FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
ymasaki
Staff
Article Id 306270
Description: This article describes how to troubleshoot the case where the FortiEDR Collector displays a popup message but no matching event can be found in the Event Viewer.
Scope: FortiEDR.
Solution

A FortiEDR Collector in Prevention mode displays a popup message whenever something is blocked by the blocking policy.

(Image: no_event_1.png)

Normally, the corresponding event appears in the Event Viewer:

(Image: no_event_2.png)

Sometimes, however, the event cannot be found in the Event Viewer even though the FortiEDR Collector displayed a popup message.
Follow the troubleshooting steps below to confirm that the Collector is working correctly and to locate the event in the Event Viewer.

 

  1. Check that the Collector status is Running:
  • The Collector is in a Running state in Central Manager (INVENTORY -> Collectors).
  • Run the CLI command for the Collector's operating system to check its status.

Windows (the path contains a space, so quote it):

"C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorServices.exe" --status

Linux:

sudo /opt/FortiEDRCollector/control.sh --status

macOS:

sudo /Applications/FortiEDR.app/fortiedr_collector.sh status

  2. Confirm that a connection is established to the Aggregator server on TCP port 8081:
  • From the Taskbar, right-click the FortiEDR icon and select View Activity Log. The connection status is shown in the Advanced section.

(Image: no_event_4.png)

  • Run the CLI command to confirm that the connections to the Aggregator (port 8081) and Core (port 555) servers are established.

Windows:

netstat -an | findstr 8081

netstat -an | findstr 555

Linux/macOS:

netstat -an | grep 8081

netstat -an | grep 555
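As an added example (not from the Fortinet article), the following POSIX shell script performs the check above on netstat output, but anchors on the remote port and the ESTABLISHED state so that, for instance, a connection to port 5555 is not mistaken for the Core link on port 555. The sample netstat output and its addresses are constructed for illustration; the port numbers are the ones named in this step.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: parse "netstat -an" output and
# report whether an ESTABLISHED TCP connection exists to the Aggregator (8081)
# and to the Core (555). Ports are the ones the article names; the addresses
# in the sample below are constructed, not taken from a real Collector.

# Constructed sample of "netstat -an" output (Linux "addr:port" form; macOS
# prints "addr.port", which the matcher below also accepts).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.25:49712         203.0.113.10:8081       ESTABLISHED
tcp        0      0 10.0.0.25:49713         203.0.113.11:555        SYN_SENT
tcp        0      0 10.0.0.25:49714         203.0.113.12:5555       ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# established_to_port PORT NETSTAT_OUTPUT
# Prints each TCP line whose foreign (remote) port is PORT and whose state is
# ESTABLISHED; returns 0 if there was at least one, 1 otherwise. Anchoring on
# the foreign-address column avoids the false positive that a bare
# "grep 555" gives on port 5555 or on a local port that happens to match.
established_to_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp/ && $5 ~ ("[.:]" p "$") && $6 == "ESTABLISHED" { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_collector_links NETSTAT_OUTPUT
# One verdict line per server; returns 0 only when both links are established.
check_collector_links() {
    rc=0
    for pair in "Aggregator:8081" "Core:555"; do
        name="${pair%%:*}"
        port="${pair##*:}"
        if established_to_port "$port" "$1" >/dev/null; then
            echo "$name (TCP $port): ESTABLISHED"
        else
            echo "$name (TCP $port): no established connection"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample; on a live host substitute "$(netstat -an)".
if check_collector_links "$SAMPLE_NETSTAT"; then
    echo "Both server links are up; look for the event in the other Event Viewer views."
else
    echo "A server link is down; check the Activity Log Advanced section on the Collector."
fi
```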

 

  3. A popup message can also be caused by a Communication Control event:
  • In this case, the event appears under Communication Control instead of in the Event Viewer.

(Image: no_event_5.png)

  4. An application is blocked but the event is aggregated:
  • By default, events are aggregated in the Process view, so the detected event may be hidden inside an aggregated event.
  • Use the Device view to narrow the list down to the specific Collector machine and find the detected event.

(Image: no_event_6.png)

  5. The event is in the Archived view of the Event Viewer:
  • The Unhandled (default) and All views do not include events that are in the Archived view.
  • FCS (FortiEDR Cloud Services) sometimes handles an event automatically and archives it when it is classified as known good.

(Image: no_event_7.png)
