FortiSIEM Windows Agent

FortiSIEM Windows Agent can collect a wide variety of logs and other telemetry for Windows hosts. See the External Systems Configuration Guide - Windows Servers via Agent for details.

This document covers the following topics related to installing, upgrading, and managing Windows Agent.

• Supported Operating Systems

• Supported Languages

• Hardware Requirements

• Software Requirements

• Communication Ports

• Other Installation Considerations

• Installing Windows Agent

  • Installing Windows Agent via GUI

  • Installing Windows Agent via GPO

  • Installing Windows Agent via Command Line

  • Installing Windows Agent in VDI Environment

  • Installing Windows Agent Without Supervisor Communication
• Enabling FIPS
• Next Steps After Installing Windows Agent
• Upgrading Windows Agent
  • Upgrading from Windows Agent 4.2.x and Later
  • Upgrading from Windows Agent 4.0.0 to 4.1.x
  • Verify Agent Version and Template Associations
• Managing Windows Agent
• Uninstalling Windows Agent
• REST APIs used for Communication
• Troubleshooting from Windows Agent

Supported Operating Systems

FortiSIEM Windows Agent 7.2.4 runs on the following Operating Systems:

• Windows 7 Enterprise/Professional
• Windows 8
• Windows 10
• Windows 11
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2016 Core
• Windows Server 2019
• Windows Server 2019 Core
• Windows Server 2022

Supported Languages

All languages in which the Windows Operating System is available are supported.

Hardware Requirements

Component	Requirement
CPU	x86 or x64 (or compatible) at 2 GHz or higher
Hard Disk Free space	10 GB (minimum)
Server Operating System	- Windows Server 2008 R2 and above (strongly recommended) - Desktop Operating System: Windows 7, 8,10 and above
RAM	- For 32 bit OS: 2 GB for Windows 7, 8, 10 minimum - For 64 bit OS: 4 GB for Windows 7, 8, 10, Windows Server 2008 / 2012 minimum

Software Requirements

Windows Agent Version	Component	Requirement	Notes
4.2	Installed Software	.NET Framework 4.5	.NET Framework 4.5 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=30653, and is already available on Windows 8 and Windows Server 2012.
4.3.0+	Installed Software	.NET Framework 4.6 or later.	.NET Framework 4.6 can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=48137.

Communication Ports

FortiSIEM Windows Agent 7.2.4 communicates outbound via HTTPS with Supervisor and Collectors.

1. The Agent registers to the Supervisor and periodically receives monitoring template updates if any, via HTTP(S).
2. The Agent then forwards the events to the Collectors via HTTP(S).

Ensure that Firewalls, if any, between the Agents and Supervisor/Collector permit HTTP(S) traffic on port 443. If you decide to upgrade Windows Agent 4.2.0 or later from the Supervisor (see Upgrade from Supervisor), then make sure the Supervisor can communicate with FortiGuard Service (update.fortiguard.net) on port 443 to validate the upgrade images.

Other Installation Considerations

• Certificate Validation

• Trusted Hosts

• Prerequisites Beginning with Windows Agent 5.0.0 and later

• Prerequisites Beginning with Windows Agent 3.0

Certificate Validation

The FortiInsight UEBA module uses WinVeifyTrust APIs to validate that its executable hasn't been tampered with. This process requires the root certificate chain to be present on the endpoint device in question. FortiSIEM Windows Agent is signed using a DigiCert Authenticode Certificate, which requires the DigiCert Trusted Root G4 Certificate to be present in the Certificate Store.

Normally these certificates will be updated along with Windows Updates, however if the endpoint device does not allow for Certificate Authorities to be updated via this mechanism, you must install it manually for the FortiInsight UEBA module to work correctly.

These certificates can be found here:

https://www.digicert.com/kb/digicert-root-certificates.htm

Search for G4 root certificate, serial number: 05:9B:1B:57:9E:8E:21:32:E2:39:07:BD:A7:77:75:5C.

Or direct link to DER/CRT: https://cacerts.digicert.com/DigiCertTrustedRootG4.crt

Once the certificate has been downloaded, simply right click the certificate from the download and select "install certificate".

Follow the certificate wizard and import will complete.

Trusted Hosts

If you have defined Trusted Hosts in FortiSIEM, then remember to include the Windows Agents, else they will not be able to register.

Information on Trusted Hosts can be found here.

Prerequisites Beginning with Windows Agent 5.0.0 and later

If antivirus software interferes with the FortiSIEM Windows Agent, you can consider whitelisting the following files on the endpoint. This is useful if the antivirus software uses application sandboxing heuristics that wrap around any new applications. This can result in high CPU and memory usage and can significantly slow down the machine.

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\certs.pem

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\cn.bat

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\fins.xml

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Common.dll

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Security.dll

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Utilities.dll

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.Utilities.manifest

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.WebProxy.dll

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.WebProxy.manifest

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\FortiSIEM.WinRTWrapper.dll

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\FSMLogAgent.exe

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\FSMLogAgent.exe.config

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\License_3rd_party.txt

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\log4net.config

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\log4net.dll

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\monitorStatus.xml

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\osquery.exe

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\data\*

• <Windows drive>:\Program Files\Fortinet\FortiSIEM\logs\*

• <Windows drive>:\ProgramData\FortiSIEM\Database\*

• <Windows drive>:\ProgramData\FortiSIEM\Logs\*

• <Windows drive>:\Windows\System32\drivers\FortiInsight.sys

Prerequisites Beginning with Windows Agent 3.0

Beginning with Windows Agent release 3.0:

• Agents must upload event data to a Collector. Therefore, minimum architecture is one Super appliance and one Collector appliance.
• The Collector must be installed as IPv4 only. Dual stack IPv4/IPv6 or IPv6 Collectors are not supported with Agents.
• Enable TLS 1.2 for Windows Agent to communicate with FortiSIEM Super/Worker/Collector nodes. Without TLS 1.2 enabled, Windows Agent installation will fail. By default, SSL3 / TLS 1.0 is enabled in Windows 7, 8 and 2008-R2. Before proceeding with the Windows Agent installation, please enable TLS 1.2 (if not already enabled) as follows:
  1. Start elevated Command Prompt (i.e., with administrative privilege)
  2. Run the following commands sequentially as shown.

     REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t

     REG_DWORD /d 00000000

• Switch off Disk Fair Share. If it is on, then the real user in UEBA may not be captured. You can switch it off by running the following commands in powershell:

  $temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")

  $temp.enableDiskFSS = 0

  $temp.put()

  For more information on Disk Fair Share, see https://support.microsoft.com/en-gb/help/4494631/fair-share-technologies-enabled-by-default-in-remote-desktop-services.

Installing Windows Agent

During installation, the Windows Agent will register with FortiSIEM Supervisor.

The required parameters are:

• SUPER_IP: IP Address or Host name/FQDN of Supervisor node
• ORG_ID: FortiSIEM Organization Id to which this Agent belongs
• ORG_NAME: FortiSIEM Organization Name
• AGENT_USER: Agent user name (for registration only)
• AGENT_PASSWORD: Agent password (for registration only)

• HOST_NAME: This name will be displayed in FortiSIEM CMDB. FortiSIEM recommends using a Fully Qualified Domain Name (FQDN), especially if SNMP or WMI is also going to be used against this device. FQDN allows for standardized naming convention.

For Service Provider installations, the Agent user name and password is defined in the Organization. See here for details. For Enterprise installations, Agent user name and password is defined in CMDB > User page. You must create a user and check Agent Admin. See here for details.

Follow the instructions for the Windows Agent version you plan to install.

• Installing Windows Agent via GUI

• Installing Windows Agent via GPO

• Installing Windows Agent via Command Line

• Installing Windows Agent in VDI Environment

• Installing Windows Agent Without Supervisor Communication

Notes: Starting with release 4.4.0, Agent Setup GUI allows you to select your License Type as Enterprise or Service Provider from a drop-down list.

Starting with release 4.2.0, Agent Setup GUI allows you to enter the Agent Configuration parameters (See Installing Windows Agent via GUI). Also, version 4.2.3 provides a way for the user to install the agent so that service can be stopped (See Installing Windows Agent via Command Line).

Installing Windows Agent via GUI

To install Windows Agent via GUI, take the following steps.

1. Log in to the Windows machine as Administrator.
2. Copy the Windows Agent binary file (Example: FSMLogAgent-v7.2.x.exe) to the same folder.
3. Ensure that the FSMLogAgent file (Example: FSMLogAgent-v7.2.x.exe) in step 2 is in the same folder (example: copy to c:\Temp\).
4. Double-click the FSMLogAgent executable package and the installation process will start.
5. In the Choose License Type dialog box, select Enterprise or Service Provider, and click Next.
   Note: With Windows Agent 4.4.0 and later, the dialog box is replaced with a License Type drop-down list.
   

6. In the FortiSIEM LogAgent Setup window, fill in the fields. See the following table for more information.
   

   Field	Required	Description	Example
   License Type	Yes	Choose your license type: Enterprise or Service Provider. Note: With Windows Agent 4.4.0 and later, the dialog box is replaced with a License Type drop-down list.
   Supervisor IP/Name	Yes	Enter the Supervisor IP address or hostname.	IP Address: 192.0.20.0 Hostname: example.com
   Supervisor Port	Yes (Default 443)	Enter the Supervisor port number. The default auto-fill value is 443.	443
   Organization Name	Yes	Enter the organization name. Note: The field will be greyed out if it is not applicable.	org3
   Organization ID	Yes	Enter the organization's ID number. Note: The field will be greyed out if it is not applicable.	2003
   Agent HostName	Yes	Enter the agent hostname. Auto-filled by default.	examplehost
   Agent Username	Yes	Enter the agent username to access Windows Agent. Note: The agent username cannot contain special characters: !#%&/\\:;<>=?[]{}^`|~	agent
   Agent Password	Yes	Enter the agent password associated with the agent username. Note: The password must be between 8-64 characters, with at least 1 letter, 1 number and 1 special character (e.g. $*&%).	agentpass*1
   Network Adapter Name Note: For Windows Agent 7.1.0 or later only.	No (Default NIC will be used)	Enter the name of the Network Adapter that will be used to report logs. If left blank, the default NIC will be used.	Ethernet1
   Supers Override Note: For Windows Agent 7.1.7 or later only.	No	Enter a FQDN or IP Address to override the Supervisor address when running in locked down or private networks.	FQDN: collector-proxy.local.dns IP Address: 10.0.0.1
   Verify Host TLS/SSL certificate	No	Check the checkbox if you want Windows Agent to verify host TLS/SSL certificate.
   VDI deployment	No	Check if deploying in a VDI environment. See Installing Windows Agent in VDI Environment for detailed steps.
   Ignore System Proxy	No	Check the Ignore System Proxy checkbox to ignore/bypass the system proxy setting.

   

7. Click Next to proceed with installation.
   
   If any settings errors are detected, a dialog box will instruct you on the field that needs to be re-entered. When all fields are valid, the installation will start. After a successful installation, the Agent will register to the Supervisor and start running.
   Note: If the installation returns a pop-up to restart your computer, click Close.
   

Installing Windows Agent via GPO

Once you have created a MSI transforms file, you then use this to pre-load all properties into the install during GPO. For information on creating a MSI transform file, see Creating a MSI Transforms File.

To install, take the following steps.

1. Navigate to the download location of the FortiSIEM Windows Agent.

2. 2. Run the following command:
   

   msiexec /i FSMLogAgent_x64.msi /qn TRANSFORMS=<transforms_file>

   Example:

   msiexec /i FSMLogAgent_x64.msi /qn TRANSFORMS=fsmlogagent.mst

   Once complete the transforms file will be used to provide the required properties when installing the FortiSIEM Windows Agent.
   

To check for successful registration, take the following steps.

1. Log in to FortiSIEM in Super Global mode as Admin user.
2. Go to CMDB and search for the Agent Host name.
3. Check the Status column.

Make sure the Templates and Host to Template association policies are defined for this Host by taking the following steps:

1. Log in to FortiSIEM in Super Global mode.
2. Go to Admin > Setup > Windows Agent and make sure the templates and host to template associations are defined.
   One of the host-to-template association policies must match this agent. The first matched policy will be selected.

Creating a MSI Transforms File

When deploying the FortiSIEM Windows Agent via Active Directory Group Policy Object, you are advised to create a MSI transforms file to pre-populate the MSI properties.

Outlined below is a way to create a transforms file using ORCA, a third party application provided by Microsoft. Although other third party tools are available, this process was verified and tested on ORCA version 5.0.10011.0.

After installing ORCA, load the FortiSIEM Windows Agent MSI by taking the following steps.

1. Select File > Open.

2. Navigate to the FortiSIEM Windows Agent download location.

3. Select the MSI file you want to create a transforms file for (FSMLogAgent_x64.msi is used in this example).

Once the chosen MSI is loaded into ORCA, you can create a new transforms file ready for use by taking the following steps.

1. In ORCA, select Transform > New Transform.

2. Select Property from the left Tables side panel.
   

3. Add the following properties from the following table , with your specific values, either by:

   1. Clicking on a new row to add property.

   2. Right clicking on empty space, and select Add Row.

   3. Using key combination of CTRL+R.
      

      Property	Example	Description
      SUPERNAME	192.0.20.1	Super IP or Hostname
      AGENTUSER	agent	Agent user name with permission to register new agent
      AGENTPASSWORD	Agentpass*1	Agent user password with permission to register new agent
      ORGID	2000	The organization ID to register agent to
      ORGNAME	ORG01	The organization name to register agent to

      Adding Properties Screenshot Example:

      

      Required Properties Screenshot Example:

      

4. Once all required properties are added, select Transform > Generate Transform.

5. Save the newly generated transforms file to your required location.

6. Once generated, close the MSI you are editing by clicking File > Close.

7. Repeat the process for both x64 and x86 MSI files.
   

   The generated transforms file can then be used to create a software package, using Active Directory GPO, see Installing Windows Agent via GPO.

Installing Windows Agent via Command Line

To install Windows Agent via Command Line (CLI), take the following steps.

1. Log in to the Windows machine where Windows Agent will be installed as Administrator.
2. Copy the Windows Agent binary (Example: FSMLogAgent-v7.2.x.exe) to the same folder.
3. Ensure that the FSMLogAgent executable (Example: FSMLogAgent-v7.2.x.exe) in step 2 is in the same folder (example: copy to c:\Temp\).

4. Launch Command Prompt, go to the Installation packages saved location, and run
   

   FSMLogAgent.exe <Parameter_1>="Parameter_1_Info" <Parameter_2>="Parameter_2_Info" ...

   See the following table for parameters and descriptions.

   FSMLogAgent Command Parameters	Required	Description of Parameter Information	Example
   SUPERNAME	Yes	The Supervisor IP Address or Hostname.	192.0.20.0 example.com
   SUPERPORT	Yes (Default 443)	The Supervisor port number.	443
   ORGNAME	Yes	The organization name.	org2
   ORGID	Yes	The organization ID.	2001
   AGENTUSER	Yes	The Agent username.	agent
   AGENTPASSWORD	Yes	The Agent password.	agentpass*1
   HOSTNAME	Yes	The Hostname of the Agent. If left blank, the default hostname will be used.	examplehost
   NIC Note: For Windows Agent 7.1.0 or later only.	No (Default NIC name)	The network adapter name. If left blank, the default NIC name will be used.	Ethernet1
   SUPERS Note: For Windows Agent 7.1.7 or later only.	No	The FQDN or IP Address to override the Supervisor address when running in locked down or private networks.	collector-proxy.local.dns 10.0.0.1
   SSLCERT	No	Use '1' to Verify Host TLS/SSL certificate. Do not use this parameter if you don’t need to verify Host TLS/SSL certificate.
   /quiet	No	To run in silent mode, add “ /quiet” to the end of the installation command.

   
   Example for 4.2.x-5.x:
   C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost"
   
   

   Example for 7.1.x with NIC:

   C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.2.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" NIC="Ethernet1" SSLCERT="1"
   
   

   Example for 7.1.7 with Supers Override:

   C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME=""SUPERS="192.0.20.3"
   

   
   Example Using Silent Mode:
   C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" SSLCERT="1" /quiet
   

5. The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.

Using Special Characters in Password when Registering via CLI

Choose characters from the set published here: https://owasp.org/www-community/password-special-characters

The password needs to be enclosed in double quote. If the password contains double quote("), then use double quote(") to escape - e.g. "Password""11"

Installing with the Ability to Stop Agent Service

Normal installations do not allow you to stop the Windows Agent from Windows Service Control Manager. Starting with release 4.2.3, you can do this by adding the UNPROTECT=1 option to the command line, e.g.
./FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" UNPROTECT=1

If you do not add the UNPROTECT=1 flag, then the process cannot be stopped from Windows Service Control Manager. This is the default behavior.

If you add the UNPROTECT=1 flag , then the Administrator can stop the process from Windows Service Control Manager.

Installing Windows Agent in VDI Environment

Starting with release 4.4.0, the Windows Agent supports Virtual Desktop Infrastructure (VDI) as a deployment mechanism. VDI deployment also supports ReadOnly VDI images. In this scenario, device names will be added to CMDB > Device list as the active session user, separating domain and username with two underscores ‘__’ (I.e. domain__username).

To install onto a VDI, the ReadOnly images installation process is similar to a regular installation, but must follow these initial steps.

1. Install the Windows Agent onto the Golden image of your VDI image. When prompted for settings, ensure that you check the VDI deployment checkbox.

   

2. Allow the Golden Image to register and send data to your FortiSIEM Deployment.

3. Once verified, create a snapshot of your Golden Image.

4. Start your ReadOnly VDI image.

5. Verify the new VDI session (with domain__user) has been able to register, and is in Running Active State.

6. Shutdown the VDI session.

When the user logs on to the VDI environment and downloads a VM from the VDI Server, the VM contains a VDI transient image (containing the Windows Agent). The agent automatically registers to the FortiSIEM Supervisor node, with host name set to <DOMAIN>__<USERNAME> in CMDB.

When the user logs off from the VDI environment, the agent automatically unregisters to the FortiSIEM Supervisor node. The agent's status is decommissioned, so that it does not consume an agent license.

Installing Windows Agent Without Supervisor Communication

In typical installations, FortiSIEM Agents register to the Supervisor node, but send the events by using the Collector. In many MSSP situations, customers do not want Agents to directly communicate with the Supervisor node. This requirement can be satisfied by setting up the Collector as an HTTPS proxy between the Agent and the Supervisor. This section describes the required configurations.

• Step 1: Setup the Collector as an HTTPS Proxy
• Step 2: Install Agents to Work with the Collector

Step 1: Setup the Collector as an HTTPS Proxy

Follow these steps to setup the Collector as an HTTPS proxy:

1. Log in to the Collector.

2. Go to /etc/httpd/conf.d.

3. Download the following configuration file agent-proxy.conf here.

4. Make the following modifications to the downloaded agent-proxy.conf file.

   1. Replace <Supervisor IP Address> with your FortiSIEM Supervisor IP address.
      

      Lines 1 - 8 are for the basic Windows Agent proxy configuration.

      Lines 12 - 16 are required to upgrade Windows Agent 6.4.0+, allowing Windows Agent to download the necessary files for an upgrade while utilizing the Collector as a proxy.

      Lines 20 -21 add an additional required route for Windows Agent 5.0.0 and later.

      Lines 25-26 add another required route for Windows Agent 7.1.0 and later for the osquery feature to function.
      

5. Copy/overwrite the updated agent-proxy.conf file to the Collector /etc/httpd/conf.d directory.

6. Restart httpd, for example: service httpd restart.

Step 2: Install Agents to Work with the Collector

Follow these steps to install the Windows Agents to work with the Collector.

1. If you already have agents registered with the Supervisor, then uninstall them.
2. Re-install the Windows Agents, following the instructions here. During installation, set the Supervisor IP, and Supers Override to the IP address of the Collector node.

The Supers Override parameter is used to ensure that the agent will only utilize the collector as its main point of communication. Once set, the agent will disregard any instruction to use multiple supervisors, which is the default behavior.

Enabling FIPS

Follow the steps below to enable FIPS on a Windows system:

1. Click Start > Run and enter the command secpol.msc to open the Local Security Policy window.
2. Select Security Settings > Local Policies > Security Options.
3. In the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing and select Enabled.
4. Click Apply and then OK.

Next Steps After Installing Windows Agent

After Window Agent has been successfully installed, it will appear under CMDB > Devices. If no Windows Agent Monitor template and Host to Template Associations have been set up, the Status of this device will appear as Unmanaged, and the Agent Status will appear as Registered.

Your next step is to create your Windows Agent Monitor template and Host to Template Associations by navigating to Admin > Setup > Windows Agent, then applying the template. See Configuring Windows Agent for more information on configuring a Windows Agent Monitor template and its host to template associations, and the External Systems Configuration Guide - Windows Servers via Agent for further details.

After applying the Windows Agent template, Status will appear as Pending, and Agent Status will appears as Running active if successful.

Note: It may take a few minutes for Agent Status to appear as Running active. Agent Status will display Running inactive while the Windows Agent template is being processed.

Upgrading Windows Agent

• Upgrade from Windows Agent 4.2.x and Later

  • Upgrade from Supervisor

  • Upgrade via Agent Setup GUI

  • Upgrade via Command Line

• Upgrade from Windows Agent 4.0.0 to 4.1.x

  • Upgrade via Windows File Explorer

  • Upgrade via Command Line

• Verify Agent Version and Template Associations
  

Upgrading from Windows Agent 4.2.x and Later

If you are running Agent 4.2.0 or later, then you can upgrade in one of the following 3 ways.

• Upgrade from Supervisor

• Upgrade via Agent Setup GUI

• Upgrade via Command Line

The first method needs you to upgrade Agents remotely via Supervisor. Unlike the last two methods, no local access to Windows Server is required. However, the Supervisor method needs Supervisor access to FortiGuard Data Services (update.fortinet.net) on port 443.

Upgrade from Supervisor

Navigate to Admin > Settings > System > Image Server and follow the instructions in Upgrading Windows Agent from the Online Help.

Note: Upgrade from FortiSIEM Supervisor Install requires FortiSIEM 6.4.0 or later, and FortiSIEM Windows Agent 4.2.0 or later.

Upgrade via Agent Setup GUI

With this option, you will be re-installing the new version on top of the older version using the Agent Setup GUI.

To upgrade through the graphical user interface (GUI), take the following steps.

1. Log in to your Windows machine as an Administrator.

2. Ensure that the Windows Agent binary file (Example: FSMLogAgent-v7.2.x.exe) file is in the same folder.

3. Double-click the package (Example: FSMLogAgent-v7.2.x.exe) and the installation process will start.
   

4. In the Choose License Type dialog box, select Enterprise or Service Provider, and click Next.
   Note: With Windows Agent 4.4.0 and later, the dialog box is replaced with a License Type drop-down list.
   

5. In the FortiSIEM LogAgent Setup window, fill in the fields. See the following table for more information.
   

   Field	Required	Description	Example
   License Type	Yes	Choose your license type: Enterprise or Service Provider. Note: With Windows Agent 4.4.0 and later, the dialog box is replaced with a License Type drop-down list.
   Supervisor IP/Name	Yes	Enter the Supervisor IP address or hostname.	IP Address: 192.0.20.0 Hostname: example.com
   Supervisor Port	Yes (Default 443)	Enter the Supervisor port number. The default auto-fill value is 443.	443
   Organization Name	Yes	Enter the organization name. Note: The field will be greyed out if it is not applicable.	org3
   Organization ID	Yes	Enter the organization's ID number. Note: The field will be greyed out if it is not applicable.	2003
   Agent HostName	Yes	Enter the agent hostname. This is auto-filled by default.	examplehost
   Agent Username	Yes	Enter the agent username to access Windows Agent. Note: The agent username cannot contain special characters: !#%&/\\:;<>=?[]{}^`|~	agent
   Agent Password	Yes	Enter the agent password associated with the agent username. Note: The password must be between 8-64 characters, with at least 1 letter, 1 number and 1 special character (e.g. $*&%).	agentpass*1
   Network Adapter Name Note: For Windows Agent 7.1.0 or later only.	No (Default NIC name)	Enter the name of the Network Adapter that will be used to report logs. If left blank, the default NIC name will be used.	Ethernet1
   Supers Override Note: For Windows Agent 7.1.7 or later only.	No	Enter a FQDN or IP Address to override the super address when running in locked down or private networks.	FQDN: collector-proxy.local.dns IP Address: 10.0.0.1
   Verify Host TLS/SSL certificate	No	Check the checkbox if you want Windows Agent to verify host TLS/SSL certificate.
   VDI deployment	No	Check if deploying in a VDI environment. See Installing Windows Agent in VDI Environment for detailed steps.
   Ignore System Proxy	No	Check the Ignore System Proxy checkbox to ignore/bypass the system proxy setting.

   

6. Click Next to proceed with installation.
   
   If any settings errors are detected, a dialog box will instruct you on the field that needs to be re-entered. When all fields are valid, the installation will start. After a successful installation, the Agent will register to the Supervisor and start running.
   Note: If the installation returns a pop-up to restart your computer, click Close.
   
   

7. Proceed to Verify Agent Version and Template Associations.
   

Upgrade via Command Line

With this option, you will be re-installing the new version on top of the older version using command line. The agent configuration parameters are provided in command line arguments.

To upgrade through the command line interface (CLI), take the following steps.

1. Log in to the Windows machine as an Administrator.

2. Ensure that the Windows Agent binary file (Example: FSMLogAgent-v7.2.x.exe) file is in the same folder.

3. Launch Command Prompt.

4. Go to the directory where the Installation packages were saved.

5. Run FSMLogAgent.exe <Parameter_1>="Parameter_1_Info" <Parameter_2>="Parameter_2_Info" ...
   

   See the following table for parameters and descriptions.

   FSMLogAgent Command Parameters	Required	Description of Parameter Information	Example
   SUPERNAME	Yes	The Supervisor IP Address or Hostname.	192.0.20.0 example.com
   SUPERPORT	Yes (default 443)	The Supervisor port number.	443
   ORGNAME	Yes	The organization name.	org2
   ORGID	Yes	The organization ID.	2001
   AGENTUSER	Yes	The Agent username.	agent
   AGENTPASSWORD	Yes	The Agent password.	agentpass*1
   HOSTNAME	Yes	The Hostname of the Agent. If left blank, the default hostname will be used.	examplehost
   NIC Note: For Windows Agent 7.1.0 or later only.	No (Default NIC name)	The network adapter name. If left blank, the default NIC name will be used.	Ethernet1
   SUPERS Note: For Windows Agent 7.1.7 or later only.	No	The FQDN or IP Address to override the Supervisor address when running in locked down or private networks.	collector-proxy.local.dns 10.0.0.1
   SSLCERT	No	Use '1' to Verify Host TLS/SSL certificate. Do not use this parameter if you don’t need to verify Host TLS/SSL certificate.
   /quiet	No	To run in silent mode, add “ /quiet” to the end of the installation command.

   Example for 4.2.x-5.x:
   C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost"

   Example for 7.1.x with NIC:

   C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.2.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" NIC="Ethernet1" SSLCERT="1"

   Example for 7.1.7 with Supers Override:

   C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="" SUPERS="192.0.20.3"

   Example Using Silent Mode:
   C:\Temp\FSMLogAgent.exe SUPERNAME="192.0.20.0" SUPERPORT="443" ORGNAME="org2" ORGID="2001" AGENTUSER="agent" AGENTPASSWORD="agentpass*1" HOSTNAME="examplehost" SSLCERT="1" /quiet
   

   
   The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.
   
   For more information on special characters, see Using Special Characters in Password when Registering via CLI.
   
   For more information on how to install with the ability to stop service, see Installing with the Ability to Stop Agent Service.
   Note: This requires Agent 4.2.3 or later.
   
   

6. Proceed to Verify Agent Version and Template Associations.

Upgrading from Windows Agent 4.0.0 to 4.1.x

Upgrade can be done in one of two ways.

• Upgrade via Windows File Explorer

• Upgrade via Command Line

These methods both require you to login to the Windows Server. Once you are on Version 4.2.0 or later, you can upgrade remotely via the Supervisor.

Upgrade via Windows File Explorer

With this option, you will be re-installing the new version on top of the older version using Windows File Explorer.

To upgrade through the graphical user interface (GUI), take the following steps.

1. Log in to your Windows machine as an administrator.

2. Ensure that the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe and InstallSettings.xml files are in the same folder.

3. Double-click the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe package and the installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.

   Note: If the installation returns a pop-up to restart your computer, click Close.
   
   

4. Proceed to Verify Agent Version and Template Associations.
   

Upgrade via Command Line

With this option, you will be re-installing the new version on top of the older version using command line. The agent configuration parameters are provided in command line arguments.

To upgrade through the command line interface (CLI), take the following steps.

1. Log in to the Windows machine as an administrator.

2. Ensure that the FSMLogAgent-v4.0.x.exe or FSMLogAgent-v4.1.x.exe and InstallSettings.xml files are in the same folder.

3. Launch Command Prompt.

4. Go to the directory where the Installation packages were saved.

5. Run FSMLogAgent-v4.0.x-mmddyyyy.exe or FSMLogAgent-v4.1.x-mmddyyyy.exe with the /norestart option.

   Example: C:\Temp\FSMLogAgent-v4.1.0-03052021.exe /norestart
   
   The installation process will start. If any settings errors are detected, the install process will fail, otherwise it will succeed. The Agent will register to the Supervisor and start running.

6. Proceed to Verify Agent Version and Template Associations.

Verify Agent Version and Template Associations

You will need to navigate to CMDB to check the status and version of your Windows agent. Take the following steps.

1. Log in to FortiSIEM in Super Global mode as an admin user.

2. Navigate to CMDB > Devices.

3. In the Search... field, enter your Agent Host name to locate your agent.

4. Check the Agent Version column for your Agent and confirm that the version is the upgraded version.

5. Check the Status column to see the Agent status. The status should update to "Running Active" after a few minutes.

6. Navigate to ADMIN > Setup > Windows Agent.

7. Under Host To Template Associations, select an existing configuration and confirm it is still defined.

Managing Windows Agent

Agent Service

When the Windows Agent is running, the FSMLogAgent is shown as part of your services on your Windows machine. The ability to Start, Stop, Pause, or Resume this service is disabled. This is intentional, to provide service level protection. An option is available starting with Windows Agent 4.2.3 to stop Windows Agent. See Installing with the Ability to Stop Agent Service.

Auto Restart Service Behavior

In the event of a Windows Agent crash, Windows Agent will automatically restart itself after 60 seconds has passed.

It is possible to terminate the FSMLogAgent process via the Windows Task Manager. This action will cause Windows Agent to restart automatically.

Uninstalling Windows Agent

• Uninstalling Windows Agent via GUI

• Uninstalling Windows Agent via CLI

Uninstalling Windows Agent via GUI

To uninstall FortiSIEM Windows Agent, run the FortiSIEM Installer. When prompted, click Uninstall.

Uninstalling Windows Agent via CLI

To uninstall the FortiSIEM Windows Agent via the CLI, take the following steps:

1. Login to the Windows machine where the Windows Agent will be uninstalled.

2. Copy the Windows Agent binary (Example: FSMLogAgent-v7.2.x.exe or FSMLogAgent_x64.msi or FSMLogAgent_x86.msi).

   Note: To uninstall the product, you must use the same binary used to install the Windows Agent.

3. Launch command prompt, as an administrator, then depending on whether you used an .exe or .msi file for installation, follow the respective uninstall.

   1. For bundle uninstall, execute the following:
      

      FSMLogAgent-v7.2.x.exe -uninstall

   2. For MSI based uninstall, execute the following:
      

      msiexec /x FSMLogAgent_x64.msi

4. Once complete, the FortiSIEM Windows Agent will be uninstalled from the Windows machine.

REST APIs used for Communication

A Windows Agent uses the following REST APIs:

Purpose	URL	Notes
Registration to Supervisor	https://<SuperFQDN>:<port>/phoenix/rest/register/windowsAgent	Supported Port is 443
Status update to Supervisor	https://<SuperFQDN>:<port>/phoenix/rest/windowsAgent/update	Supported Port is 443
Event Upload to Collectors	https://<CollectorFQDNorIP>:<port>/winupload_direct?<AgentID>	Supported Port is 443

Troubleshooting from Windows Agent

Follow the troubleshooting steps for your version of Windows Agent.

• Windows Agent 4.3.x and later

• Windows Agent 4.2.x and earlier

Windows Agent 4.3.x and later

In Windows Agent 4.3.x and later, edit the following:

• In C:/Program Files/Fortinet/FortiSIEM/log4net.config

  • Replace <LogLevel>ERROR</LogLevel> with <LogLevel>DEBUG</LogLevel>.

• In C:/Program Files/Fortinet/FortiSIEM/fins.xml

  • Replace <LogLevel>4</LogLevel> with <LogLevel>1</LogLevel>.

• In registry HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiSIEM

  • Edit the value LogLevel from 1 to 2.

These changes instantly take affect. Allow logs to be collected for at least 5 minutes, once complete revert the changes back to their original values.

The debugging information is available in the following log files:

• Agent Service logs are located in C:\ProgramData\FortiSIEM\Agent\Logs\FSMLogAgent.log

• Agent Application logs are located in C:\ProgramData\FortiSIEM\Agent\Logs\Trace.log

• Other Agent Application logs are located in C\Program Files\Fortinet\FortiSIEM\logs\cms.log

Windows Agent 4.2.x and earlier

In Windows Agent 4.2.x and earlier, edit the following:

• In registry HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent

  • Edit the value LogLevel from 1 to 2.

These changes instantly take affect. Allow logs to be collected for at least 5 minutes, once complete revert the changes back to their original values.

The debugging information is available in the following log files:

• Agent Service logs are located in C:\ProgramData\AccelOps\Agent\Logs\AoWinAgt.log
• Agent Application logs are located in C:\ProgramData\AccelOps\Agent\Logs\ProxyTrace.log