Configuring FortiSIEM Windows Agents
This section describes how to setup FortiSIEM Windows Agent and Agent Manager as part of FortiSIEM infrastructure.
Configure FortiSIEM Supervisor
Register Windows Agent Manager to FortiSIEM Supervisor
Configure Windows Agent Manager
License and Template Assignments in Agent Manager via Export/Import Verify Events in FortiSIEM
Sample logs generated by FortiSIEM Windows Agents
Windows System logs
Windows Application logs
Windows Security logs
Windows DNS logs
Windows DHCP logs
Windows IIS logs
Windows DFS logs
Windows file content monitoring logs
Windows File integrity monitoring logs
Windows Installed Software logs
Windows Registry change logs
Windows WMI logs
Windows Powershell logs
Procedure
Configure FortiSIEM Supervisor
- Go to Admin > License Management and make sure that there are entries for Basic and Advanced Windows Agents.
- Go to Admin > Setup Wizard and add Agent Managers
- Click on Windows Agents tab
- Click Add and enter information for an Windows Agent Manager. This information will be used by the Agent Manager to register to FortiSIEM
- Enter Agent Manager Name
- Enter the number of Basic Agents and Advanced Agents assigned to this Agent Manager
- Enter the Start Time and End Time for license validity
- Choose Event Upload Destination – this is where the Agent Manager will upload events to.
- Select the Organization (Super for Enterprise version and Specific Organization for the Service Provider version)
- Select one or more Collectors belonging to the selected organization v. Click OK to Save
Register Windows Agent Manager to FortiSIEM Supervisor
- Log on to Windows Agent Manager
- Launch FortiSIEM Windows Agent Manager application
- Log on to the FortiSIEM Windows Agent Manager application using User ID and Password created during setup
- Register the Windows Agent Manager to FortiSIEM
- Enter Supervisor IP/Host
- Enter Agent Manager Name – this is defined in Step 2.b.i in Configure FortiSIEM Supervisor step
- Enter Organization Name – this is defined in Step 2.b.iv in Configure FortiSIEM Supervisor step
- Enter Organization User and Organization Password as the Organizations credentials defined when the Organization was created in Admin > Setup wizard.
- Click Register. If registration is successful, then Windows Agent Manager Dashboard page is displayed. All the installed agents show up in this page with Current Status as Running.
Configure Windows Agent Manager
Collectors. Agents send events to any collector they choose. If a particular collector is not responsive, Agent will send to other available collectors. Before Release 2.1, Agents sent events to Collector(s) via Windows Agent Manager.
- Go to Dashboard and make sure that it displays all Windows Servers with FortiSIEM agents installed.
- Create a Monitoring Template
- Go to Template Settings. Click on + to expand the options.
- Click Create Template.
- Enter a template name and description. Click Settings. ii. Specify options for each monitoring category
| Category |
Description |
Settings |
| File/Folder
Changes |
Monitor access and change to files and folders |
Click New.
Enter the full path of File/Folder to be modified
Select Include Subfolder(s) if the folders under the main directory needs to be monitored.
Narrow down the scope by either specify Include or Exclude files The chosen files/directories will be displayed
(Note: To get User information, you have do some special configuration in Windows Agents as defined in Step 2 of Pre-requisites in Installing FortiSIEM Windows Agent) |
| Registry
Changes |
Monitor changes to the root keys of Windows Registry hive |
Select the root keys (available keys are HK_CLASSES_ROOT, HKEY_CUR
RENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRE
NT_CONFIG)
Set the time interval for how often the Agent will check for change. More CPU will be used for shorter time intervals |
| Installed
Software |
Monitor software install / uninstall on a Windows server |
Select Product Name, Version and Vendor to be included in an event when a change is detected. |
| Logs |
Collect
System/Security/Application logs and specific application
logs |
Check System if you want to collect Windows System logs. Specify include/exclude event ids.
Check Security if you want to collect Windows Security logs. Specify include/exclude event ids.
Check DNS if you want to collect Windows DNS logs. Specify include/exclude event ids.
Check DFS if you want to collect Windows DFS logs. Specify include/exclude event ids.
Check Application if you want to collect Windows Application logs. Specify include/exclude event ids.
Check IIS if you want to collect Windows IIS logs. Specify include/exclude event ids.
Check DHCP if you want to collect Windows DHCP logs. Specify include/exclude event ids.
Check User Logs and specify the file(s) you want to monitored. Any time, the file changes, a log will be generated, |
| WMI
Classes |
Run a WMI command and
collect its output |
Select Category and then select the class
Select WMI Class Attributes
Specify how often the command needs to run
Note: you may need to write a parser in FortiSIEM to get accurate attribute based reporting |
| Powershell
Script |
Run Powershell command and send its output |
Enter a Powershell script
Specify how often the Powershell script needs to run
Note: you may need to write a parser in FortiSIEM to get accurate attribute based reporting |
iii. Click Apply to save the template iv. Click Save
- Associate Windows Computers with proper license and one or more Templates (Starting with release 2.0) and one or more collectors (starting with release 2.1)
- Click Associate License / Templates.
- Click Search to find the list of computers to apply the license/templates to
- Choose Simple or Advanced
- For Simple mode
- Select the field to Search in. Possible choices are Computer, OS, License Type, Template Name.
- Type in the string to search for in the adjacent edit box.
- Click Find.
- The list of matched computers will be displayed in the area below the Search box.
- Select the Computers to which license/templates would be assigned
- Select the header checkbox to select/unselect all
- Individually select/unselect the computers if needed
- For Advanced mode
- For searching by computer names, type the search text next to Computer.
- For searching by OS names, type the search text next to OS.
- For searching by License Types, select the desired license type from the drop down 4. For searching by Template Names, do one of the following.
- For exact template name matches, set Templates to ‘Specified from‘ and select one or more templates from the next drop down and select the operator: AND or OR
- For searching template names, set Templates to ‘Specified in‘ and type the search string
- Click Find.
- The list of matched computers will be displayed in the area below the Search boxSelect a Template for a Computer.
- Select the Computers to which license/templates would be assigned
- Select the header checkbox to select/unselect all
- Individually select/unselect the computers if needed
- Make sure the list of computers in view are correct for the license/template assignment and are checked. d. Click Assign
- License Assignment
Select License Type: Basic or Advanced or None
Click Assign
- Template Assignment
Select Template(s) from drop down list
Click Validate
Click Assign. The display would reflect the assignment.
Click Unassign to remove the template from the computer. The display would reflect the modification.
Select Collector and then choose a set of Collectors from the drop down
Click Associate to assign the collectors to the Computers. The display would reflect the assignment.
Click Dissociate to remove the template from the computer. The display would reflect the modification. Click Associate remaining to assign the remaining collectors to the Computers e. Click Close
License and Template Assignments in Agent Manager via Export/Import
- Logon to Agent Manager
- Go to Dashboard and make sure that the Agents are showing up
- Click Export – a list of Agents Computer name, Assigned license and Assigned template will be exported to a CSV formatted file named ‘ExportedAgentAssociation.csv’ in the directory ProgramData|AccelOps|
- Edit the CSV file to associate the right license type and monitoring template to each computer. Do not add any new computer or edit computer. Every computer known to the Agent Manager will be present in the csv file.
- Click Import and put the CSV file in the Open file Dialog
- Once Import finishes, a dialog will tell you the number of records processed and successfully updated.
- Click Assign Licenses to Computers to see the License assignments
- Click Associate Computers with Templates to see Template assignments
- Any warnings during import operations will be recorded in <CSVFilename>-<Date>-<Time>.log file in the directory ProgramData |AccelOps|
Verify Events in FortiSIEM
- Log on to FortiSIEM
- Go to Analytics > Historical Search.
- Select Filter Criteria: Structured
- Create the following condition: Raw Event Log CONTAIN AccelOps-WUA. Click Note that all event types for all Windows Server generated logs are prefixed by AccelOps-WUA.
- Select the following Group By
- Reporting Device Name
- Reporting IP
- Select the following Display Fields:
- Reporting Device Name ii. Reporting IP
iii. COUNT(Matched Events)
- Run the query for last 15 minutes
- The Query will return all hosts that reported events in the last 15 minutes.
- To drill down further, add Event Type to both Group By and Display Fields. Then rerun the query.
Sample logs generated by FortiSIEM Windows Agents
FortiSIEM Windows Agent Manager generates Windows logs in an easy to analyze “attribute=value” style without losing any information.
Windows System logs
#Win-System-Service-Control-Manager-7036
Thu May 07 02:13:42 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo
[monitorStatus]=”Success” [eventName]=”System”
[eventSource]=”Service Control Manager” [eventId]=”7036″
[eventType]=”Information” [domain]=”” [computer]=”WIN-2008-LAW-agent”
[user]=”” [userSID]=”” [userSIDAcctType]=”” [eventTime]=”May 07 2015
10:13:41″ [deviceTime]=”May 07 2015 10:13:41″
[msg]=”The Skype Updater service entered the running state.”
Thu May 07 02:13:48 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo
[monitorStatus]=”Success” [eventName]=”System”
[eventSource]=”Service Control Manager” [eventId]=”7036″
[eventType]=”Information” [domain]=”” [computer]=”WIN-2008-LAW-agent”
[user]=”” [userSID]=”” [userSIDAcctType]=”” [eventTime]=”May 07 2015
10:13:47″ [deviceTime]=”May 07 2015 10:13:47″
[msg]=”The Skype Updater service entered the stopped state.”
Windows Application logs
#Win-App-MSExchangeServiceHost-2001
Thu May 07 03:05:42 2015 WIN-2008-249.ersijiu.com 10.1.2.249
AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”Application”
[eventSource]=”MSExchangeServiceHost” [eventId]=”2001″
[eventType]=”Information” [domain]=”” [computer]=”WIN-2008-249.ersijiu.co
[user]=”” [userSID]=”” [userSIDAcctType]=”” [eventTime]=”May 07 2015
11:05:42″ [deviceTime]=”May 07 2015 11:05:42″
[msg]=”Loading servicelet module
Microsoft.Exchange.OABMaintenanceServicelet.dll”
#MSSQL
#Win-App-MSSQLSERVER-17137
Thu May 07 03:10:16 2015 WIN-2008-249.ersijiu.com 10.1.2.249
AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”Application”
[eventSource]=”MSSQLSERVER” [eventId]=”17137″ [eventType]=”Information”
[domain]=”” [computer]=”WIN-2008-249.ersijiu.com” [user]=””
[userSID]=”” [userSIDAcctType]=”” [eventTime]=”May 07 2015 11:10:16″
[deviceTime]=”May 07 2015 11:10:16″
[msg]=”Starting up database ‘model’.”
Windows Security logs
#Win-Security-4624(Windows logon success)
Thu May 07 02:23:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249
AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”Security”
[eventSource]=”Microsoft-Windows-Security-Auditing” [eventId]=”4624″
[eventType]=”Audit Success” [domain]=””
[computer]=”WIN-2008-249.ersijiu.com” [user]=”” [userSID]=””
[userSIDAcctType]=”” [eventTime]=”May 07 2015 10:23:56″ [deviceTime]=”May 07 2015 10:23:56″ [msg]=”An account was successfully logged on.” [[Subject]][Security ID]=”S-1-0-0″ [Account Name]=”” [Account Domain]=”” [Logon ID]=”0x0″ [Logon Type]=”3″ [[New
Logon]][Security ID]=”S-1-5-21-3459063063-1203930890-2363081030-500″
[Account Name]=”Administrator” [Account Domain]=”ERSIJIU” [Logon
ID]=”0xb9bd3″ [Logon GUID]=”{00000000-0000-0000-0000-000000000000}” [[Process Information]][Process ID]=”0x0″ [Process Name]=”” [[Network
Information]][Workstation Name]=”SP171″ [Source Network
Address]=”10.1.2.171″
[Source Port]=”52409″ [[Detailed Authentication Information]][Logon Process]=”NtLmSsp” [Authentication Package]=”NTLM” [Transited
Services]=””
[Package Name (NTLM only)]=”NTLM V2″ [Key Length]=”128″ [details]=””
Windows DNS logs
#DNS Debug Logs
#AO-WUA-DNS-Started
Thu May 07 02:35:43 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS
[monitorStatus]=”Success”
[msg]=”5/7/2015 10:34:05 AM 20BC EVENT The DNS server has started.”
#AO-WUA-DNS-ZoneDownloadComplete
Thu May 07 02:35:43 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS
[monitorStatus]=”Success” [msg]=”5/7/2015 10:34:05 AM 20BC EVENT The DNS server has finished the background loading of zones. All zones ar now available for DNS updates and zone transfers, as allowed by their individual zone configuration.”
#AO-WUA-DNS-A-Query-Success
Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS
[monitorStatus]=”Success” [msg]=”5/7/2015
10:47:13 AM 5D58 PACKET 0000000002B74600 UDP Rcv 10.1.20.232 0002 Q
[0001 D NOERROR] A (8)testyjyj(4)yjyj(3)com(0)”
Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS
[monitorStatus]=”Success” [msg]=”5/7/2015
10:47:13 AM 5D58 PACKET 0000000002B74600 UDP Snd 10.1.20.232 0002 R
[8085 A DR NOERROR] A (8)testyjyj(4)yjyj(3)com(0)”
#AO-WUA-DNS-PTR-Query-Success
Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS
[monitorStatus]=”Success” [msg]=”5/7/2015
10:47:22 AM 5D58 PACKET 00000000028AB4B0 UDP Rcv 10.1.20.232 0002 Q [0
D NOERROR] PTR
(3)223(3)102(3)102(3)102(7)in-addr(4)arpa(0)”
Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS
[monitorStatus]=”Success” [msg]=”5/7/2015
10:47:22 AM 5D58 PACKET 00000000028AB4B0 UDP Snd 10.1.20.232 0002 R
[8085 A DR NOERROR] PTR
(3)223(3)102(3)102(3)102(7)in-addr(4)arpa(0)”
#DNS System Logs
#Win-App-DNS-2(DNS Server started)
Thu May 07 02:39:17 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo
[monitorStatus]=”Success”
[eventName]=”DNS Server” [eventSource]=”DNS” [eventId]=”2″
[eventType]=”Information” [domain]=”” [computer]=”WIN-2008-LAW-agent”
[user]=”” [userSID]=”” [userSIDAcctType]=”” [eventTime]=”May 07 2015
10:39:17″ [deviceTime]=”May 07 2015 10:39:17″
[msg]=”The DNS server has started.”
#Win-App-DNS-3(DNS Server shutdown)
Thu May 07 02:39:16 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo
Windows DHCP logs
AO-WUA-DHCP-Generic
Thu May 07 05:44:44 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP
[monitorStatus]=”Success” [ID]=”00″ [Date]=”05/07/15″
[Time]=”13:44:08″ [Description]=”Started” [IP Address]=”” [Host Name]=””
[MAC Address]=”” [User Name]=”” [ TransactionID]=”0″
[ QResult]=”6″ [Probationtime]=”” [ CorrelationID]=”” [Dhcid.]=””
#AO-WUA-DHCP-IP-ASSIGN
Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP
[monitorStatus]=”Success” [ID]=”10″ [Date]=”05/07/15″
[Time]=”13:56:37″ [Description]=”Assign” [IP Address]=”10.1.2.124″ [Host
Name]=”Agent-247.yj” [MAC Address]=”000C2922118E”
[User Name]=”” [ TransactionID]=”2987030242″ [ QResult]=”0″
[Probationtime]=”” [ CorrelationID]=”” [Dhcid.]=””
#AO-WUA-DHCP-Generic(Release)
Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP
[monitorStatus]=”Success” [ID]=”12″ [Date]=”05/07/15″
[Time]=”13:56:33″ [Description]=”Release” [IP Address]=”10.1.2.124″
[Host Name]=”Agent-247.yj” [MAC Address]=”000C2922118E”
[User Name]=”” [ TransactionID]=”2179405838″ [ QResult]=”0″
[Probationtime]=”” [ CorrelationID]=”” [Dhcid.]=””
#AO-WUA-DHCP-IP-LEASE-RENEW
Wed Feb 25 02:53:28 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP
[monitorStatus]=”Success” [ID]=”11″ [Date]=”02/25/15″
[Time]=”10:53:19″ [Description]=”Renew” [IP Address]=”10.1.2.123″ [Host
Name]=”WIN-2008-249.yj” [MAC Address]=”0050568F1B5D”
[User Name]=”” [ TransactionID]=”1136957584″ [ QResult]=”0″
[Probationtime]=”” [ CorrelationID]=”” [Dhcid.]=””
Windows IIS logs
#AO-WUA-IIS-Web-Request-Success
Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS
[monitorStatus]=”Success” [date]=”2015-05-07″
[time]=”03:44:28″ [s-sitename]=”W3SVC1″
[s-computername]=”WIN-2008-LAW-AG” [s-ip]=”10.1.2.242″ [cs-method]=”GET”
[cs-uri-stem]=”/welcome.png” [cs-uri-query]=”-” [s-port]=”80″
[cs-username]=”-” [c-ip]=”10.1.20.232″ [cs-version]=”HTTP/1.1″
[cs(User-Agent)]=”Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36
+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36″
[cs(Cookie)]=”-” [cs(Referer)]=”http://10.1.2.242/”
[cs-host]=”10.1.2.242″ [sc-status]=”200″ [sc-substatus]=”0″
[sc-win32-status]=”0″
[sc-bytes]=”185173″ [cs-bytes]=”324″ [time-taken]=”78″ [site]=”Default
Web Site” [format]=”W3C”
#AO-WUA-IIS-Web-Client-Error
Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS
[monitorStatus]=”Success” [date]=”2015-05-07″ [time]=”03:44:37″
[s-sitename]=”W3SVC1″ [s-computername]=”WIN-2008-LAW-AG”
[s-ip]=”10.1.2.242″ [cs-method]=”GET” [cs-uri-stem]=”/wrongpage”
[cs-uri-query]=”-”
[s-port]=”80″ [cs-username]=”-” [c-ip]=”10.1.20.232″
[cs-version]=”HTTP/1.1″
[cs(User-Agent)]=”Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36
+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36″
[cs(Cookie)]=”-” [cs(Referer)]=”-” [cs-host]=”10.1.2.242″
[sc-status]=”404″
[sc-substatus]=”0″ [sc-win32-status]=”2″ [sc-bytes]=”1382″
[cs-bytes]=”347″ [time-taken]=”0″ [site]=”Default Web Site”
[format]=”W3C”
#AO-WUA-IIS-Web-Forbidden-Access-Denied
Thu May 07 03:30:39 2015 WIN-2008-249.ersijiu.com 10.1.2.249
AccelOps-WUA-IIS [monitorStatus]=”Success” [date]=”2015-05-07″
[time]=”03:30:15″
[s-ip]=”10.1.2.249″ [cs-method]=”POST”
[cs-uri-stem]=”/AOCACWS/AOCACWS.svc” [cs-uri-query]=”-” [s-port]=”80″
[cs-username]=”-”
[c-ip]=”10.1.2.42″ [cs(User-Agent)]=”-” [sc-status]=”403″ [sc-substatus]=”4″ [sc-win32-status]=”5″ [time-taken]=”1″
[site]=”Default Web Site”
[format]=”W3C”
Windows DFS logs
#Win-App-DFSR-1002
Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242
AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”DFS
Replication”
[eventSource]=”DFSR” [eventId]=”1002″ [eventType]=”Information”
[domain]=”” [computer]=”WIN-2008-LAW-agent” [user]=”” [userSID]=””
[userSIDAcctType]=”” [eventTime]=”May 07 2015 11:01:12″ [deviceTime]=”May 07 2015 11:01:12″ [msg]=”The DFS Replication service is starting.”
#Win-App-DFSR-1004
Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242
AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”DFS
Replication”
[eventSource]=”DFSR” [eventId]=”1004″ [eventType]=”Information”
[domain]=”” [computer]=”WIN-2008-LAW-agent” [user]=”” [userSID]=””
[userSIDAcctType]=”” [eventTime]=”May 07 2015 11:01:12″ [deviceTime]=”May 07 2015 11:01:12″ [msg]=”The DFS Replication service has started.”
#Win-App-DFSR-1006
Thu May 07 03:01:10 2015 WIN-2008-LAW-agent 10.1.2.242
AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”DFS
Replication”
[eventSource]=”DFSR” [eventId]=”1006″ [eventType]=”Information”
[domain]=”” [computer]=”WIN-2008-LAW-agent” [user]=”” [userSID]=””
[userSIDAcctType]=”” [eventTime]=”May 07 2015 11:01:10″ [deviceTime]=”May 07 2015 11:01:10″ [msg]=”The DFS Replication service is stopping.”
#Win-App-DFSR-1008
Thu May 07 03:01:11 2015 WIN-2008-LAW-agent 10.1.2.242
AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”DFS
Replication”
[eventSource]=”DFSR” [eventId]=”1008″ [eventType]=”Information”
[domain]=”” [computer]=”WIN-2008-LAW-agent” [user]=”” [userSID]=””
[userSIDAcctType]=”” [eventTime]=”May 07 2015 11:01:11″ [deviceTime]=”May 07 2015 11:01:11″ [msg]=”The DFS Replication service has stopped.”
Windows file content monitoring logs
Windows File integrity monitoring logs
#AO-WUA-FileMon-Added
Thu May 07 05:30:59 2015 WIN-2008-LAW-agent 10.1.2.242
AccelOps-WUA-FileMon [monitorStatus]=”Success” [userId]=”Administrator”
[eventTime]=”May 07 2015 05:30:58″ [fileName]=”C:\\test\\New Text
Document.txt” [osObjAction]=”Added”
[hashCode]=”d41d8cd98f00b204e9800998ecf8427e”
[msg]=””
#AO-WUA-FileMon-Renamed-New-Name
Thu May 07 05:31:02 2015 WIN-2008-LAW-agent 10.1.2.242
AccelOps-WUA-FileMon [monitorStatus]=”Success” [userId]=”Administrator”
[eventTime]=”May 07 2015 05:30:58″ [fileName]=”C:\\test\\test.txt”
[osObjAction]=”Renamed [New Name]”
[hashCode]=”d41d8cd98f00b204e9800998ecf8427e”
[msg]=””
#AO-WUA-FileMon-Renamed-Old-Name
Thu May 07 05:31:02 2015 WIN-2008-LAW-agent 10.1.2.242
AccelOps-WUA-FileMon [monitorStatus]=”Success” [userId]=”Administrator”
[eventTime]=”May 07 2015 05:31:01″ [fileName]=”C:\\test\\New Text
Document.txt” [osObjAction]=”Renamed [Old Name]” [hashCode]=””
[msg]=””
#AO-WUA-FileMon-Modified
Thu May 07 05:31:14 2015 WIN-2008-LAW-agent 10.1.2.242
AccelOps-WUA-FileMon [monitorStatus]=”Success” [userId]=”Administrator”
[eventTime]=”May 07 2015 05:31:13″ [fileName]=”C:\\test\\test.txt”
[osObjAction]=”Modified” [hashCode]=”23acb5410a432f14b141656c2e70d104″
[msg]=””
#AO-WUA-FileMon-Removed
Thu May 07 05:31:29 2015 WIN-2008-LAW-agent 10.1.2.242
AccelOps-WUA-FileMon [monitorStatus]=”Success” [userId]=”Administrator”
[eventTime]=”May 07 2015 05:31:27″ [fileName]=”C:\\test\\test.txt”
[osObjAction]=”Removed” [hashCode]=”” [msg]=””
Windows Installed Software logs
Windows Registry change logs
#AO-WUA-Registry-Modified
Thu May 07 04:01:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249
AccelOps-WUA-Registry [monitorStatus]=”Success”
[regKeyPath]=”HKLM\\SOFTWARE\\Microsoft\\ExchangeServer\\v14\\ContentInde
CatalogHealth\\{0d2a342a-0b15-4995-93db-d18c3df5860d}”
[regValueName]=”TimeStamp” [regValueType]=”1″
[osObjAction]=”Modified”
[oldRegValue]=”MgAwADEANQAtADAANQAtADAANwAgADAAMwA6ADQAOQA6ADQANwBaAAAA” [newRegValue]=”MgAwADEANQAtADAANQAtADAANwAgADAANAA6ADAAMQA6ADQAOABaAAAA”
#AO-WUA-Registry-Removed
Thu May 07 05:25:09 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-Regis
[monitorStatus]=”Success”
[regKeyPath]=”HKLM\\SOFTWARE\\RegisteredApplications” [regValueName]=”Sky
[regValueType]=”1″ [osObjAction]=”Removed”
[oldRegValue]=”UwBPAEYAVABXAEEAUgBFAFwAQwBsAGkAZQBuAHQAcwBcAEkAbgB0AGUAcg
GUAdAAgAEMAYQBsAGwAXABTAGsAeQBwAGUAXABDAGEAcABhAGIAaQBsAGkAdABpAGUAcwBkAG
ABoAGQAaABkAGgAZABoAGQAAAA=” [newRegValue]=””
Windows WMI logs
#AO-WUA-WMI-Win32_Processor
Thu May 07 03:53:33 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WMI
[monitorStatus]=”Success” [__CLASS]=”Win32_Processor”
[AddressWidth]=”64″ [Architecture]=”9″ [Availability]=”3″ [Caption]=”Inte
Family 6 Model 26 Stepping 5″ [ConfigManagerErrorCode]=””
[ConfigManagerUserConfig]=”” [CpuStatus]=”1″
[CreationClassName]=”Win32_Processor” [CurrentClockSpeed]=”2266″
[CurrentVoltage]=”33″
[DataWidth]=”64″ [Description]=”Intel64 Family 6 Model 26 Stepping 5″
[DeviceID]=”CPU0″ [ErrorCleared]=”” [ErrorDescription]=””
[ExtClock]=”” [Family]=”12″ [InstallDate]=”” [L2CacheSize]=”0″
[L2CacheSpeed]=”” [L3CacheSize]=”0″ [L3CacheSpeed]=”0″
[LastErrorCode]=”” [Level]=”6″ [LoadPercentage]=”8″
[Manufacturer]=”GenuineIntel” [MaxClockSpeed]=”2266″
[Name]=”Intel(R) Xeon(R) CPU E5520 @ 2.27GHz” [NumberOfCores]=
[NumberOfLogicalProcessors]=”1″
[OtherFamilyDescription]=”” [PNPDeviceID]=””
[PowerManagementCapabilities]=”” [PowerManagementSupported]=”0″
[ProcessorId]=”0FEBFBFF000106A5″ [ProcessorType]=”3″ [Revision]=”6661″
[Role]=”CPU” [SocketDesignation]=”CPU socket #0″
[Status]=”OK” [StatusInfo]=”3″ [Stepping]=””
[SystemCreationClassName]=”Win32_ComputerSystem”
[SystemName]=”WIN-2008-LAW-AG”
UniqueId]=”” [UpgradeMethod]=”4″ [Version]=”” [VoltageCaps]=”2″
Windows Powershell logs
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
