FortiSIEM Collector Buffer Filling Up – Collector Uploading to Its Own IP

Forum|Forum|8 months ago
September 24, 2025
1 reply
438 views

Hello,

In our FortiSIEM environment, we are receiving the following health warning:

---> Event Pipeline: Warning (Collector Buffer between 20MB and 50MB)

After checking the logs, I observed that the collector is trying to upload events to a worker, and the destination IP is the collector’s own IP address. However, we are not using any workers in this deployment – only a Supervisor and a Collector.

Because of this, the collector keeps sending HTTP requests to itself, receives a failed response, and then writes the events into:

" /opt/phoenix/cache/parser/events/ "

This continuously increases the collector buffer size.

As a temporary workaround, I manually delete the .dat files in that directory, which clears the warning, but the issue reappears after a short while because the collector continues to target its own IP.

What would be the correct permanent solution for this issue?

Best Regards,

İsmail Ürek

Fortisiem

Best answer by ismailurek22

Hi Fortinet Community,

This document has resolved the issue.

https://community.fortinet.com/t5/FortiSIEM/Troubleshooting-Tip-New-Collector-goes-into-Critical-Status-due/ta-p/337988

Best regards,

İsmail Ürek

ismailurek22AuthorAnswer

New Member

Hi Fortinet Community,

This document has resolved the issue.

https://community.fortinet.com/t5/FortiSIEM/Troubleshooting-Tip-New-Collector-goes-into-Critical-Status-due/ta-p/337988

Best regards,

İsmail Ürek

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded