Forwarding event logs to Collector Agent syslog-like way

Author: itismo
2020/09/10 02:03:54


Hello all,
 
Is there any way to forward select login events from the DC to the Collector Agent similar to syslog style?
 
#1


    xsilver
    Re: Forwarding event logs to Collector Agent syslog-like way 2020/09/10 02:16:37
    Hi,
    that's exactly what the DC Agent is designed for:
    to spot logon attempts inside LSASS (even before they get to the EventLog) at DC level, and forward those to a pre-configured Collector Agent (or multiple Agents).
     

    Kind Regards,
    Tomas
    #2
    itismo
    Re: Forwarding event logs to Collector Agent syslog-like way 2020/09/10 03:55:09
    Hello xsilver,
     
    Thank you for your reply, but the setup requirements allow no modification at all to the DCs, so installing the DC Agent is not possible; the logs have to be forwarded natively from the DC event log, syslog style.
    #3
    xsilver
    Re: Forwarding event logs to Collector Agent syslog-like way 2020/09/10 06:36:52
    Hi itismo,
     
    not sure what your capabilities are.
    Here are some options I thought of for how to get user logons to FSSO and FortiGate:
    ---
    - if you need Syslog, then FortiAuthenticator can process Syslog messages into FSSO.
    - if you use NPS or any RADIUS server, then it, or the NAS (like the WLC/AP that asked for the authentication), might be able to produce RADIUS Accounting messages. Those can be processed directly on FortiGate (the feature is usually called RSSO), on a standalone Collector (Advanced Settings > RADIUS Accounting), or on FortiAuthenticator (RADIUS Accounting Sources in SSO).
     
    - if your setup does not allow installations on DCs but allows communication to DCs, then you can have a standalone FSSO Collector Agent installed on a domain member running a server-class Microsoft OS, and poll the Windows EventLogs of selected DCs from that Collector Agent. I would suggest going with the WMI WinSec polling method (chosen during agent setup or later in its configuration).
     
    - if, due to any obscurity, you are not even allowed to poll/read the WinSec Log from a remote server, then the last possible option, it seems to me, is to use a standalone Collector Agent, installed on some domain member with a server-class OS, and in Advanced Settings use the tab 'Forwarded Event Server'. Each entry needs a domain name and hostname/IP. Then in 'Select Domains to Monitor' in the GUI, select the domain you'd like to process events for. Also, in 'Advanced Settings->General', set 'Event IDs to poll' to number 2.
    Then this collector will listen, so use the Microsoft Event Log Forwarding feature on the DCs of your choice to actually forward EventLog records to this server where you installed the Collector and which is not a DC.
     

    Kind Regards,
    Tomas
    #4
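    As an added example (not from the thread or from Fortinet), the last option above on the Windows side: a source-initiated Windows Event Forwarding subscription created on the non-DC member server that hosts the Collector Agent, restricted to logon-related Security events, followed by a check that forwarded records are actually arriving. The subscription name, file path and the choice of event IDs are assumptions.

```powershell
# Run elevated on the domain-member server that hosts the FSSO Collector Agent (not on a DC).
# Assumptions (placeholders, not from the thread): subscription name 'DC-Logons';
# the sending DCs are members of the built-in Domain Controllers group (SDDL alias 'DD').

# 1. Enable the Windows Event Collector service and the WinRM listener on this server.
wecutil qc /q:true
winrm quickconfig -q

# 2. Source-initiated subscription: the DCs push matching records here over WinRM.
#    4624 = successful logon; 4768/4769 = Kerberos TGT / service ticket issued (the DC-side view of a logon).
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wec">
  <SubscriptionId>DC-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward DC logon events to the FSSO Collector Agent host</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4768 or EventID=4769)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <LogFile>ForwardedEvents</LogFile>
  <ContentFormat>RenderedText</ContentFormat>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$path = Join-Path $env:TEMP 'dc-logons.xml'
Set-Content -Path $path -Value $subscription -Encoding ASCII
wecutil cs $path

# 3. Check: show the subscription's runtime status per source DC, then confirm
#    that logon records have landed in the ForwardedEvents log on this server.
wecutil gr DC-Logons
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4624 } -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id
```

    The DCs only start sending once the 'Configure target Subscription Manager' policy points them at this server's WinRM endpoint and the Network Service account has read access to their Security log; until then `wecutil gr` shows no active sources.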
    itismo
    Re: Forwarding event logs to Collector Agent syslog-like way 2020/09/10 10:02:32
    Many thanks xsilver for your input, I will check what can be applied to our environment.
    I am sure your answers will be useful to everyone here as well :)
    #5
    xsilver
    Re: Forwarding event logs to Collector Agent syslog-like way 2020/09/11 00:05:55
    itismo wrote:
        I am sure your answers will be useful to everyone here as well :)

    That's why I'm doing this and trying to add extra info to each answer, not just a straightforward response.
    If you think it's helpful, then mark it or like it.

    Kind Regards,
    Tomas
    #6