Re: Forwarding event logs to Collector Agent syslog-like way
Not sure what your capabilities are.
Here are some options I thought of for how to get user logons into FSSO and FortiGate:
- if you need Syslog, then FortiAuthenticator can process Syslog messages into FSSO.
- if you use NPS or any RADIUS server, then it, or the NAS (like the WLC/AP that asked for authentication), might be able to produce RADIUS Accounting messages. Those can be processed directly on FortiGate (the feature is usually called RSSO), on a standalone Collector (Advanced Settings > RADIUS Accounting), or on FortiAuthenticator (RADIUS Accounting Sources in SSO).
- if your setup does not allow installations on a DC but does allow communication to the DC, then you can have a standalone FSSO Collector Agent installed on a domain member running a server-class Microsoft OS, and poll the Windows Event Logs of selected DCs from that Collector Agent. I would suggest going with the WMI WinSec polling method (chosen during agent setup, or later in its configuration).
- if, due to any obscurity, you are not even allowed to poll/read the WinSec Log from a remote server, then the last possible option seems to me to be a standalone Collector Agent, installed on some domain member with a server-class OS, using the 'Forwarded Event Server' tab in Advanced Settings. Each entry needs a domain name and a hostname/IP. Then in 'Select Domains to Monitor' in the GUI, select the domain you'd like to process events for. Also go to 'Advanced Settings->General' and set 'Event IDs to poll' to number 2.
This collector will then listen, so use the Microsoft Event Log forwarding feature on the DCs of your choice to actually forward Event Log records to the server where you installed the Collector, which is not a DC.