theFWdude
New Member
November 1, 2018
Question

FortiSIEM Login Errors


All,

My MSP vendor who uses FortiSIEM rebuilt their collector due to a serious crash this week. One of my FortiGates is currently logging this error: Administrator "FortiSIEM" login failed from ssh(1.1.1.1) because of invalid ssh key. This alert fires off a "Failed Login" alert in my FAZ and is driving me crazy. The collector actually logs in and out just fine; I don't understand why I'm getting this alert.

 

The only difference between this FortiGate and my other FortiGates is that it's currently running 5.6.6, the rest are 5.6.3.  Anyone else seeing this? 

 

My failed login alerts have been disabled due to alert fatigue. 


    DJRisq
    New Member
    December 12, 2018
    @theFWdude: did you get a response? Solution? Have the same issue...

    theFWdude (Author)
    New Member
    December 17, 2018

    Apologies for the delay. Unfortunately, the FortiSIEM is managed by a vendor of ours who was able to resolve the issue(s) with Fortinet Support. I wish I had some details to provide, but I do not.

    saxon
    New Member
    March 4, 2019

    It's a bit late, but in case anyone else finds this:

     

    I'm willing to bet it's because you have an HA pair and FortiGate devices have the SSH key, not the cluster. So the software connecting to your pair saved the key when one of the devices was master, and now that the other one is master it's freaking out because of the key change.

     

    If so, remove and save the line in your ~/.ssh/known_hosts for the device (search by its IP and/or hostname), reconnect and save the new key, then edit known_hosts and add the old key back in. Now you have two lines, one for each key, so it shouldn't care which is master.
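
The two-line known_hosts layout described in the last reply, as an added example that is not part of the original thread: it appends a second HA member's host key without deleting the first, so the old key never has to be removed and re-added by hand. The function names, the address 192.0.2.10 and the key strings are constructed placeholders, and the script assumes unhashed known_hosts entries and that each key was verified out of band before being added.

```shell
#!/bin/sh
# Added example: trust one host key per HA member under the same host name.
# Assumes unhashed entries (HashKnownHosts no) and keys verified out of band.

# add_host_key FILE HOST KEYTYPE BASE64KEY
# Appends "HOST KEYTYPE KEY" unless that exact key is already listed for HOST.
add_host_key() {
    file=$1 host=$2 ktype=$3 key=$4
    touch "$file"
    if awk -v h="$host" -v t="$ktype" -v k="$key" '
        $0 !~ /^#/ && $2 == t && $3 == k {
            n = split($1, names, ",")          # host field may be "name,ip"
            for (i = 1; i <= n; i++) if (names[i] == h) found = 1
        }
        END { exit (found ? 0 : 1) }' "$file"
    then
        return 0                               # already trusted, nothing to do
    fi
    printf '%s %s %s\n' "$host" "$ktype" "$key" >> "$file"
}

# count_host_keys FILE HOST
# Prints how many distinct keys are trusted for HOST (2 for a two-unit pair).
count_host_keys() {
    awk -v h="$2" '
        $0 !~ /^#/ && NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h && !seen[$2 " " $3]++) c++
        }
        END { print c + 0 }' "$1"
}

# Demo on a scratch file with constructed (non-functional) key strings.
kh=$(mktemp)
add_host_key "$kh" 192.0.2.10 ssh-ed25519 AAAAconstructedPRIMARYkey
add_host_key "$kh" 192.0.2.10 ssh-ed25519 AAAAconstructedSECONDARYkey
add_host_key "$kh" 192.0.2.10 ssh-ed25519 AAAAconstructedPRIMARYkey   # no-op
echo "keys trusted for 192.0.2.10: $(count_host_keys "$kh" 192.0.2.10)"
rm -f "$kh"
```

A count higher than the number of cluster members for one host is worth reviewing, since every extra line is another key the client will accept without warning.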