FortiSIEM Discussions
ismailurek22
New Contributor

FortiSIEM Collector Buffer Filling Up – Collector Uploading to Its Own IP

 

Hello,

 

In our FortiSIEM environment, we are receiving the following health warning:

---> Event Pipeline: Warning (Collector Buffer between 20MB and 50MB)

 

After checking the logs, I observed that the collector is trying to upload events to a worker, and the destination IP is the collector’s own IP address. However, we are not using any workers in this deployment – only a Supervisor and a Collector.

 

Because of this, the collector keeps sending HTTP requests to itself, receives a failed response, and then writes the events into:

/opt/phoenix/cache/parser/events/

 

 

This continuously increases the collector buffer size.

 

As a temporary workaround, I manually delete the .dat files in that directory, which clears the warning, but the issue reappears after a short while because the collector continues to target its own IP.

 

What would be the correct permanent solution for this issue?

 

Best Regards,

İsmail Ürek

1 Solution
ismailurek22
New Contributor

Hi Fortinet Community,

 

This document has resolved the issue.

https://community.fortinet.com/t5/FortiSIEM/Troubleshooting-Tip-New-Collector-goes-into-Critical-Sta...

 

Best regards,

İsmail Ürek
