Technical Tip: Collector account getting locked due to authentication failure
| Description | This article describes how to resolve an issue where the Collector account gets locked repeatedly due to authentication failures with the Supervisor. |
| Scope | FortiSIEM. |
| Solution | Collector authentication fails, and the account gets locked repeatedly. In the App Server logs, entries similar to the following can be observed:
[PH_AUDIT_ACCOUNT_LOCKED]: Account locked
HTTP 401 authentication errors may also appear in the logs.
SSH to the Supervisor and take a backup of the file:
cp -rf /etc/httpd/accounts/passwds /tmp/
Edit the file:
vim /etc/httpd/accounts/passwds
Ensure the file only contains valid Collector ID entries, for example:
10001:<hash>
Remove any unnecessary or incorrect entries.
Restart the HTTP service:
systemctl restart httpd
When checking the configuration, verify the config phoenix_super.txt:
Both files should contain the Supervisor IP address, while the Collector may have been registered using the FQDN.
Restart httpd and re-register the Collector using the Supervisor IP address instead of the FQDN. After re-registration, the Collector authentication succeeds, and the Collector health returns to normal. |
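
The check behind the step "Ensure the file only contains valid Collector ID entries" can be done read-only before editing. The script below is an added example, not Fortinet code: the function names `audit_passwds` and `make_sample` are hypothetical, the entry format `<collector-id>:<hash>` is assumed from the sample line above, the list of valid Collector IDs is supplied by the operator, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: read-only audit of a Collector passwds file.
# Assumption: each entry is "<collector-id>:<hash>", as in the article's
# sample line; the valid Collector IDs are passed in by the operator.

# audit_passwds FILE ID [ID...]
# Prints one "line N: REASON [id]" record per suspect entry (hashes are
# never printed). Returns 0 if clean, 1 if anything was flagged, 2 if the
# file cannot be read.
audit_passwds() {
    file=$1
    shift
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -v ids="$*" '
        BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) valid[a[i]] = 1 }
        /^[ \t]*$/ { next }                      # ignore blank lines
        {
            pos  = index($0, ":")                # split on the first colon only
            id   = (pos > 0) ? substr($0, 1, pos - 1) : ""
            hash = (pos > 0) ? substr($0, pos + 1) : ""
            if (id == "" || hash == "") { print "line " NR ": MALFORMED"; bad = 1; next }
            if (!(id in valid))         { print "line " NR ": UNKNOWN " id; bad = 1 }
            if (seen[id]++)             { print "line " NR ": DUPLICATE " id; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$file"
}

# make_sample FILE: writes a constructed sample (placeholder hashes only).
make_sample() {
    cat > "$1" <<'EOF'
10001:CONSTRUCTED_HASH_A
10002:CONSTRUCTED_HASH_B
10001:CONSTRUCTED_HASH_C
20007:CONSTRUCTED_HASH_D
stale-entry-without-hash
EOF
}

# Demo on the constructed sample when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && make_sample "$tmp"
    audit_passwds "$tmp" 10001 10002
    rm -f "$tmp"
fi
```

On a Supervisor, point the function at the backup copy (`/tmp/passwds`) with the Collector IDs that are actually registered, then remove the flagged lines from the live file by hand as described above.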