Hot!FSSO missing user logon events in DC agent mode - "Too much request in the queue"

Author
James_G
Gold Member
  • Total Posts : 264
  • Scores: 15
  • Reward points: 0
  • Joined: 2016/02/28 02:55:47
  • Status: offline
2021/02/25 09:54:06 (permalink)
0

FSSO missing user logon events in DC agent mode - "Too much request in the queue"

Hi all - have FSSO in DC agent mode missing logon events and producing the following error in the dcagentlog (when logging enabled). I have a call open with support, but expect the forums could beat them to the fix the speed they are returning to my issues at the moment. Anyone with any ideas?
 
02/25/2021 17:31:51.428: processing Logon (level=1, logonid=0-0) WINCHNT\jgXXX (James XXX) from DESKTOP-WCCJB7E
Domain:WINCHNT DNS suffix added:XXX.uk.
Too much request in the queue, discard this logon event, domain:WINCHNT, workstation:DESKTOP-WCCJB7E, user:jgXXX, request in queue:100001
02/25/2021 17:31:51.428: finish processing.
post edited by James_G - 2021/02/25 09:55:20
#1

6 Replies Related Threads

    Philippe Gagne
    Bronze Member
    • Total Posts : 55
    • Scores: 6
    • Reward points: 0
    • Joined: 2015/06/25 17:55:25
    • Location: Trois-Rivieres
    • Status: offline
    Re: FSSO missing user logon events in DC agent mode - "Too much request in the queue" 2021/02/25 10:02:55 (permalink)
    0
    Hi,
     
    How the configuration is done in your Fortigate? Poll Active Directory or Full Collector?
     
    I already saw some installation where Polling was not fast enough to process all requests. 
     
    The most stable configuration is:
    DC Agent installed on all Active Directory Domain Controllers
    Collector on one or two servers or AD, two is only for redundancy purpose
    FSSO Agent on Windows AD configured in the Fortigate (External Connectors).
     
    With this configuration, I saw more than 800 computers in less than 15 minutes loging on the domain.
     
    I hope it helps! :-)
     
    Regards,
     
    Philippe
    #2
    James_G
    Gold Member
    • Total Posts : 264
    • Scores: 15
    • Reward points: 0
    • Joined: 2016/02/28 02:55:47
    • Status: offline
    Re: FSSO missing user logon events in DC agent mode - "Too much request in the queue" 2021/02/25 10:07:23 (permalink)
    0
    I am running full DC agent and collector on each domain controller, but seems that cannot keep up.
    #3
    Philippe Gagne
    Bronze Member
    • Total Posts : 55
    • Scores: 6
    • Reward points: 0
    • Joined: 2015/06/25 17:55:25
    • Location: Trois-Rivieres
    • Status: offline
    Re: FSSO missing user logon events in DC agent mode - "Too much request in the queue" 2021/02/25 10:10:01 (permalink)
    0
    User group source? Local or Collector Agent in the Fortigate.
     
    In the collector: standard or advanced?
     
     
    #4
    James_G
    Gold Member
    • Total Posts : 264
    • Scores: 15
    • Reward points: 0
    • Joined: 2016/02/28 02:55:47
    • Status: offline
    Re: FSSO missing user logon events in DC agent mode - "Too much request in the queue" 2021/02/25 10:18:52 (permalink)
    0
    User group source? Local or Collector Agent in the Fortigate. --> tried both, still fails
    In the collector: standard or advanced? --> tried both, still fails
    #5
    Philippe Gagne
    Bronze Member
    • Total Posts : 55
    • Scores: 6
    • Reward points: 0
    • Joined: 2015/06/25 17:55:25
    • Location: Trois-Rivieres
    • Status: offline
    Re: FSSO missing user logon events in DC agent mode - "Too much request in the queue" 2021/02/26 13:46:40 (permalink)
    0
    Hi James,
     
    Did you find a solution?
     
    Is the collector runs as a Domain user that can read Security Event Log? And where the collector is installed?
     
    Regards
     
    #6
    James_G
    Gold Member
    • Total Posts : 264
    • Scores: 15
    • Reward points: 0
    • Joined: 2016/02/28 02:55:47
    • Status: offline
    Re: FSSO missing user logon events in DC agent mode - "Too much request in the queue" 2021/02/27 02:01:09 (permalink)
    5 (1)
    Set "donot_resolve = 1" in the registry key of the FSSO DC agent
     
    It can happen when the DC agent cannot resolve DNS names. Can I ask you please to follow this KB and disable DNS name lookup on DC Agent:
    https://kb.fortinet.com/k....do?externalID=FD37705
    #7
    Jump to:
    © 2021 APG vNext Commercial Version 5.5