyTime>1000</MaxLatencyTime>
        </Batching>
        <PushSettings>
          <Heartbeat Interval="30000" />
        </PushSettings>
      </Delivery>
      <!-- Must be a future date, or remove this element entirely -->
      <Expires>2025-01-01T00:00:00.000Z</Expires>
      <Query>
        <![CDATA[
        <QueryList>
          <Query Path="Security">
            <Select>*</Select>
          </Query>
        </QueryList>]]>
      </Query>
      <ReadExistingEvents>true</ReadExistingEvents>
      <TransportName>http</TransportName>
      <ContentFormat>RenderedText</ContentFormat>
      <Locale Language="en-US" />
      <LogFile>ForwardedEvents</LogFile>
      <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
      <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
    </Subscription>

  4. From the Command Prompt, enter the following command to create the subscription according to the specified XML configuration file:

    wecutil cs Configuration.xml

  5. From the Command Prompt, enter the following command to add an inbound and outbound exception in the firewall for port 5985 (http):

    netsh advfirewall firewall add rule name="Winrm HTTP Remote Management" protocol=TCP dir=in localport=5985 action=allow

    netsh advfirewall firewall add rule name="Winrm HTTP Remote Management" protocol=TCP dir=out remoteport=5985 action=allow

Configure the Event Source Computer

You must complete these steps on the Event Source computer.

  1. Open a Command Prompt with elevated privileges (for example, Run as Administrator) and run the following commands:

    net localgroup "Event log readers" "NT Authority\Network Service" /add

    net localgroup "Event log readers" "Domain Computers" /add

    winrm qc -q

  2. From the command prompt, enter the following commands to add inbound and outbound firewall exceptions for port 5985 (http):

    netsh advfirewall firewall add rule name="Winrm HTTP Remote Management" protocol=TCP dir=in localport=5985 action=allow
    netsh advfirewall firewall add rule name="Winrm HTTP Remote Management" protocol=TCP dir=out remoteport=5985 action=allow

Configure the Domain Controller or Source Computer

The following policy changes must be performed on the Domain Controller (for domain environments) or Source Computers (for non-domain environments).

  1. Run the local group policy editor (for non-domain environments) or the domain group policy editor (for domain environments).
  2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Event Forwarding.

  3. Open Configure target Subscription Manager.

  4. Choose the Enabled option.
  5. Click the Show... button beside SubscriptionManagers.
  6. Add the value Server=http://<Collector FQDN>:5985/wsman/SubscriptionManager/WEC to the list and click OK.

  7. In the Configure target Subscription Manager dialog box, click Apply and then OK.
  8. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service.

  9. Open Turn On Compatibility HTTP Listener.
  10. Choose the option Enabled.

  11. Click Apply and then OK.
  12. Close the group policy editor.
  13. Start the Command Prompt in admin mode and run the following command:

    gpupdate /force
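The PowerShell below is an added example, not from the Fortinet page or FortiSIEM. It scripts the three procedures above: the Event Collector computer (winrm/wecutil quick-config, subscription creation, firewall rules), the Event Source computer (Event Log Readers membership, WinRM, firewall), and the registry-backed form of the two Group Policy settings for a host that does not receive them from a domain GPO. It also checks the subscription's Expires date before creating it, since the page's XML carries a fixed date. Configuration.xml is the XML from the page saved at C:\WEF\Configuration.xml, and wec01.example.local is a placeholder collector FQDN; both are assumptions. Run as Administrator.

```powershell
# Added example (not from the Fortinet page): collector-side and source-side setup for
# the source-initiated subscription described above. Run as Administrator.
function Add-WinRmHttpFirewallRules {
    # Same two exceptions as the netsh commands on the page (TCP 5985 in and out).
    $rules = @(
        @{ Name = 'WinRM HTTP Remote Management (in)';  Dir = 'Inbound';  Port = @{ LocalPort = 5985 } },
        @{ Name = 'WinRM HTTP Remote Management (out)'; Dir = 'Outbound'; Port = @{ RemotePort = 5985 } }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            $port = $r.Port
            New-NetFirewallRule -DisplayName $r.Name -Direction $r.Dir -Protocol TCP -Action Allow @port | Out-Null
        }
    }
}

function Initialize-WefCollector {
    # Event Collector computer: the host running the FortiSIEM Windows Agent.
    param([string]$SubscriptionXml = 'C:\WEF\Configuration.xml')
    winrm quickconfig -quiet
    wecutil quick-config /quiet
    [xml]$cfg = Get-Content -Path $SubscriptionXml -Raw
    $id = $cfg.Subscription.SubscriptionId
    # An expired subscription is created without error but never delivers; refuse it up front.
    $expires = $cfg.Subscription.Expires
    if ($expires -and ([datetime]$expires) -lt (Get-Date)) {
        throw "Subscription '$id' expired on $expires; update or remove <Expires> before creating it."
    }
    wecutil create-subscription $SubscriptionXml
    if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }
    Add-WinRmHttpFirewallRules
    # Runtime status lists every source that has checked in and its last heartbeat.
    wecutil get-subscriptionruntimestatus $id
}

function Initialize-WefSource {
    # Event Source computer: a server whose Security log is forwarded to the collector.
    param([Parameter(Mandatory)][string]$CollectorFqdn, [switch]$ApplyLocalPolicy)
    # The WinRM service runs as Network Service; this membership lets it read the Security log.
    net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
    net localgroup "Event Log Readers" "Domain Computers" /add
    winrm quickconfig -quiet
    Add-WinRmHttpFirewallRules
    if ($ApplyLocalPolicy) {
        # Registry values behind "Configure target Subscription Manager" and
        # "Turn On Compatibility HTTP Listener" for a host not covered by a domain GPO.
        $sm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
        New-Item -Path $sm -Force | Out-Null
        New-ItemProperty -Path $sm -Name '1' -PropertyType String -Force `
            -Value "Server=http://${CollectorFqdn}:5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null
        $svc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
        New-Item -Path $svc -Force | Out-Null
        New-ItemProperty -Path $svc -Name 'HttpCompatibilityListener' -PropertyType DWord -Value 1 -Force | Out-Null
        gpupdate /force
    }
}

# On the collector:
Initialize-WefCollector -SubscriptionXml 'C:\WEF\Configuration.xml'
# On each source (add -ApplyLocalPolicy only where a domain GPO does not deliver the settings):
Initialize-WefSource -CollectorFqdn 'wec01.example.local' -ApplyLocalPolicy
```

Two points worth keeping in mind with this design. The page's subscription uses the HTTP transport on 5985; for domain members WinRM's Kerberos/Negotiate authentication still encrypts the SOAP body, but a workgroup source is a different case: the page's XML leaves AllowedSourceNonDomainComputers empty, so such a host is not accepted by the collector until that element is populated with certificate criteria and an HTTPS listener is configured. And membership in Event Log Readers controls what the source's WinRM service may read, while the SDDL in AllowedSourceDomainComputers controls who may push to the collector; both have to be right, and wecutil get-subscriptionruntimestatus is where a source that satisfies only one of them shows up as failing.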

Configuring Auditing Policies

The following policy changes must be performed on the Domain Controller (for domain environments) or Source Computers (for non-domain environments).

Configure Security Audit Logging Policy

Configure this policy to control Windows logging. Because Windows generates many security logs, specify the categories of events that you want to be logged and available for monitoring by FortiSIEM.

  1. Log in to the machine where you want to configure the policy as an administrator.
  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand Local Policies and select Audit Policy.
    You will see the current security audit settings.
  4. Select a policy and edit the Local Security Settings for the events you want to be audited. The recommended settings are:

     • Audit account logon events and Audit logon events: for auditing logon activity. Select Success and Failure.
     • Audit object access events: for auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, Configure File Auditing Policy. Select Success and Failure.
     • Audit system events: includes system up/down messages.

  5. For an Enterprise Server's Domain Group Policy, make sure you set the following under Group Policy > Local Policies > Audit Policy:

    Policy = Audit object access

    Security Setting = Success or Failure

Configure File Auditing Policy

Configure this policy to see user meta data in file auditing events.

  1. Log in to the machine where you want to set the policy with administrator privileges.
    On a domain computer, a Domain administrator account is needed.
  2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties. By default, the General tab will be shown. Select the Security tab to continue.
  3. In the Security tab, click Advanced.

  4. Select the Auditing tab, and click Add, then click Select a principal.
    This button is labeled Edit in Windows 2008.

  5. In the Select User or Group dialog, click Advanced, and find and select the users or groups whose access to this file you want to monitor. If you want to audit all users' access to the audited folder, select Everyone.

  6. Click OK after adding the users.
  7. In the Permissions tab, set the permissions for each user added.

    The configuration is now complete. Windows will generate audit events when the users or groups you specified take the actions specified on the files or folders for which you set the audit policies.

Configure Audit File System Policy

Configure this policy to enable change events for permission and/or ownership changes to files and/or directories. The policy will also upload the monitored files to FortiSIEM. This feature is available in FortiSIEM Windows Agent 5.x.x.

Complete these steps to enable Audit File System policy:

  1. Log in, with administrator privileges, to the machine where you want to set the policy.

    On a domain computer, you must have a Domain administrator account.

  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand the Advanced Audit Policy Configuration node.
  4. Expand System Audit Policies-Local Group Policy Object node.

    You will see the current security audit settings.

  5. Select Object Access.
  6. Select Audit File System on the left side of the window.
  7. Double-click Audit File System. In the pop-up window, select both Success and Failure under Configure the following audit events.
  8. Click Apply, then OK.

The Audit File System Policy is now enabled. Reboot your system to apply the changes.

Disable Audit Token Right Adjusted Success Events

Microsoft recommends disabling Success auditing for Audit Token Right Adjusted.

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703#security-monitoring-recommendations.

With Success auditing enabled for Audit Token Right Adjusted (Detailed Tracking), more than 800 event 4703 records can be generated per second, and this volume degrades system performance.

Complete these steps to disable Success auditing for Audit Token Right Adjusted.

  1. Log in, with administrator privileges, to the machine where you want to set the policy.

    On a domain computer, you must have a Domain administrator account.

  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Detailed Tracking.
  4. Go to the Detailed Tracking subcategory, and select Audit Token Right Adjusted.
  5. Double click Audit Token Right Adjusted, select the Configure the following audit events: checkbox.
  6. Clear the Success checkbox.
  7. Click Apply.
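The PowerShell below is an added example, not from the Fortinet page. It serves the four procedures above at once: the advanced-audit-policy (auditpol) equivalents of the security audit logging settings, the Audit File System subcategory, the Success-off setting for Token Right Adjusted, and a SACL function that does what the Properties > Security > Advanced > Auditing dialog does for a file or folder. Advanced audit policy overrides the legacy Audit Policy categories once subcategory enforcement is on (the default since Windows Vista), so the script works at that level. On domain members Group Policy will overwrite local settings at the next refresh, so make the same change in the domain policy. The audited folder path is a placeholder; run as Administrator.

```powershell
# Added example (not from the Fortinet page): auditpol and SACL equivalents of the
# audit-policy procedures above. Run as Administrator.
function Set-FsmAuditPolicy {
    $settings = @(
        @{ Scope = 'category';    Name = 'Account Logon';        Args = @('/success:enable', '/failure:enable') },
        @{ Scope = 'category';    Name = 'Logon/Logoff';         Args = @('/success:enable', '/failure:enable') },
        @{ Scope = 'category';    Name = 'System';               Args = @('/success:enable', '/failure:enable') },
        @{ Scope = 'subcategory'; Name = 'File System';          Args = @('/success:enable', '/failure:enable') },
        # Event 4703 arrives hundreds of times per second with Success on; keep it off.
        @{ Scope = 'subcategory'; Name = 'Token Right Adjusted'; Args = @('/success:disable') }
    )
    foreach ($s in $settings) {
        $target = "/$($s.Scope):$($s.Name)"
        auditpol /set $target $s.Args | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$($s.Name)' (exit $LASTEXITCODE)" }
    }
    # Show the two subcategories the page is most specific about.
    auditpol /get /subcategory:"File System"
    auditpol /get /subcategory:"Token Right Adjusted"
}

function Add-FsmFileAuditRule {
    # Equivalent of Properties > Security > Advanced > Auditing > Add in Explorer.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Principal = 'Everyone',
        # Rights that correspond to change, delete, permission and ownership events.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Write,Delete,ChangePermissions,TakeOwnership'
    )
    $isDir = Test-Path -Path $Path -PathType Container
    # Files cannot carry inheritance flags; folders propagate to subfolders and files.
    $inherit = if ($isDir) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Principal,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success,Failure')
    $acl = Get-Acl -Path $Path -Audit          # -Audit is required to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path -Audit).Audit          # resulting audit entries on the object
}

Set-FsmAuditPolicy
Add-FsmFileAuditRule -Path 'C:\Finance\Reports' -Principal 'Everyone'   # placeholder folder
```

The SACL and the Audit File System subcategory are both required: the subcategory decides whether Windows evaluates file-system SACLs at all, and the SACL decides which objects, principals and access types produce events. Auditing Everyone on a busy share generates heavy volume, so start with the rights above rather than FullControl.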

Configuring Print Log

FortiSIEM can collect the Windows print log through the Windows Agent. To configure it, take the following steps.

Enabling Logging Print Log after WMI Configuration

After WMI Configuration is completed (See External Systems Configuration Guide Microsoft Windows Server), enable logging print log by taking the following steps.

  1. Open the Event Viewer window and navigate to Applications and Services Logs > Microsoft > Windows > PrintService.
  2. Click Operational.
  3. Right click, and select Properties.
  4. Add a checkmark to the Enable logging checkbox.
  5. Click Apply.
  6. Click OK.

    Print activity is now recorded in Applications and Services Logs > Microsoft > Windows > PrintService > Operational.

Setup in FortiSIEM

Take the following steps to access print logs in FortiSIEM.

  1. Log on to your Windows Server, open Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > PrintService, right-click Operational and select Properties.
  2. Copy the Full Name from the log properties (Microsoft-Windows-PrintService/Operational).
  3. Log in to FortiSIEM in Super Global mode.
  4. Navigate to ADMIN > Setup > Windows Agent.
  5. Under Windows Agent Monitor Templates, click New to create a Monitor Template.
  6. In the Name field, enter a name for the template.
  7. Click the Event tab.
  8. In the Event Log row, click on New.
  9. In the Type drop-down list, select Other.
  10. In the Event Name field, enter/paste the full name from step 2.
  11. Click < Save.
  12. Click Save.
  13. Under Host to Template Associations, create a host to template association by clicking New.
  14. In the Name field, enter a name.
  15. Choose an organization.
  16. Select the monitor template you created through steps 5-12.
  17. Select a collector.
  18. Click Save.
  19. Click Apply.

FortiSIEM now automatically parses events received via WMI or FortiSIEM Windows Agent.

Configuring Windows Agent for Terminal Services

Take the following steps to configure audit log collection in Windows Agent for terminal services.

  1. Log in to FortiSIEM in Super Global mode.
  2. Navigate to ADMIN > Setup > Windows Agent.
  3. Under Windows Agent Monitor Templates, click New to create a Monitor Template.
  4. In the Name field, enter a name for the template.
  5. Click the Event tab.
  6. Select the File Log: DHCP checkbox.
  7. In the Event Log row, click on New.
  8. Take the following steps:
    1. In the Type drop-down list, select Security.
    2. For the Include Event field, leave as ALL.
    3. For the Exclude Event field, leave as NONE.
    4. Click < Save.
  9. In the Event Log row, click on New.
  10. Take the following steps:
    1. In the Type drop-down list, select Application.
    2. In the Source drop-down list, select All.
    3. For the Include Event field, leave as ALL.
    4. For the Exclude Event field, leave as NONE.
    5. Click < Save.
  11. In the Event Log row, click on New.
  12. Take the following steps:
    1. In the Type drop-down list, select Other.
    2. In the Event Name field, enter "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational".
    3. For the Include Event field, leave as ALL.
    4. For the Exclude Event field, leave as NONE.
    5. Click < Save.
  13. In the Event Log row, click on New.
  14. Take the following steps:
    1. In the Type drop-down list, select Other.
    2. In the Event Name field, enter "Microsoft-Windows-TerminalServices-RDPClient/Operational".
    3. For the Include Event field, leave as ALL.
    4. For the Exclude Event field, leave as NONE.
    5. Click < Save.
  15. In the Event Log row, click on New.
  16. Take the following steps:
    1. In the Type drop-down list, select Other.
    2. In the Event Name field, enter "Microsoft-Windows-TerminalServices-Gateway/Operational".
    3. For the Include Event field, leave as ALL.
    4. For the Exclude Event field, leave as NONE.
    5. Click < Save.
  17. Click Save.
  18. Under Host to Template Associations, create a host to template association by clicking New.
  19. In the Name field, enter a name.
  20. Choose an organization.
  21. Select the monitor template you created from step 3.
  22. Select collector(s).
  23. Click Save.
  24. Click Apply.

Enabling FIPS

Follow the steps below to enable FIPS mode on a Windows system:

  1. Click Start > Run and enter secpol.msc to open the Local Security Policy window.
  2. Select Security Settings > Local Policies > Security Options.
  3. In the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing and select Enabled.
  4. Click Apply and then OK.

This setting is system-wide: once it is enabled, .NET Framework applications on the host refuse to instantiate algorithm implementations that are not FIPS-validated, so verify that the applications on the server, including the Agent, still run before rolling it out broadly.

Configuring Monitoring Policies in FortiSIEM

After you have configured Windows Servers in the previous step (Configuring Windows Servers for FortiSIEM Agents), you must create monitoring policies in FortiSIEM. For more information, see Define the Windows Agent Monitor Templates and Associate Windows Agents to Templates in the FortiSIEM User's Guide.

Verifying Events in FortiSIEM

Follow the steps below to verify the events in FortiSIEM:

    1. Go to the ANALYTICS tab.
    2. Click the Filters field.
    3. Create the following condition: Attribute= Raw Event Log, Operator = CONTAIN, Value = AccelOps-WUA and click Save & Run.
      Note: All event types for all Windows Server generated logs are prefixed by AccelOps-WUA.
    4. Select the following Group By:
      1. Reporting Device Name
      2. Reporting IP
    5. Select the following Display Fields:
      1. Reporting Device Name
      2. Reporting IP
      3. COUNT(Matched Events)
    6. Run the query for the last 15 minutes.
      The Query will return all hosts that reported events in the last 15 minutes.

Uninstalling Windows Agent

To uninstall FortiSIEM Windows Agent, run the FortiSIEM Installer. When prompted, click Uninstall.

REST APIs used for Communication

A Windows Agent uses the following REST APIs:

Purpose                       URL                                                               Notes
Registration to Supervisor    https://<SuperFQDN>:<port>/phoenix/rest/register/windowsAgent     Supported port is 443
Status update to Supervisor   https://<SuperFQDN>:<port>/phoenix/rest/windowsAgent/update       Supported port is 443
Event upload to Collectors    https://<CollectorFQDNorIP>:<port>/winupload_direct?<AgentID>     Supported port is 443
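All three endpoints are outbound HTTPS on 443, so the first thing to rule out when an agent fails to register or upload is the path to them. The PowerShell below is an added example, not from the Fortinet page: it opens a TCP connection to each host on 443, completes a TLS handshake, and reports the negotiated protocol and the certificate presented, including whether that certificate chains to a trusted root on the agent host. The hostnames are placeholders.

```powershell
# Added example (not from the Fortinet page): reachability and TLS check for the
# Supervisor and Collector endpoints the agent uses. Hostnames below are placeholders.
function Test-FsmEndpoint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate for the handshake so we can inspect what was presented;
        # trust is evaluated separately below with Verify().
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Port       = $Port
            Reachable  = $true
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            ChainValid = $cert.Verify()     # false for self-signed or untrusted-CA certificates
            Error      = $null
        }
        $ssl.Dispose()
    } catch {
        [pscustomobject]@{
            Host = $HostName; Port = $Port; Reachable = $false; Protocol = $null; Subject = $null
            Issuer = $null; NotAfter = $null; ChainValid = $false; Error = $_.Exception.Message
        }
    } finally {
        $tcp.Dispose()
    }
}

'super.example.local', 'collector1.example.local' |
    ForEach-Object { Test-FsmEndpoint -HostName $_ } |
    Format-Table Host, Reachable, Protocol, Subject, NotAfter, ChainValid, Error -AutoSize
```

Reachable = false points at DNS, routing or a firewall; Reachable = true with ChainValid = false means the Supervisor or Collector is presenting a certificate the agent host does not trust, which is the case to investigate when registration fails even though the port is open.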

Troubleshooting from Windows Agent

Follow the troubleshooting steps for your version of Windows Agent.

Windows Agent 4.3.x and later

In Windows Agent 4.3.x and later, edit the following:

  • In C:\Program Files\Fortinet\FortiSIEM\log4net.config

    • Replace <LogLevel>ERROR</LogLevel> with <LogLevel>DEBUG</LogLevel>.

  • In C:\Program Files\Fortinet\FortiSIEM\fins.xml

    • Replace <LogLevel>4</LogLevel> with <LogLevel>1</LogLevel>.

  • In the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiSIEM

    • Change the value LogLevel from 1 to 2.

These changes take effect immediately. Allow logs to be collected for at least 5 minutes, then revert the changes to their original values; debug logging is verbose and should not be left on.

The debugging information is available in the following log files:

  • Agent Service logs: C:\ProgramData\FortiSIEM\Agent\Logs\FSMLogAgent.log

  • Agent Application logs: C:\ProgramData\FortiSIEM\Agent\Logs\Trace.log

  • Other Agent Application logs: C:\Program Files\Fortinet\FortiSIEM\logs\cms.log
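The PowerShell below is an added example, not from the Fortinet page or FortiSIEM. It applies the three debug settings listed above for Windows Agent 4.3.x and later, waits the 5 minutes the page asks for, and restores them in a finally block so a host is not left at debug level if the session is interrupted. The paths and values are the page's; the existing type of the registry value is read and preserved rather than assumed. Run as Administrator.

```powershell
# Added example (not from the Fortinet page): toggle the agent's three log-level
# settings between normal and debug, and capture a bounded debug window.
function Set-FsmAgentLogLevel {
    param([Parameter(Mandatory)][ValidateSet('Debug', 'Normal')][string]$Level)
    $base = 'C:\Program Files\Fortinet\FortiSIEM'
    $reg  = 'HKLM:\SOFTWARE\Fortinet\FortiSIEM'
    # Normal <-> Debug replacements from the page.
    $edits = @(
        @{ Path = "$base\log4net.config"; Normal = '<LogLevel>ERROR</LogLevel>'; Debug = '<LogLevel>DEBUG</LogLevel>' },
        @{ Path = "$base\fins.xml";       Normal = '<LogLevel>4</LogLevel>';     Debug = '<LogLevel>1</LogLevel>' }
    )
    foreach ($e in $edits) {
        if ($Level -eq 'Debug') { $from = $e.Normal; $to = $e.Debug } else { $from = $e.Debug; $to = $e.Normal }
        $text = Get-Content -Path $e.Path -Raw
        if (-not $text.Contains($from)) {
            Write-Warning "$($e.Path): '$from' not found, file left unchanged"
            continue
        }
        Set-Content -Path $e.Path -Value $text.Replace($from, $to) -NoNewline
    }
    # Registry LogLevel: 1 = normal, 2 = debug per the page; keep whatever value type is already there.
    $kind  = (Get-Item -Path $reg).GetValueKind('LogLevel')
    $value = if ($Level -eq 'Debug') { 2 } else { 1 }
    Set-ItemProperty -Path $reg -Name 'LogLevel' -Value $value -Type $kind
}

# Capture a 5-minute debug window, then always revert, even if interrupted in between.
Set-FsmAgentLogLevel -Level Debug
try {
    Start-Sleep -Seconds 300
} finally {
    Set-FsmAgentLogLevel -Level Normal
}
Get-Content -Path 'C:\ProgramData\FortiSIEM\Agent\Logs\FSMLogAgent.log' -Tail 50
```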

Windows Agent 4.2.x and earlier

In Windows Agent 4.2.x and earlier, edit the following:

  • In the registry key HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent

    • Change the value LogLevel from 1 to 2.

This change takes effect immediately. Allow logs to be collected for at least 5 minutes, then revert the value to its original setting.

The debugging information is available in the following log files:

  • Agent Service logs are located in C:\ProgramData\AccelOps\Agent\Logs\AoWinAgt.log
  • Agent Application logs are located in C:\ProgramData\AccelOps\Agent\Logs\ProxyTrace.log

Sample Windows Agent Logs

For sample Windows Agent logs, see Sample Windows Agent Logs in the FortiSIEM User's Guide.