FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
flunaibarra
Staff
Article Id 310203
Description

This guide describes how to troubleshoot when a Windows or Linux Agent is registered with a Supervisor but is not uploading events to a Collector.

Before proceeding, review the FortiSIEM Compatibility Matrix to verify that the correct Windows/Linux agent version is registered with a compatible Supervisor and Collector version.

Scope

Windows Agent 4.4.x, 5.x, 7.x.x, 7.1.x.
Linux Agent 6.x.x, 7.x.x, 7.1.x.
Supervisor and Collector 6.x, 7.x, 7.1.x.
Solution

Prerequisites:

  • The Collector should already be registered with the Supervisor, and the Collector's health status should show as normal. If there is any issue with the Collector status, fix that issue first.

  • The agent has registered successfully with the Supervisor: in CMDB, the host Status shows as Approved and the Agent Status shows as Registered. Agent Monitor Templates should already be created; see this document for Windows or this document for Linux for more information.

  • Host To Template Associations should already be created: from the Configuration Agents link above, see Associate Windows Agents to Templates. For Linux, see Define the Agent Monitor Templates.
    Make sure to press the 'Apply' button, located between the Delete and Up buttons in the host template association section. Note: if the Apply button is not pressed, the changes are not sent to the agent.


Troubleshooting:

Communication flow:
Agent ---> outbound HTTPS (443) ---> Supervisor (Registration and Updates)
Agent ---> outbound HTTPS (443) ---> Collector (Upload events)


  • Test the connection from the host to the Collector on port 443 with the following command in PowerShell:

Test-NetConnection <Collector_IP> -port 443

  • On the Collector, run the following command to confirm that the host is reaching it and to verify the HTTP status codes returned to the agent:

grep <HOST_IP> /etc/httpd/logs/ssl_access_log

  • If there are no log entries for the host's IP, check whether any agent traffic is reaching the Collector at all. Depending on the networking configuration, the traffic sometimes arrives from a different source IP than the host's own:

cat /etc/httpd/logs/ssl_access_log
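The two Collector-side checks above (is the host reaching the Collector, and with which HTTP codes) can be done in one pass with the following script. It is an added example, not part of the article or of FortiSIEM; it assumes ssl_access_log is in the default Apache Common Log Format, and the sample lines, IPs and request path are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Apache Common Log Format: host ident user [time] "request" status bytes.
# Assumption: the Collector's /etc/httpd/logs/ssl_access_log uses this default format.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<bytes>\d+|-)'
)


def parse_clf_line(line):
    """Return a dict for one access-log line, or None if the line does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"]) if rec["status"] != "-" else None
    return rec


def summarize_agent_traffic(lines, host_ip=None):
    """Count HTTP status codes per source IP, optionally only for host_ip.

    Returns {source_ip: {status_code: count}}. A missing host_ip key means no
    request from that host reached the Collector (look for traffic arriving
    from a different source IP); non-2xx keys are the upload failures to chase.
    """
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_clf_line(line)
        if rec is None or (host_ip and rec["host"] != host_ip):
            continue
        summary[rec["host"]][rec["status"]] += 1
    return {ip: dict(codes) for ip, codes in summary.items()}


# Constructed sample log; IPs and the request path are placeholders, not FortiSIEM's own.
SAMPLE_LOG = """\
10.0.0.21 - - [12/Mar/2024:10:15:01 +0000] "POST /upload HTTP/1.1" 200 17
10.0.0.21 - - [12/Mar/2024:10:15:31 +0000] "POST /upload HTTP/1.1" 200 17
10.0.0.21 - - [12/Mar/2024:10:16:01 +0000] "POST /upload HTTP/1.1" 503 0
10.0.0.99 - - [12/Mar/2024:10:16:05 +0000] "POST /upload HTTP/1.1" 200 17
this line is not an access-log entry and is skipped
"""

if __name__ == "__main__":
    # On a real Collector, replace SAMPLE_LOG.splitlines() with
    # open("/etc/httpd/logs/ssl_access_log") and pass host_ip="<HOST_IP>".
    for ip, codes in summarize_agent_traffic(SAMPLE_LOG.splitlines()).items():
        print(ip, codes)
```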


For a Windows host:

If there is no traffic reaching the Collector, change the Agent log level to Debug:

  1. Open Notepad as an Administrator.
  2. Open the file C:\Program Files\Fortinet\FortiSIEM\log4net.config.
  3. Replace <LogLevel>ERROR</LogLevel> with <LogLevel>DEBUG</LogLevel> and save.
  4. Wait 5 to 10 minutes for the logs to be collected, then revert the change.
  5. Check the Agent application log located at C:\ProgramData\FortiSIEM\Agent\Logs\Trace.log. Review any errors and which IP/FQDN the Windows Agent is using to upload the events.
    1. If the debug logs show that the agent is using the Supervisor IP to upload the events, open RegEdit and go to HKEY_LOCAL_MACHINE\Software\Fortinet\FortiSIEM.

      The registration information should be:

      SuperName -> Supervisor IP/FQDN.
      supers -> empty.

      If 'supers' contains the Supervisor IP/FQDN, it is because that IP is sent to the Agent when an IP is added under Admin -> Settings -> System -> Cluster Config -> Supervisors.

To resolve this:

  1. Remove the IP/FQDN under Admin -> Settings -> System -> Cluster Config -> Supervisors.
  2. Remove the IP/FQDN from the 'supers' value in the host's Agent registration key in RegEdit.
  3. Restart the FSMLogAgent process: open Task Manager -> Processes -> select FSMLogAgent -> End task. The process restarts automatically.

For a Linux host, review the application log: /opt/fortinet/fortisiem/linux-agent/log/phoenix.log.

Lastly, review the service log: /opt/fortinet/fortisiem/linux-agent/log/fortisiem-linux-agent.log.