Hello,
In our FortiSIEM environment, we are receiving the following health warning:
---> Event Pipeline: Warning (Collector Buffer between 20MB and 50MB)
After checking the logs, I observed that the collector is trying to upload events to a worker, and the destination IP is the collector’s own IP address. However, we are not using any workers in this deployment – only a Supervisor and a Collector.
Because of this, the collector keeps sending HTTP requests to itself, receives a failed response, and then writes the events into:
" /opt/phoenix/cache/parser/events/ "
This continuously increases the collector buffer size.
As a temporary workaround, I manually delete the .dat files in that directory, which clears the warning, but the issue reappears after a short while because the collector continues to target its own IP.
What would be the correct permanent solution for this issue?
Best Regards,
İsmail Ürek
Solved! Go to Solution.
Hi Fortinet Community,
This document has resolved the issue.
Best regards,
İsmail Ürek
Hi Fortinet Community,
This document has resolved the issue.
Best regards,
İsmail Ürek
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
User | Count |
---|---|
72 | |
25 | |
15 | |
10 | |
10 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.