flunaibarra
Staff
December 31, 2024

Troubleshooting Tip: Windows Agent registration with Collector as Proxy and troubleshooting

Description

This article describes how to troubleshoot Windows Agent registration when a Collector is used as a proxy.
Make sure to review the FortiSIEM Compatibility Matrix to verify that the correct Windows agent version is registered with a compatible Collector version: FortiSIEM Version Compatibility for Rocky Linux Based Releases.
Scope

Windows Agent from v4.4.x to v7.3.x.

Supervisor and Collector from v6.x to v7.3.x.

Solution

Installation procedure: 

  1. The Collector's Health Status should show as Normal:

 Collector-Health.png

 

If the collector has an issue, use the following KB article to review common collector issues: 

Troubleshooting Tip: How to troubleshoot collector issues.

 

  2. The agent-proxy.conf file should already be created in the Collector. Ensure there are no typos:

     

  3. Run the agent installation using the Collector IP as the Supervisor. For example:
                                                              

WinRegistration.png

 

Note: If an IP is configured in Admin -> Settings -> System -> Cluster Config tab -> Supervisors.

 

cluster-conf.png

 

Or, if the agent installation is performed in a locked-down or private network, use the Supervisor Override option by entering the same Collector IP.

 

The Supervisor Override option is available from Windows Agent v7.1.7 or later.

 

Troubleshooting steps: 

Understand the Communication flow:

The agent registers with the Collector over outbound HTTPS (443), which is the only connection in this setup. The agent uses this outbound connection to register, send updates, and upload events.

 

Issue 1: Agent failed to register. Test the connection from the host to the Collector IP on port 443:

 

  • From the Windows host, run the following command in PowerShell:

Test-NetConnection <Collector_IP> -port 443

 

Test-Con-Win.png

 

Issue 2: Agent registered successfully, but is not uploading events.

 

Confirm that the Super Override option was used during the registration.

On the Windows host, open RegEdit and go to the following registry folder:

HKEY_LOCAL_MACHINE\Software\Fortinet\FortiSIEM

 

RegEdit1.png

 

Solution: If the Supers field contains the Supervisor IP or FQDN, that is what is causing the event upload issue.

Uninstall the agent using the same installer file, as the Configuration Guide indicates: Uninstalling Windows Agent.

Reinstall the agent using the option Super Override -> Add the same Collector IP.

 

  1. Confirm the host reaches Collector correctly by verifying the HTTP codes in the Collector log:
  • Run the following command on the Collector:

 

cat /etc/httpd/logs/ssl_access_log | grep <HOST_>

 

cat-ssl_access_log.png

 

  • If no log entries match the host's IP, check whether agent traffic reaches the Collector by viewing the log without filtering on any IP. The traffic might be sent with a different host IP depending on the networking configuration.

 

cat /etc/httpd/logs/ssl_access_log

 

  2. Change Agent log-level to 'DEBUG':

Follow the steps in the Agent Installation Guide -> Troubleshooting: FortiSIEM Windows Agent 7.3.x.

 

The debug log should show the following entry if the upload is going to the correct Collector IP/FQDN:

 

DEBUG FortiSIEM.Webproxy.CollectorManager - SendData to server : 10.5.8.122

 

Note: If the Collector is configured with public and private IPs, the debug logs will show the private Collector IP/FQDN. The Agent received this IP/FQDN, as shown in the Collector Health tab.

 

To fix this, add the Public Collector IP in Host to Template Associations -> Virtual Collectors -> Save -> Apply.

 

Example:

 

Virtual_Collector.png
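
An added example (not part of the original article or of Fortinet tooling) for the Collector access-log check under Issue 2: it summarises requests per client IP and HTTP status, and matches the host IP exactly instead of as a grep pattern, so 192.0.2.4 does not also match 192.0.2.40. It assumes the log is in Apache Common Log Format (client IP in field 1, status code in field 9); the sample lines, IPs and request paths are constructed.

```shell
#!/bin/sh
# Added example: summarise Collector access-log hits per client IP and status.
# Assumption: Apache Common Log Format (field 1 = client IP, field 9 = status).

# Print "client_ip status count" for every (IP, status) pair in the log.
# Useful when agent traffic arrives from an unexpected (NATed) source IP.
summarize_hits() {
    awk '$9 ~ /^[0-9][0-9][0-9]$/ { n[$1 " " $9]++ }
         END { for (k in n) print k, n[k] }' "$1" | LC_ALL=C sort
}

# Print how many requests from one client IP received a 2xx status.
# Exact comparison on field 1 avoids substring and "." wildcard matches.
count_ok_from() {
    awk -v ip="$2" '$1 == ip && $9 ~ /^2[0-9][0-9]$/ { c++ }
                    END { print c + 0 }' "$1"
}

# Print client IPs that received at least one non-2xx reply, i.e. the
# request reached the Collector but was rejected or failed upstream.
failing_clients() {
    awk '$9 ~ /^[0-9][0-9][0-9]$/ && $9 !~ /^2/ { print $1 }' "$1" |
        LC_ALL=C sort -u
}

# Constructed sample log (not real Collector output); paths are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.40 - - [31/Dec/2024:10:00:01 +0000] "POST /example/register HTTP/1.1" 200 512
192.0.2.40 - - [31/Dec/2024:10:00:31 +0000] "POST /example/upload HTTP/1.1" 200 64
192.0.2.4 - - [31/Dec/2024:10:01:02 +0000] "POST /example/upload HTTP/1.1" 401 128
198.51.100.77 - - [31/Dec/2024:10:02:10 +0000] "POST /example/upload HTTP/1.1" 502 0
EOF

echo "Hits per client IP and status:"
summarize_hits "$SAMPLE_LOG"
echo "2xx replies to 192.0.2.4: $(count_ok_from "$SAMPLE_LOG" 192.0.2.4)"
echo "Clients with non-2xx replies:"
failing_clients "$SAMPLE_LOG"
```

On a Collector, pass /etc/httpd/logs/ssl_access_log to the functions instead of the sample file.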