Troubleshooting Tip: Linux Agent registration with collector as proxy and troubleshooting

Installation:

1. The collector should already be registered with the Supervisor, and the collector's health status should show as Normal
   
    

    

If there are any issues with collector status, fix the issue with the collector first by following the steps in Troubleshooting Tip: How to troubleshoot collector issues.
 

2. Ensure agent-proxy.conf file has been created correctly in the collector and that there are no typos by referring to the Set up the collector as an HTTPS Proxy section in FortiSIEM Linux Agent and ensure the httpd service has been restarted.
   
   
3. Run the Linux Agent installation using the collector IP. For example:

Note: If there is a supervisor IP configured in the GUI -> Admin -> Settings -> System -> Cluster Config tab -> Supervisors, or if the Linux Agent registration/installation is performed in a locked-down network, use the Supervisor Override option ( -L) and add the same collector IP. See the Installing Linux Agent configuration guide section of FortiSIEM Linux Agent for more information.

The override option is available from Linux Agent version 7.3.0 or later.

Troubleshooting steps: 

The Linux Agent outbound connection HTTPS (443) to the collector is the only connection in this setup. This same connection is used for registration to send updates and upload events. 

Issue 1: The Linux Agent failed to register. Test the connection from the Linux host on the collector IP in port 443: 

wget --no-check-certificate https://<SUPER_IP>:443

The HTTP request sent should be '200 OK'. If the HTTP request failed, check the network connection between the host and the collector.

Issue 2: Linux Agent registers successfully, but no events are uploaded.

• The Monitor template configuration and association must be created to define what events the agent will collect. See Configuring Linux Agent.

Review the following Agent's log for errors:

/opt/fortinet/fortisiem/linux-agent/log/phoenix.log

The log may show any of the following errors: 

2026-02-23T18:50:45.340818-00:00 Ubuntu22043-VM.dmzforest.local phLinuxAgent[874]: [PH_GENERIC_WARNING]:[eventSeverity]=PHL_WARNING,[procName]=phLinuxAgent,[fileName]=phLinuxAgent.cpp,[lineNumber]=1351,[phLogDetail]=Cannot update agent template, respCode: 0, superIp: SuperIP.net.local

2026-02-23T18:50:45.340818-00:00 Ubuntu22043-VM.dmzforest.local phLinuxAgent[874]: [PH_GENERIC_WARNING]:[eventSeverity]=PHL_WARNING,[procName]=phLinuxAgent,[fileName]=phLinuxAgent.cpp,[lineNumber]=1351,[phLogDetail]=Cannot update agent template, respCode: 0, superIp: 172.16.3.122

If it does, this means there is a Supervisor IP or FQDN configured in GUI -> Admin -> Settings -> System -> Cluster Config tab -> Supervisors. To fix this, uninstall the Linux agent and reinstall it using the option (-L) as indicated in step 3.

• If the collector is configured with public and private IPs, the agent will use the collector's private IP (IP that shows the collector health tab) to upload the events. To fix this, add the public collector's IP in the Host to Template Association -> Virtual Collectors -> Save -> Apply.