Windows Agent Releases

Some Windows Agent 7.2.x, 7.1.x, Windows Agent 5.x.x, Windows Agent 4.4.x, Agent 4.3.x and 4.2.x features are only supported on FortiSIEM 6.4.0 or later.

Make sure you have the latest content update before installing/upgrading Windows Agent.

Windows Agent 7.2.5

Published November 11, 2024

This release resolves the following issue:

• OSQuery.exe, invoked by the FortiSIEM windows agent, may use significant memory to process event logs (Bug 1090576).

Windows Agent 7.2.4

Published September 11, 2024

This release resolves the following issue:

• DISABLEPROXY setting is not carried over during upgrade (Bug 1071795).
  

  Note: This fix applies to future upgrades from 7.1.11 or 7.2.4. If you are running a lower version and want to upgrade to 7.1.11 or 7.2.4 and want to keep the proxy settings, then you need to manually enter the following entry to the registry before running the upgrade via the GUI.
  

  reg add "HKLM\Software\Fortinet\FortiSIEM" /v DISABLEPROXY /t REG_DWORD /d 1 /f

Windows Agent 7.2.3

Published August 27, 2024

This release resolves the following issues:

• Sometimes Agent can fail to render message description which can result in the Agent failing to send events to Collector. This behavior has been observed for HyperV logs (Bug 1058897).

• Agent does not correctly send events in case there are multiple Virtual Collectors and name resolution failures. The Agent may get stuck if one Virtual Collector name to IP resolution fails (Bug 1067554).

Windows Agent 7.2.2

Published July 29, 2024

This release resolves the following issue:

• Windows Agent has a memory leak when processing non-security event logs (Bug 1048352).

Windows Agent 7.2.1

Published June 28, 2024

This release contains the following fixes.

• Windows Agent status in FortiSIEM GUI may show "Disconnected" after power cycling the Windows Server (Bug 1037398).

• Double quotes are missing for some attributes in the 'AO-WUA-InstSw-Removed' raw event (Bug 1037186).

Windows Agent 7.2.0

Published June 04, 2024

This release resolves the following issue:

• Windows System Event Log ID 1074 is not reported on Windows restart (Bug 1031491).

Windows Agent 7.1.8

Published June 28, 2024

This release contains the following fix.

• Windows Agent status in FortiSIEM GUI may show "Disconnected" after power cycling the Windows Server (Bug 1037398).

Windows Agent 7.1.7

Published May 01, 2024

This release resolves the following issues:

• Windows Agent leaves a few files in system (C:\Program Files\Fortinet\FortiSIEM) after uninstall (Bug 1018385).

• Windows Agent does not work with multiple Supervisors in High Availability mode, when using Collector Proxy (Bug 1023056).

Note: This requires FortiSIEM 7.1.4 or later with content update 607.

Windows Agent 7.1.6

Published April 12, 2024

This release resolves the following issue:

Windows Agent adds an extra escaping for \ and “ characters in the XML event sent to the Collectors.

As an example, “C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive1.dat” instead of “C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat”.

As a result, some rules that use strict file patterns may not trigger (Bug 1016204).

Windows Agent 7.1.5

Published March 25, 2024

This release contains the following fixes.

1. Resolves a situation where Windows System and Application Event Logs can contain empty <Message> nodes, resulting in incomplete logs, since <Message> contains useful information.

2. The system parser for Windows Agent events in XML format (WinOSXmlParser) has been improved to handle all Event logs. The parsed attributes are now comparable to the Windows OMI based parser. To get this fix, you must also install Content Update version 606 for all FortiSIEM 7.1.x versions.

Windows Agent 7.1.4

Published March 05, 2024

Windows Agent Log Handling Performance Improvement

To better handle larger volume of Windows events (specially Windows forwarded events), FortiSIEM Windows Agent now uses the Windows native XML format to transfer all Windows logs (Security, System, Application, Forwarded Events, etc.) to Collector. A new FortiSIEM Windows event parser (WinOSXmlParser) now parses event attributes directly from XML fields. By transferring the parsing load from Windows Agent to Collector, Agent CPU load is reduced, and the Collector CPU load is slightly increased. Fortinet has not noticed any significant load increases in Collector. From user perspective, only Windows raw message structure changes from FortiSIEM "[Attribute]:Value, [Attribute]:Value" format to Windows XML format.

Since Windows event log structure has changed, all user-written custom Windows parsers should be upgraded to parse XML fields, prior to upgrading Windows Agent. Please follow the parsing logic in WinOSXmlParser to adapt your custom Windows parsers.

An example Security log format change is below. For other examples, see here.

Current Format: 

2024-02-22T01:07:51Z Win10.acme.com 172.30.56.127 AccelOps-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-fedf-4dc0-92e7-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4703" [eventType]="Information" [domain]="" [computer]="Win10.acme.com" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Feb 22 2024 01:07:51" [deviceTime]="Feb 22 2024 01:07:51" [msg]="A token right was adjusted." [[Subject]][Security ID]="S-1-5-18" [Account Name]="GFU-WIN10$" [Account Domain]="ACME" [Logon ID]="0x3E7" [[Target Account]][Security ID]="S-1-5-18" [Account Name]="ACME-WIN10$" [Account Domain]="ACME" [Logon ID]="0x3E7" [[Process Information]][Process ID]="0x3348" [Process Name]="C:\\Windows\\System32\\msiexec.exe" [Enabled Privileges]="" [Disabled Privileges]="SeRestorePrivilege,SeTakeOwnershipPrivilege"

 

New Format:

2024-02-27T21:19:33Z Win10.acme.com 172.30.56.129 FSM-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4703</EventID><Version>0</Version><Level>0</Level><Task>13317</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-27T21:19:32.430796700Z'/><EventRecordID>9064813051</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='5944'/><Channel>Security</Channel><Computer>FSM-GFU-Windows2019-WIN2019-172-30-56-129</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>FSM-GFU-WINDOWS$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>FSM-GFU-WINDOWS$</Data><Data Name='TargetDomainName'>WORKGROUP</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='ProcessName'>C:\\Windows\\System32\\svchost.exe</Data><Data Name='ProcessId'>0xbdc</Data><Data Name='EnabledPrivilegeList'>SeAssignPrimaryTokenPrivilege
   SeIncreaseQuotaPrivilege
   SeSecurityPrivilege
   SeTakeOwnershipPrivilege
   SeLoadDriverPrivilege
   SeSystemtimePrivilege
   SeBackupPrivilege
   SeRestorePrivilege
   SeShutdownPrivilege
   SeSystemEnvironmentPrivilege
   SeUndockPrivilege
   SeManageVolumePrivilege</Data><Data Name='DisabledPrivilegeList'>-</Data></EventData></Event>

Windows Agent 7.1.1

Published December 19, 2023

This release resolves the following issues.

1. Improve the memory usage of Windows Agent during event log process restart (Bug 968139).

2. When Collector has a TLS certificate, Windows Agent fails to communicate with Collector certificate verification failure error (Bug 954108).

3. Windows Agent reports Disk Full for (read only) Optical Drives (Bug 972752).

4. The field "Is Certificate Authority" should not show Null for expired certificates (Bug 965418).

Windows Agent 7.1.0

Published November 06, 2023

1. Windows Agent now offers the use of osquery to poll Windows devices. System and user defined osquery templates can be created and executed by Windows Agent on a regular schedule to gather data from Windows devices. For information on osquery, see osquery. For information on configuring osquery, see Configuring Windows Agent step 3j.

2. Certificate Monitoring has been added to give administrators more visibility into certificates that include alerts when an certificate has been added, deleted, is about to expire, and has expired. For information on configuring Certificate Monitoring, see Configuring Windows Agent step 3i.

3. When installing Windows Agent, the user can now select their interface by entering it in the Network Adapter Name field in the FortiSIEM LogAgent Setup.

Windows Agent 5.0.1

This Windows Agent release resolves the following issue:

If the Windows Agent loses network connection to the Collector for a period of time, then the performance monitoring events can have unknown event type. This can result in high Collector CPU (Bug 947196).

Windows Agent 5.0.0

This release contains the following features and enhancements:

1. In previous releases, discovery and performance monitoring for Windows Servers had to be performed via WMI/OMI only, which needed an account to be created on the server for FortiSIEM use. In this release, Windows Agent can perform discovery and performance monitoring, this feature has parity with WMI/OMI based discovery and performance monitoring.
   
   

   For configuring discovery and performance monitoring for Windows Agent, see Configuring Windows Agent - Monitor settings.

2. DNS Analytical logs are now collected via real time Events Tracing for Windows (ETW) provider. This is done to overcome an issue with the old design where DNS analytical logs can stop when the log size is full, requiring the agent to restart in order to pick up new analytical logs.

Windows Agent 4.4.1

This release includes the following bug fix.

For French locale, Windows Security, System and Application Event logs are incorrectly formatted, leading to important fields not being parsed (Bug 901252).

Windows Agent 4.4.0

This release contains the following new feature and bug fix.

Support for Virtual Desktop Infrastructure (VDI) Environment

Windows Agents can work in VDI environments using the following steps:

1. The administrator first installs the Windows Agent onto the VDI Golden image. See Installing Windows Agent in VDI Environment for details.

2. When user logs on to the VDI environment and downloads a VM from the VDI Server, the VM contains a VDI transient image (containing the Windows Agent). The agent automatically registers to the FortiSIEM Supervisor node, with host name set to <DOMAIN>__<USERNAME> in CMDB.

3. When user logs off from the VDI environment, the agent automatically unregisters to the FortiSIEM Supervisor node. The agent's status is decommissioned, so that it does not consume an agent license.

Bug Fix

Command line arguments in 'new process created' events are lowercased affecting base64 decoding of command line arguments (Bug 873700).

Windows Agent 4.3.0

This release provides the following features and improvements.

Software Installer Improvements

In earlier versions, FortiInsight User Entity Behavior Analysis (UEBA) was installed as a separate package and installer and showed up as a separate Windows service. Starting with this release, FortiInsight runs as an integrated module within FortiSIEM Windows Agent. This also means that FortiInsight will no longer be running in the background when the UEBA license, and template associations are not enabled.

Three installation options are provided: x86 MSI, x64 MSI and a bundled exe that automatically detects the correct MSI to use.

Installation paths, log files and registries have been renamed from AccelOps to FortiSIEM:

• Installation path has been updated from C:/Program Files/AccelOps to C:/Program Files/Fortinet/FortiSIEM

• ProgramData paths have been updated from C:/ProgramData/AccelOps to C:/ProgamData/FortiSIEM/

• Registry entries have been moved from HKLM/Software/AccelOps to HKLM/Software/Fortinet/FortiSIEM

• Log files have been added to C:/Program Files/Fortinet/FortiSIEM/logs

• ProxyTrace.log has been updated to C:/ProgramData/FortiSIEM/logs/Trace.log

• All libraries have been renamed from AccelOps to FortiSIEM.

  • AccelOps.Common > FortiSIEM.Common

  • AccelOps.Security > FortiSIEM.Security

  • AccelOps.Utilities > FortiSIEM.Utilities

  • AccelOps.WebProxy > FortiSIEM.WebProxy

Robust Detection of Event Log Restart (Event ID 1100)

In previous versions, Event Log restart was detected by tracking the Process ID (PID) of the Windows Event Log service. The assumption is that when Windows Event Log service restarts, the PID gets recycled. In some cases, however, the Windows Event Log “restart” does not recycle the PID, but just invalidates the handles.

This release adds a robust restart check by looking for the security Event ID 1100, which indicates a restart has occurred.

Restart Event Collection from Last Position

In previous versions, event collection starts from Agent startup time. This causes the Agent to miss events, especially in case of restart. In this release, the Windows Agent will store its last processed event and on restart, will begin event collection from that point. Restart will not result in Event loss.

Monitor Software Installed via Microsoft Apps

In previous versions, FortiSIEM Windows Agent would detect installed software when the user installed via standard installation mechanisms such as Control Panel or MSIs. This release adds support for the Microsoft App store, which has become more the standard for installing, and distributing Microsoft software. FortiSIEM Windows Agent 4.3 can now detect installed/removed software when the user installs software via the Microsoft App store.

Windows Agent 4.2.7

This release fixes the following issue.

Windows Agent process stops after enabling UEBA on Windows OS French language pack version (Bug 821479).

Windows Agent 4.2.6

This release fixes the following issue.

Virtual Collector configuration in Windows Agent Host to Template Association does not work correctly. Agent does not send events to the configured Virtual Collectors (Bug 812009).

Windows Agent 4.2.5

This release fixes the following issue.

Windows security logs with XML keyword are truncated. Examples are Windows Security Event ID 1202, 1203 for Active Directory Federation Service (ADFS) (Bug 799857).

Windows Agent 4.2.4

This release resolves the following issue.

Allow the following characters in the Windows Agent user name during registration: space, dollar, plus, minus, dot, at the rate of, underscore, left parenthesis, right parenthesis, in other words, these characters between double quote “ $*+-.@_()” (contains space) (Bug 790304).

Windows Agent 4.2.3

This release provides a way to install FortiSIEM Windows Agent so that the Administrator can stop the Agent Service if needed. To accomplish this, the user must install the Agent via the command line with the UNPROTECT = 1 option. For details, see Installing with the Ability to Stop Agent Service in the Windows Agent Guide.

Windows Agent 4.2.2

This release adds support for the full special characters set in specifying Windows Agent passwords. Supported character set is specified at this website:

https://owasp.org/www-community/password-special-characters

Specifically, it includes (between double quotes): " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"

These characters can be input both via the Windows Agent command line and the GUI.

Windows Agent 4.2.1

This release fixes the following three issues for FortiSIEM Windows Agent.

1. The Agent may not capture Windows Event Forwarding (WEF) logs when WEF is configured to write forwarded logs to any folder other than the Forwarded Events folder on the forwarded server. In addition, the Agent's performance of WEF log handling is improved. (Bug 766939)

2. The Agent limits the Collectors' name to only 50 characters, which may not work in AWS where FQDN can be long. (Bug 770632)
   
   Note: The name is now 253 characters.

3. The Agent stops sending logs after killing or restarting Windows Event Log Process. (Bug 744891)

Windows Agent 4.2.0

This release contains two enhancements.

1. A GUI is provided for installing the Agent. See Installing FortiSIEM Windows Agent 4.2.x in the Windows Agent 4.x.x Installation Guide.

2. Ability to upgrade multiple agents in parallel from the Supervisor. See here.

Windows Agent 4.1.6

This release fixes the following three issues for FortiSIEM Windows Agent.

1. The Agent may not capture Windows Event Forwarding (WEF) logs when WEF is configured to write forwarded logs to any folder other than the Forwarded Events folder on the forwarded server. In addition, the Agent's performance of WEF log handling is improved. (Bug 766939)

2. The Agent limits the Collectors' name to only 50 characters, which may not work in AWS where FQDN can be long. (Bug 770632)
   Note: The name is now 253 characters.

3. The Agent stops sending logs after killing or restarting Windows Event Log Process. (Bug 744891)

Windows Agent 4.1.5

This release resolves two security issues:

1. The log file contains plain text password used to register the agent to the Supervisor. This password is not used for any other purposes. (Bug 749499)

2. An authenticated windows user can run arbitrary Powershell scripts with Admin permissions. (Bug 749499)

Windows Agent 4.1.4

This release resolves two issues:

1. File handle leak while interfacing with local SQLite database. This can cause Windows Agent memory usage to grow overtime. (Bug 746978)

2. File handle leak while interfacing with Windows registry. This can cause Windows Agent memory usage to grow over time. (Bug 748252)

Windows Agent 4.1.3

This release resolves two issues:

1. When FortiSIEM monitors DNS Analytical logs, Windows EventLog service memory utilization maybe high. (Bug 723147)

2. Windows Agent may stop sending events if both the Supervisor and Collector go down for more than 10 minutes and then come up. (Bug 727842)

Windows Agent 4.1.2

This release adds the ability to work with FortiSIEM Management Extension Application (MEA) Collector released as part of FortiSIEM 6.3.0.

Windows Agent 4.1.1

This release fixes the following issues:

1. Windows Agent does not generate events when a monitoring template is chosen with a large set of comma separated eventIDs. Previous limit of 50 eventIDs or 250 characters is now extended to 1200 characters including comma separating characters. If you need more than this limit, you can always create multiple monitoring templates. (Bug 702090)

2. When Windows Event Forwarding is configured, FortiSIEM Agent running on the forwarded server may sometimes fail to get the message in Security Events. A new API is now used to collect the events from the Windows Forwarded Events folder. (Bug 710074)

Windows Agent 4.1.0

This release adds the following enhancements.

1. Agent will restart automatically after 1 minute if it is killed.

2. Service protection – user cannot Stop, Restart or Pause the agent from Windows Service Manager.

3. Users can change the logging level without restarting service by changing the registry key. Registry key instructions follow:

   1. Open HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent key

   2. To update with trace logging, set “LogLevel” value to “2”

   3. To update with debug logging, set “LogLevel” value to “1”

4. Agent Database is used to store Agent configuration parameters and to store events when connectivity to collectors is lost. The default size for your Agent Database is 1GB. This can be changed by modifying the MaxDBSizeInMB entry in your Registry Editor.

Details are in the Windows Agent Guide.

Windows Agent 4.0.1

This release fixes three issues:

1. Agent status became disconnected on Windows server 2012R2. (Bug 672660)

2. The log file contains plain text password used to register the agent to the Supervisor. This password is not used for any other purposes. (Bug 749499)

3. An authenticated windows user can run arbitrary Powershell scripts with Admin permissions. (Bug 749499)

Windows Agent 4.0.0

This release provides User Entity Behavior Analysis (UEBA) by embedding a Kernel Agent that detects anomalies on these 10 user activities.

• Log on and log off

• Machine on and off

• File create

• file delete

• file read

• file write

• file rename

• file move

• file upload

• file download

• drive mount

• drive un-mount

Windows Agent 3.3.1

This release resolves two security issues:

1. The log file contains plain text password used to register the agent to the Supervisor. This password is not used for any other purposes. (Bug 749499)

2. An authenticated windows user can run arbitrary Powershell scripts with Admin permissions. (Bug 749499)

Windows Agent 3.3.0

This release fixes the following issue:

Windows Agent fails to send events to Collector after service restart or machine reboot. (Bug 659782)

Windows Agent 3.2.3

This release resolves two security issues:

1. The log file contains plain text password used to register the agent to the Supervisor. This password is not used for any other purposes. (Bug 749499)

2. An authenticated windows user can run arbitrary Powershell scripts with Admin permissions. (Bug 749499)

Windows Agent 3.2.2

This release fixes the following issue:

Windows Agent on certain platforms, including Windows10 Pro, may crash while doing File Integrity Monitoring checks. This can cause Agents to get disconnected from FortiSIEM GUI and cause events to stop coming. (Bug 653943)

Windows Agent 3.2.1

This release fixes the following issue:

Windows Agent service stops after a while with File Integrity Monitoring (FIM) turned on. (Bug 636060)

Windows Agent 3.2.0

This release includes several enhancements for File Integrity Monitoring (FIM) when using Windows Agents:

• Detect File Permission and Ownership changes.

• Ability to push monitored files from agents to the FortiSIEM Supervisor where an audit trail of file changes are kept in SVN. The user can then examine the differences between the files.

• Ability to detect file changes from a baseline.

Windows Agent 3.1.3

This release resolves two security issues:

1. The log file contains plain text password used to register the agent to the Supervisor. This password is not used for any other purposes. (Bug 749499)

2. An authenticated windows user can run arbitrary Powershell scripts with Admin permissions. (Bug 749499)

Windows Agent 3.1.2

This release adds the following new features and enhancements:

• Signed Agent binary: Windows Agent binaries are now cryptographically signed by Fortinet.

• Ability to specify host name: The user can specify a host name during Windows Agent installation. The Agent will register to the Supervisor with that host name. CMDB will show that host name.

• Virtual Collector Support: Agents can send events to a Virtual Collector (such as an F5 Load balancer) located between Agents and Collectors. Virtual Collectors can be defined in the Agent definition on the Supervisor.

• Agent fails to install if there is a file or folder named Program under C:\.

Windows Agent 3.1.0

This release contains the following Windows Agent specific enhancements, in addition to the ability to work without Agent Manager functionality described earlier.

• Support for Windows Event Forwarding: Windows can forward logs using Windows mechanisms to a Central Windows Server. A FortiSIEM agent on the central server can then bring all the events from the various windows servers to FortiSIEM. This is an alternative to running FortiSIEM agent on every Windows server. The disadvantage of this approach is that Windows (Security, application and system) event logs can be collected in this way, while FortiSIEM agent can collect other information such as FIM, Custom log, Sysmon etc. This release is able to parse the forwarded Windows events so that actual reporting Windows server is captured and all the attributes are parsed as sent by native agents.

• Support of Windows FIPS enabled mode: In earlier releases, the agent did not work properly if FIPS mode was turned on. This issue is addressed in this release.

• File hash for File Integrity Monitoring computed using SHA256: The file hash value for file/folder monitoring is now reported using SHA256 algorithm instead of MD5. This enables direct match with external threat intelligence malware file hashes.