FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
flunaibarra
Staff
Article Id 304400
Description This article describes how to register the Linux agent with the Supervisor and how to troubleshoot a failed registration.
Before going through this documentation, review the doc links below to verify that the Linux agent package matches the version of the FortiSIEM Supervisor it will be registered with.

Linux Agent Installation Guide:
FortiSIEM Linux Agent


FortiSIEM Compatibility Matrix:
FortiSIEM Version Compatibility for Rocky Linux Based Releases

Scope Linux Agent 6.x, 7.x, 7.1.x.
Supervisor 6.x.x, 7.0.x, 7.1.x.
Solution

Prerequisites:


  • From FortiSIEM: Create a new agent user account:
    • For Enterprise: Go to CMDB -> Users -> FortiSIEM Users -> New -> Add User Name, select the pencil icon beside System Admin, checkmark Agent Admin, add a password, and Save.
    • For Service Provider: Go to Global View -> Admin -> Setup -> Organization -> Select the Organization -> Edit -> Agent User: enter a username, Agent Password: enter a password -> Save.
      • Collect the Organization's information from Admin -> Setup -> Organization (Organization Name and Organization ID).

  • From Linux Host: Make sure the software and package requirements for the OS version in use are installed; see the Software Requirements section of the Linux Agent Installation Guide linked above.

  • Test connection from host to Supervisor on port 443.

    wget --no-check-certificate https://<SUPER_IP>:443

  • Run the Installation script:

    bash fortisiem-linux-agent-installer-7.x.xxxxxx.sh -s <SUPER_IP> -i <ORG_ID> -o <ORG_NAME> -u <AGENT_USER> -p <AGENT_PWD> -n <HOST_NAME>


Troubleshooting:


There are 3 reasons for the registration to fail:

  1. Package requirements are not installed on the host, or the OS version is not supported.
  2. Registration information is incorrect. This includes the Supervisor IP/FQDN, username, password, Org name, and Org ID.
  3. Connection issues, including network configuration/communication on port 443, NAT, SSL inspection, external firewall rules blocking traffic, and certificate configuration.


Review the debugging information available in the two agent log files on the host:

/opt/fortinet/fortisiem/linux-agent/log/fortisiem-linux-agent.log
/opt/fortinet/fortisiem/linux-agent/log/phoenix.log


If HTTP error codes 401 or 403 are found, review the registration information, such as the ORG name, ORG ID, agent username, and password. If necessary, create a new agent user account.


Check the Supervisor logs to verify that the host is connecting. SSH to the Supervisor:

    cat /var/log/httpd/ssl_access_log <-- Review the HTTP status codes returned for the agent's requests.


Leave the tail command running on the Supervisor and run the installation on the host:

    tail -f /opt/glas*/dom*/dom*/logs/phoenix.log <-- Registration log entries will appear here.


For example:

[PH_AUDIT_AGENT_INSTALLED]:[phCustId]=1,[hostName]=Ubuntu22043-VM.dmzforest.local,[eventSeverity]=PHL_INFO,[phEventCategory]=2,[procName]=AppServer,[srcIpAddr]=172.16.4.135,[type]=Linux,[user]=agent_admin,[monitorState]=Registered,[phAgentId]=200106,[phLogDetail]=Agent is installed
[PH_AUDIT_USER_LOGIN_FAILURE]:[phCustId]=1,[eventSeverity]=PHL_INFO,[phEventCategory]=2,[procName]=AppServer,[srcIpAddr]=172.16.4.135,[user]=agent_admin,[phLogDetail]=Invalid username or password.
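The following shell script is an added example, not part of this article or of the FortiSIEM agent itself. It shows how to map the two log sources above onto the three failure causes listed under Troubleshooting: it parses Supervisor phoenix.log audit lines in the key=value layout shown above and classifies agent-side error lines by HTTP 401/403 versus connectivity errors. The log lines embedded in the script are constructed for the example; in particular the agent-side line format (fortisiem-linux-agent.log) is an assumption, since the real format is not documented here.

```shell
#!/bin/sh
# Added example: classify FortiSIEM Linux agent registration outcomes from
# constructed log samples. Not FortiSIEM code; the agent-side format is assumed.

# Constructed Supervisor phoenix.log audit lines (same layout as in the article).
SAMPLE_SUPER_LOG='[PH_AUDIT_AGENT_INSTALLED]:[phCustId]=1,[hostName]=host-a,[eventSeverity]=PHL_INFO,[phEventCategory]=2,[procName]=AppServer,[srcIpAddr]=192.0.2.10,[type]=Linux,[user]=agent_admin,[monitorState]=Registered,[phAgentId]=200106,[phLogDetail]=Agent is installed
[PH_AUDIT_USER_LOGIN_FAILURE]:[phCustId]=1,[eventSeverity]=PHL_INFO,[phEventCategory]=2,[procName]=AppServer,[srcIpAddr]=192.0.2.11,[user]=agent_admin,[phLogDetail]=Invalid username or password.'

# Constructed agent-side lines; the real fortisiem-linux-agent.log format is assumed here.
SAMPLE_AGENT_LOG='ERROR register: server returned HTTP 401
ERROR register: connect to 192.0.2.1:443 failed: connection refused'

# field LINE NAME: print the value of [NAME]=value from one audit line
# (audit values shown in the article contain no commas, so stop at the next comma).
field() {
    printf '%s\n' "$1" | sed -n "s/.*\[$2\]=\([^,]*\).*/\1/p"
}

# summarize_registration LOGTEXT: one OK/FAIL line per Supervisor audit event.
summarize_registration() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            '[PH_AUDIT_AGENT_INSTALLED]'*)
                printf 'OK src=%s host=%s user=%s\n' \
                    "$(field "$line" srcIpAddr)" "$(field "$line" hostName)" "$(field "$line" user)" ;;
            '[PH_AUDIT_USER_LOGIN_FAILURE]'*)
                printf 'FAIL src=%s user=%s detail=%s\n' \
                    "$(field "$line" srcIpAddr)" "$(field "$line" user)" "$(field "$line" phLogDetail)" ;;
        esac
    done
}

# diagnose_agent_log LOGTEXT: map agent-side error lines to the article's failure causes.
# 401/403 -> registration information; connection/TLS errors -> network path on 443;
# any other ERROR -> package requirements / OS support.
diagnose_agent_log() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *" 401"*|*" 403"*)
                echo "auth: check ORG name, ORG ID, agent user and password" ;;
            *refused*|*"timed out"*|*unreachable*|*certificate*|*SSL*)
                echo "network: check port 443 reachability, NAT, SSL inspection and firewall rules" ;;
            *ERROR*)
                echo "other: check package requirements and OS support" ;;
        esac
    done
}

# Stand-alone run over the constructed samples.
summarize_registration "$SAMPLE_SUPER_LOG"
diagnose_agent_log "$SAMPLE_AGENT_LOG"
```

On a real Supervisor, pipe `tail -f` of phoenix.log into `summarize_registration` (or pass `$(grep PH_AUDIT_ phoenix.log)`) while the installer runs on the host; a FAIL line with `Invalid username or password.` confirms the 401/403 case from the agent side, whereas no audit line at all while the agent reports a connection error points at the network path rather than at credentials.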