Configuring Windows Agent

Before proceeding, follow the instructions in the Windows Agent Installation Guide to complete these steps:

  1. Install the Windows Agent using the correct installation file.
  2. Make sure the Agent appears in the CMDB page of the FortiSIEM GUI, using the host name defined in the installation file.
  3. Configure the Windows Server to generate the types of logs of interest (see Microsoft Windows Servers via Agent in the External Systems Configuration Guide).

To receive logs from Windows Agent, you must complete the following steps:

  1. Define Windows Agent Monitor Templates
  2. Associate Windows Agents to Templates

Once these steps are completed, the Supervisor node will distribute monitoring policies to the Agents and you will be able to see events in FortiSIEM.

Note: Sample Windows Agent logs can be found in the Appendix.

Define the Windows Agent Monitor Templates

A Windows Monitoring Template consists of:

  • Log Settings: Windows Event Logs and Log Files
  • Change Settings: File Integrity Monitoring, Registry Changes, Installed Software Changes, Removable media
  • Script Settings: WMI Classes and PowerShell Scripts

Complete these steps to add a Windows Agent Monitor Template:

  1. Go to ADMIN > Setup > Windows Agent tab.
  2. Click New under the section Windows Agent Monitor Templates.
  3. In the Windows Agent Monitor Template dialog box, enter the information under each tab with reference to the tables below.

    1. Configure the Generic settings with reference to the table below:

      Generic settings and guidelines:

      Name: Enter the name of the Windows Agent Monitor Template. This name is used as a reference in Template associations.
      Note: The template name cannot contain a space (" ") character.
      Description: Enter a description of the Windows Agent Monitor Template.
    2. Configure the Monitor settings for Windows Agent using the table below. When done, click Save.

      Monitor settings and guidelines:

      Discover: To configure Discover settings, click the Discover checkbox to enable Windows Agent discovery. In the Hour(s) field, enter the frequency (in number of hours) at which discovery will be done.

      Monitor: To configure Monitor settings, click the appropriate Monitor checkboxes to enable specific performance monitoring of Windows Agents.

      • Uptime - Select to monitor uptime of Windows Agent.
      • CPU - Select to monitor CPU utilization.
      • Memory - Select to monitor memory utilization.
      • Disk - Select to monitor disk utilization.
      • Network - Select to monitor network utilization.
      • Running Applications - Select to monitor running applications.

      In the time field, enter a numeric value for the monitoring frequency. The drop-down time field allows you to choose the frequency in Hour(s) or Minute(s).
    3. Configure the Event settings with reference to the table below. Make sure you have completed these steps from the Windows Agent Installation Guide.

      Event settings and guidelines:

      Event Log: To configure Event Log settings:

      1. Select the Type of log from the drop-down:
        • Application — Events that are logged by Windows applications. Select All, Exchange Server or SQL Server as Source.
        • Security — Log that contains records of login/logout activity or other security-related events specified by the system's audit policy.
        • System — Events that are logged by the operating system components.
        • DFS — Logs to identify the users who accessed the Distributed File System.
        • DNS — DNS Debug logs and Name Resolution Activity logs.
        • Hardware Events — Events related to hardware.
        • Key Management Service — Events related to creation and control of keys used to encrypt your data.
        • Setup — Log files for all actions that occur during installation.
        • Windows PowerShell — Logs related to Windows PowerShell.
        • Other — Any other log type (specify the name under the Event Name setting).
      2. Enter the events to be included under Include Event and the ones to exclude under Exclude Event, entering each event ID followed by a semicolon as a separator.
    4. Select UEBA to turn on UEBA functionality for all hosts running Windows 4.0 or later that are permitted by the UEBA license. For example, if you have 10 UEBA licenses and you apply the template to 100 hosts, the system will apply the UEBA license to 10 random hosts. You can turn UEBA on or off per host via CMDB.
    5. Configure the User Log settings with reference to the table below:

      User Log settings and guidelines:

      User Log: Click New to add the custom log files that must be monitored:

      • Full File Name—(Required) Enter the full file name (including path).
        Note: Windows System variables are also supported as part of this path. For example, %WINDIR% can be placed as part of the file path. The agent will then expand this property when evaluating the template, and use the correct path. For the full list of supported system variables, see Appendix - Windows Agent System Variables.
      • Log Prefix—(Required) Any prefix used to identify events from this file for better accessibility.

      Example:

      The contents of the file C:\test\test.txt need to be brought into FortiSIEM for analysis. The log prefix FSMAGENT was chosen. To configure the Windows Agent template in FortiSIEM, from the User Log tab, you would take the following steps.

      In the Full File Name field, you would enter "C:\test\test.txt".

      In the Log Prefix field, you would enter "FSMAGENT".

      Suppose the contents of the file C:\test\test.txt look like this:

      User adds a comment
      User adds a comment 1
      User adds a comment 2

      The FortiSIEM agent will send each line as a separate event:
      2024-06-26T19:09:54Z GFU-WIN2016-126.gfu.com 172.30.56.126 AccelOps-WUA-UserFile-FSMAGENT [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="967fcbac-7d74-445f-99de-c5a1f0acf59d" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [fileName]="C:\\test\\test.txt" [msg]="User adds a comment"
       
      2024-06-26T19:10:16Z GFU-WIN2016-126.gfu.com 172.30.56.126 AccelOps-WUA-UserFile-FSMAGENT [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="967fcbac-7d74-445f-99de-c5a1f0acf59d" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [fileName]="C:\\test\\test.txt" [msg]="User adds a comment 1"
       
      2024-06-26T19:10:34Z GFU-WIN2016-126.gfu.com 172.30.56.126 AccelOps-WUA-UserFile-FSMAGENT [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="967fcbac-7d74-445f-99de-c5a1f0acf59d" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [fileName]="C:\\test\\test.txt" [msg]="User adds a comment 2"

      The event type will be AO-WUA-UserFile-FSMAGENT.

    6. Configure the FIM settings with reference to the table below. Make sure you have completed these steps from Microsoft Windows Server via Agent in the External Systems Configuration Guide.

      FIM settings and guidelines:

      FIM: To include the file directory details:

      1. Click New to add the file directory details:
        • File/Directory— Enter the full path of the file or directory.
        • Include Subfolder(s) — Select if you must include the directory sub-folders.
        • Exclude Subfolder(s) — Enter any sub-folders to exclude, if any.
        • Include File Type — Enter the file types to include, separated by a semicolon.
        • Exclude File Type — Enter the file types to exclude, if any, separated by a semicolon.
        • On Modify:
          • Push Files—Select this if you want Windows Agent to push files to FortiSIEM whenever there is a change. File/Directory must specify a specific file and not a directory. Also, the absolute file name, including the path, must be specified. For example C:\temp\fileToBeMonitored.txt. The files are stored in SVN and are accessible from the Supervisor. These files are displayed in CMDB > Device > File. Send only important files, as this can fill up disk space.
            Note: Windows System variables are also supported as part of this path. For example, %WINDIR% can be placed as part of the file path. The agent will then expand this property when evaluating the template, and use the correct path. For the full list of supported system variables, see Appendix - Windows Agent System Variables.
          • Compare Baseline—Select this if you want to be alerted when the file changes from a baseline. File/Directory must specify a specific file and not a directory. Also, the absolute file name, including the path, must be specified. For example C:\temp\fileToBeMonitored.txt. This is common for configuration files that rarely change. If you choose this option, you will be asked to provide a copy of the baseline file. Click Choose File and upload the file from your workstation. The Supervisor will compute the MD5 checksum and distribute the checksum to the agents for comparison.
      2. Click Save.
        Use the Edit/Delete buttons to modify/remove any file directory information.
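      The following is an added example, not FortiSIEM's own code, that models the FIM entry semantics described above: which files fall under a File/Directory entry once Include Subfolder(s), Exclude Subfolder(s), Include File Type and Exclude File Type are applied, and how a Compare Baseline check works (the Supervisor computes an MD5 checksum of the uploaded baseline, the agent compares against it). The page does not document the agent's exact matching rules, so the rules below (case-insensitive extension match, an excluded sub-folder name matched against any path component) and all sample paths are assumptions for the demonstration.

```python
"""Added example: FIM template scope and baseline comparison (not FortiSIEM code).
Matching rules and sample data are assumptions for the demonstration."""
import hashlib
import ntpath
from dataclasses import dataclass


@dataclass
class FimEntry:
    path: str                      # File/Directory setting, e.g. C:\inetpub\wwwroot
    include_subfolders: bool = False
    exclude_subfolders: str = ""   # semicolon-separated folder names
    include_file_types: str = ""   # semicolon-separated, e.g. "config;aspx"
    exclude_file_types: str = ""   # semicolon-separated


def _split(setting: str) -> set:
    """Parse a semicolon-separated template field into a lowercase set."""
    return {s.strip().lower().lstrip(".") for s in setting.split(";") if s.strip()}


def in_scope(entry: FimEntry, file_path: str) -> bool:
    """Return True if file_path would be monitored under the template entry.
    ntpath handles Windows paths regardless of the platform this runs on."""
    root = ntpath.normcase(entry.path).rstrip("\\")
    norm = ntpath.normcase(file_path)
    if not norm.startswith(root + "\\"):
        return False                      # outside the File/Directory root
    parts = norm[len(root) + 1:].split("\\")
    sub_dirs, name = parts[:-1], parts[-1]
    if sub_dirs and not entry.include_subfolders:
        return False                      # Include Subfolder(s) not selected
    if any(d in _split(entry.exclude_subfolders) for d in sub_dirs):
        return False                      # Exclude Subfolder(s)
    ext = ntpath.splitext(name)[1].lstrip(".").lower()
    include = _split(entry.include_file_types)
    if include and ext not in include:
        return False                      # Include File Type
    if ext in _split(entry.exclude_file_types):
        return False                      # Exclude File Type
    return True


def baseline_checksum(data: bytes) -> str:
    """Supervisor side: MD5 of the uploaded baseline file, as the page states."""
    return hashlib.md5(data).hexdigest()


def differs_from_baseline(current: bytes, baseline_md5: str) -> bool:
    """Agent side: alert when the monitored file's MD5 no longer matches the
    checksum the Supervisor distributed."""
    return hashlib.md5(current).hexdigest() != baseline_md5


# Constructed sample entry and baseline content for the demonstration.
ENTRY = FimEntry(r"C:\inetpub\wwwroot", include_subfolders=True,
                 exclude_subfolders="logs;tmp", include_file_types="config;aspx")
BASELINE = b"<configuration>\n  <system.web/>\n</configuration>\n"

if __name__ == "__main__":
    for p in (r"C:\inetpub\wwwroot\web.config", r"C:\inetpub\wwwroot\logs\web.config",
              r"C:\inetpub\wwwroot\index.html"):
        print(p, "monitored" if in_scope(ENTRY, p) else "skipped")
    md5 = baseline_checksum(BASELINE)
    print("tampered:", differs_from_baseline(BASELINE + b"<!-- edit -->", md5))
```

      MD5 is used here only because the page states that is what the Supervisor distributes; if you build your own baseline tooling outside FortiSIEM, a SHA-256 digest is the better default.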

       

    7. Configure the Change settings with reference to the table below:

      Change settings and guidelines:

      Registry Change: Select the required key(s) to monitor:

      • HKEY_CLASSES_ROOT—key that contains file extension association information, as well as programmatic identifier, Class ID, and Interface ID data.
      • HKEY_CURRENT_USER—key that contains configuration information for Windows and software specific to the currently logged-in user.
      • HKEY_LOCAL_MACHINE—hive that contains the majority of the configuration information for the software you have installed, as well as for the Windows Operating System.
      • HKEY_USERS—key that contains user-specific configuration information for all currently active users on the computer.
      • HKEY_CURRENT_CONFIG—key that acts as a shortcut to a registry key which keeps information about the hardware profile currently in use.

      Check Every: Set the time period between Registry Change checks, in Minute(s) or Hour(s).
      Installed Software Change: Select to enable monitoring of any installed software change.
      Removable Drive: Select the removable drive(s) to track:

      • USB drive(s)
      • CD-DVD drive(s)

    Configure the Script settings with reference to the table below:

       

      Script settings and guidelines:

      WMI Classes: To include a WMI Class:

      1. Click New to add a new WMI Class. Select the Name, WMI Class, and Attributes from the drop-down lists (use ';' as the separator).
      2. Set the time period to monitor in Minute(s) or Hour(s) under the Check Every setting.

      Use the Edit/Delete buttons to modify/remove any WMI Classes.

      PowerShell Script: To include a PowerShell Script, click New to add a new PowerShell Script and enter the Name and Script.

      Use the Edit/Delete buttons to modify/remove any PowerShell Script.

    8. Configure the Certificate Monitoring settings with reference to the table below for each Certificate Folder:

      Certificate Monitoring settings and guidelines:

      Store Name: Select the following to monitor:

      • Add - Event generated when a certificate is added to the store.
      • Delete - Event generated when a certificate is removed from the store.
      • Expired (Days) - From the drop-down list, select the number of days to receive notification when a certificate has expired.
      • Expiry (Days) - From the drop-down list, select the number of days before expiry at which to receive notification that a certificate is about to expire.

    9. Configure the Osquery settings with reference to the table below:

      Osquery settings and guidelines:

      osquery: From the osquery drop-down list, select the osquery template to include in the Windows Agent Monitor Template. Click + to add a new entry and select the osquery template to use. Click - to remove an existing entry.

  4. Click Save.
    Use the Edit button to modify any template or Delete button to remove any Windows Agent Monitor template.

Associate Windows Agents to Templates

After defining the monitoring templates, you must associate hosts to templates. To scale to a large number of hosts, this is done via Policies. A Policy is a mapping from Organization and Host to Templates and Collectors. Policies are evaluated in order (lower order or rank is higher priority) and the policy that matches first is selected. Therefore, define the exceptions first followed by broad policies. Hosts are defined in terms of CMDB Device Groups or Business Services. Multiple templates can be used in one Policy and the system detects conflicts, if any.
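The following is an added example, not FortiSIEM's own code, that models the policy evaluation described above: each policy maps an Organization and a set of Hosts (CMDB Device Groups or Business Services) to Templates and Collectors, policies are evaluated in ascending rank order, and the first match wins. It also shows the failure mode the paragraph warns about: if the broad policy is ranked above the exception, the exception never matches. Host names, group names, template names and ranks are constructed for the demonstration, and the "*" catch-all notation is an assumption of this model.

```python
"""Added example: rank-ordered Host To Template Association evaluation
(not FortiSIEM code). Names, groups and the '*' catch-all are assumptions."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    org: str
    groups: frozenset  # CMDB Device Groups / Business Services the host belongs to


@dataclass(frozen=True)
class Policy:
    rank: int              # lower rank = higher priority
    name: str
    org: str
    host_groups: frozenset  # "*" stands for every host of the organization
    templates: tuple
    collectors: tuple


def matches(policy: Policy, host: Host) -> bool:
    if policy.org != host.org:
        return False
    return "*" in policy.host_groups or bool(policy.host_groups & host.groups)


def select_policy(host: Host, policies) -> Optional[Policy]:
    """First match in ascending rank order. None means no Collector/Template is
    defined for the host, which leaves the agent in Running Inactive."""
    for policy in sorted(policies, key=lambda p: p.rank):
        if matches(policy, host):
            return policy
    return None


def shadowed_policies(policies) -> list:
    """Pre-flight check: names of policies that can never match because a
    lower-ranked catch-all policy of the same organization precedes them."""
    out = []
    by_rank = sorted(policies, key=lambda p: p.rank)
    for i, p in enumerate(by_rank):
        if any(e.org == p.org and "*" in e.host_groups for e in by_rank[:i]):
            out.append(p.name)
    return out


# Constructed sample policies: the exception (domain controllers get the
# security and FIM templates) is ranked first, the broad policy second.
DC_POLICY = Policy(1, "DC-Exception", "org1", frozenset({"Domain Controllers"}),
                   ("DC-Security-Template", "FIM-Template"), ("collector-a",))
BROAD_POLICY = Policy(2, "All-Windows", "org1", frozenset({"*"}),
                      ("Basic-Template",), ("collector-a", "collector-b"))
POLICIES = [DC_POLICY, BROAD_POLICY]

# The same policies with the ranks reversed: the broad policy now shadows
# the exception, so domain controllers silently get only the basic template.
BAD_ORDER = [replace(DC_POLICY, rank=2), replace(BROAD_POLICY, rank=1)]

DC_HOST = Host("dc01", "org1", frozenset({"Domain Controllers", "Windows Servers"}))
WEB_HOST = Host("web01", "org1", frozenset({"Windows Servers"}))
OTHER_HOST = Host("lin01", "org2", frozenset({"Linux Servers"}))

if __name__ == "__main__":
    for order in (POLICIES, BAD_ORDER):
        chosen = select_policy(DC_HOST, order)
        print(DC_HOST.name, "->", chosen.name, chosen.templates)
        print("shadowed:", shadowed_policies(order))
```

Run the shadow check whenever you add or re-rank an association: a non-empty result means a host class you meant to treat as an exception is being served by the catch-all instead.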

Complete these steps to associate a Host to Template:

  1. Click New under the section Host To Template Associations.
  2. In the Host To Template Associations dialog box, enter the information below.

    Settings and guidelines:

    Name: Name of the Host to Template Association.
    Organization: Select the organization.
    Host: Use the drop-down list to browse the folders and select the Devices and/or Business Services to monitor, then click Save.
    Template: Select one or more monitoring templates from the list, or select All Templates to include all. You can also use the search bar to find a specific template.
    Collector: Select the Collector from the list, or select All Collectors to include all. Agents forward events to Collectors via HTTP(S). A Collector is chosen at random and, if that Collector is not available or non-responsive, another Collector in the list is chosen.

  3. Click Save and Apply.
    A Rank is automatically assigned to the association.

You can use the Edit button to modify or Delete button to remove any template association.

Viewing Agent Status

Complete these steps to view the Windows Agent status for any specific device:

  1. Go to CMDB > Devices and select the device.

    The following fields display the information related to the Agent:
    • Agent Status: status of the Agent on the device
    • Agent Policy: agent policy name
    • Monitor Status: status of monitoring

    The Agent Status indicates the following:

    Status and description:

    Registered: Agent has completed registration but has not received the monitoring template.
    Running Active: Agent has received a monitoring template and is performing properly.
    Running Inactive: Agent is running but does not have a monitoring template. The reasons can be (a) no license or (b) incomplete definition: no Collector or Template is defined for that host.
    Stopped: Agent is stopped on the Linux Server.
    Disconnected: Supervisor did not receive any status from the Agent for the last 10 minutes.

Enabling or Disabling an Agent

Complete these steps to enable or disable Agent for a specific device:

  1. Go to CMDB > Devices and select the required device.
  2. Select the Action drop-down menu and click Enable Agent to enable or Disable Agent to disable Agent monitoring for the selected device.

Viewing Files in FortiSIEM

If the FortiSIEM Agent is running on a Server and a FIM policy is enabled with Push Files On Modify, then the FortiSIEM Agent will send the files to FortiSIEM when a change is detected. FortiSIEM stores the files in SVN on the Supervisor.

  1. Go to the CMDB page. Make sure that AGENT is one of the Methods.
  2. Search for the device in CMDB by name.

    Use the host name that you used in the InstallSettings.xml file to install the Windows Agent.

  3. Click File beneath the device table.

    You will see all of the files that were changed since the monitoring template was applied.

  4. Select a file.

    If you need to search for a file, set the From and To dates. The files which changed between those dates will be displayed.

  5. Click the file name on the left and its contents will be displayed in the right hand window.

    Each file has a header containing file meta data followed by the actual file content.

    • FILEPATH: The full file name, including the path.

    • ARCHIVE: Set to true if ArchiveBit is set; set to false if it is not.

    • HASHCODE: The file hash.

    • HASHALGO: The algorithm used to compute file hash.

    • OWNER: The file owner.

    • USER, PERMIT, DENY: Permissions are specified as a (User, Permit, Deny) triple. This describes the actions that the user is allowed to perform.

    • MODIFIED_TIME: The time when the file was last modified.

  6. To see the differences between two files, select two files on left and click Diff.

Verifying Events in FortiSIEM

Follow the steps below to verify the events in FortiSIEM:

  1. Go to ANALYTICS tab.
  2. Click the Filters field.
  3. Create the following condition: Attribute = Raw Event Log, Operator = CONTAIN, Value = AccelOps-WUA, and click Save & Run.
    Note: All event types for all Windows Server generated logs are prefixed by AccelOps-WUA.
  4. Select the following Group By:
    1. Reporting Device Name
    2. Reporting IP
  5. Select the following Display Fields:
    1. Reporting Device Name
    2. Reporting IP
    3. COUNT(Matched Events)
  6. Run the query for the last 15 minutes.
    The query will return all hosts that reported events in the last 15 minutes.
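The following is an added example, not FortiSIEM's own parser or query engine, that ties this verification query back to the User Log events shown earlier: it parses raw AccelOps-WUA events of the form in the User Log example into header fields and [key]="value" attributes, derives the AO-WUA-UserFile-<prefix> event type from a Log Prefix as the page states, and then reproduces the ANALYTICS query (Raw Event Log CONTAIN "AccelOps-WUA", grouped by Reporting Device Name and Reporting IP with COUNT(Matched Events)) over constructed sample lines. The second host and the unrelated syslog line are constructed; attribute values are kept exactly as they appear in the raw event, backslashes included.

```python
"""Added example: parse AccelOps-WUA agent events and reproduce the
'hosts that reported' query (not FortiSIEM code). Sample lines are constructed."""
import re
from collections import Counter

# <timestamp> <reporting device name> <reporting ip> <event name> <attributes>
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<ip>\S+)\s+(?P<type>\S+)\s*(?P<attrs>.*)$")
ATTR_RE = re.compile(r'\[(?P<key>[^\]]+)\]="(?P<value>[^"]*)"')


def parse_event(line: str) -> dict:
    """Split one raw event into header fields plus its [key]="value" attributes.
    Values are not unescaped: the raw event is kept as-is."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a FortiSIEM agent event: " + line[:40])
    event = {k: m.group(k) for k in ("ts", "device", "ip", "type")}
    event["attrs"] = {a.group("key"): a.group("value")
                      for a in ATTR_RE.finditer(m.group("attrs"))}
    return event


def user_file_event_type(log_prefix: str) -> str:
    """Event type FortiSIEM assigns to User Log events for a given Log Prefix."""
    return "AO-WUA-UserFile-" + log_prefix


def reporting_hosts(lines, contains: str = "AccelOps-WUA") -> dict:
    """Equivalent of the ANALYTICS query above: keep raw events that contain the
    given text and count them per (Reporting Device Name, Reporting IP)."""
    counts = Counter()
    for line in lines:
        if contains not in line:
            continue
        ev = parse_event(line)
        counts[(ev["device"], ev["ip"])] += 1
    return dict(counts)


# Constructed sample: two lines modelled on the page's example, one line from a
# second (made-up) host, and one unrelated syslog line the filter must drop.
SAMPLE_LINES = [
    r'2024-06-26T19:09:54Z GFU-WIN2016-126.gfu.com 172.30.56.126 AccelOps-WUA-UserFile-FSMAGENT [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="967fcbac-7d74-445f-99de-c5a1f0acf59d" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [fileName]="C:\\test\\test.txt" [msg]="User adds a comment"',
    r'2024-06-26T19:10:16Z GFU-WIN2016-126.gfu.com 172.30.56.126 AccelOps-WUA-UserFile-FSMAGENT [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="967fcbac-7d74-445f-99de-c5a1f0acf59d" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [fileName]="C:\\test\\test.txt" [msg]="User adds a comment 1"',
    r'2024-06-26T19:10:40Z WIN-SRV-02.example.test 10.0.0.7 AccelOps-WUA-UserFile-FSMAGENT [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [fileName]="C:\\test\\test.txt" [msg]="constructed line from a second host"',
    r'2024-06-26T19:11:00Z fw01.example.test 10.0.0.1 Syslog [msg]="interface up"',
]

if __name__ == "__main__":
    for (device, ip), n in reporting_hosts(SAMPLE_LINES).items():
        print(f"{device:28} {ip:15} COUNT(Matched Events)={n}")
```

The COUNT per host is what tells you an agent is actually delivering: a host present in CMDB with Agent Status Running Active but absent from this result for the last 15 minutes is the first thing to check.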

Service Level Protection Properties

When Windows Agent is running, the FSMLogAgent is shown as part of your services on your Windows machine. The ability to Start, Stop, Pause, or Resume this service is disabled. This is intentional, to provide service level protection.

Auto Restart Service Behavior

In the event of a Windows Agent crash, Windows Agent will automatically restart itself after 60 seconds have passed.

Configuring Debug Trace Logging without Agent Service Restart

To enable or disable debug trace logging, you need to modify the LogLevel entry in the Registry Editor. Take the following steps:

  1. Using the Registry Editor (Regedit), navigate to HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent.
  2. Select LogLevel to edit.
    • Select Decimal for Base and change Value data to 2 to enable trace logging. Both "DBGTRACE" and "TRACE" information will be logged.
    • Select Decimal for Base and change Value data to 1 to enable debug logging. Only "DBGTRACE" information will be logged.

    Note: It will take about 2-3 minutes for your change to take effect.

Go to your log folder, typically C:\ProgramData\AccelOps\Agent\Logs, and examine your FSMLogAgent.log file with any text editor.

Configuring the Agent Database Size

The default size of the Agent Database is 1 GB. If you wish to change this, you need to modify the MaxDBSizeInMB entry in the Registry Editor. Take the following steps:

  1. Using the Registry Editor (Regedit), navigate to HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent.
  2. Select MaxDBSizeInMB to edit.
  3. Select Decimal for Base and change Value data to the number of MB you wish to apply as the maximum capacity.

Agent Troubleshooting Notes

A Windows Agent can be in following states (shown in CMDB):

  • Registered
  • Running Inactive
  • Running Active
  • Disabled
  • Disconnected

When an Agent is installed and registered, it is in the Registered state. The following audit event is generated: PH_AUDIT_AGENT_INSTALLED.

When a monitoring template is assigned to the device, the state moves to Running Inactive. When the agent receives the template and starts monitoring, the state moves to Running Active. In both cases, the following audit event is generated: PH_AUDIT_AGENT_RUNNING.

The Agent periodically sends heartbeat messages. When a heartbeat is not received for 10 minutes, the state moves to Disconnected and the audit event PH_AUDIT_AGENT_NOTRESPONDING is generated. Status is checked every 1 hour. At that time, if the Agent was heard from in the last 15 minutes, the state moves back to Running Inactive and a PH_AUDIT_AGENT_RUNNING audit event is generated.

If the Agent is disabled from the GUI, the state moves to Disabled and a PH_AUDIT_AGENT_DISABLED audit event is generated.

If the Agent is uninstalled or the service is stopped, the state moves to Disconnected and the audit event PH_AUDIT_AGENT_NOTRESPONDING is generated.

Audit events are generated at state transitions; however, the event PH_AUDIT_AGENT_NOTRESPONDING is generated every hour to identify all agents that are currently disconnected. A nested query can be run to detect Agents that did not report in the last N hours. Note that PH_AUDIT events must be queried with System Event Category = 2. Rules do not need this condition.
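The following is an added example, not FortiSIEM's own code, that models the state rules in these notes (the 10-minute heartbeat threshold, the hourly status check with its 15-minute rule, and the hourly re-emission of PH_AUDIT_AGENT_NOTRESPONDING) and then implements the "agents that did not report in the last N hours" check the last paragraph describes: an agent is reported when it is still disconnected (a NOTRESPONDING event within the last hour) and no PH_AUDIT_AGENT_RUNNING has occurred since the disconnection began N or more hours ago, which is the outer/inner split a nested ANALYTICS query would use. The one-line audit-event format, the agent names and the timestamps are constructed for the demonstration; in a real query the System Event Category = 2 condition from the text still applies.

```python
"""Added example: Windows Agent state transitions and a 'silent for N hours'
check over audit events (not FortiSIEM code). Line format and data are constructed."""
from datetime import datetime, timedelta, timezone

DISCONNECT_AFTER = timedelta(minutes=10)   # no heartbeat for 10 minutes
HEARD_RECENTLY = timedelta(minutes=15)     # hourly check: heard in the last 15 minutes
NOTRESPONDING = "PH_AUDIT_AGENT_NOTRESPONDING"
RUNNING = "PH_AUDIT_AGENT_RUNNING"


def heartbeat_check(state, last_heartbeat, now):
    """Heartbeat timeout. Returns (new_state, audit_event). Disabled agents are
    left alone; a silent agent becomes Disconnected, and NOTRESPONDING is
    emitted again on every later check while it stays disconnected."""
    if state == "Disabled":
        return state, None
    if last_heartbeat is None or now - last_heartbeat > DISCONNECT_AFTER:
        return "Disconnected", NOTRESPONDING
    return state, None


def hourly_status_check(state, last_heartbeat, now):
    """The hourly check: a Disconnected agent heard from in the last 15 minutes
    moves back to Running Inactive with a RUNNING audit event."""
    if (state == "Disconnected" and last_heartbeat is not None
            and now - last_heartbeat <= HEARD_RECENTLY):
        return "Running Inactive", RUNNING
    return heartbeat_check(state, last_heartbeat, now)


def parse_audit(line):
    """Constructed audit-event line format for the demo: '<ISO time> <agent> <event>'."""
    ts, agent, event = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), agent, event


def silent_agents(lines, now, hours):
    """Agents that have not reported for at least `hours` hours: currently
    disconnected (NOTRESPONDING within the last hour) and no RUNNING event
    since their first NOTRESPONDING, which is at least `hours` old."""
    first_down, last_down = {}, {}
    for ts, agent, event in sorted(parse_audit(l) for l in lines):
        if event == RUNNING:
            first_down.pop(agent, None)          # agent came back; reset
        elif event == NOTRESPONDING:
            first_down.setdefault(agent, ts)     # start of the outage
            last_down[agent] = ts                # most recent hourly re-emission
    result = []
    for agent, since in first_down.items():
        still_down = now - last_down[agent] <= timedelta(hours=1)
        if still_down and now - since >= timedelta(hours=hours):
            result.append(agent)
    return sorted(result)


# Constructed sample: win-a disconnected since 06:00 and still down, win-b
# disconnected for two hours then back (RUNNING), win-c down since 05:00.
NOW = datetime(2024, 6, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE_AUDIT = (
    [f"2024-06-27T{h:02d}:00:00Z win-a {NOTRESPONDING}" for h in range(6, 12)]
    + [f"2024-06-27T10:00:00Z win-b {NOTRESPONDING}",
       f"2024-06-27T11:00:00Z win-b {NOTRESPONDING}",
       f"2024-06-27T11:30:00Z win-b {RUNNING}",
       f"2024-06-27T05:00:00Z win-c {NOTRESPONDING}",
       f"2024-06-27T11:15:00Z win-c {NOTRESPONDING}"]
)

if __name__ == "__main__":
    for n in (4, 6, 7, 8):
        print(f"silent >= {n}h:", silent_agents(SAMPLE_AUDIT, NOW, n))
```

The "still down" condition matters: without it, an agent that was disconnected yesterday and recovered would keep appearing, because its old NOTRESPONDING events remain in the event store.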