FortiSIEM Discussions
gwaihir
New Contributor III

Worker denying logs from Collector (FortiSIEM)

Hello

Does anyone have experience with this log? It seems that the Worker is denying logs from the Collector. (This is a ClickHouse environment with one Worker and one Supervisor.)

 

[root@shard1 ~]# tail -f /etc/httpd/logs/ssl_access_log
ip_collec- 10001 [11/Jul/2024:09:48:46 -0500] "PUT //evthandler2?10001 HTTP/1.1" 550 527
ip_collec - 10000 [11/Jul/2024:09:48:51 -0500] "PUT //evthandler2?10000 HTTP/1.1" 550 527
ip_collec - 10001 [11/Jul/2024:09:49:47 -0500] "PUT //evthandler2?10001 HTTP/1.1" 550 527
ip_collec - 10000 [11/Jul/2024:09:49:52 -0500] "PUT //evthandler2?10000 HTTP/1.1" 550 527
ip_collec - 10001 [11/Jul/2024:09:50:48 -0500] "PUT //evthandler2?10001 HTTP/1.1" 550 527
ip_collec - 10000 [11/Jul/2024:09:50:54 -0500] "PUT //evthandler2?10000 HTTP/1.1" 550 527
ip_collec - 10001 [11/Jul/2024:09:51:49 -0500] "PUT //evthandler2?10001 HTTP/1.1" 550 527

 

Regards.

1 Solution
Secusaurus
Contributor II

Hi @gwaihir,

 

There are a lot of possibilities for these errors - wrong/changed passwords/organization names, certificate issues, writing issues in the ClickHouse DB, etc.

 

I assume we are looking at the logs from the worker - does it look similar (550) from the collector's perspective?

 

Has this ever worked before and just changed recently? Is there a proxy/deep-ssl-inspection in between? Is the worker on the internet or is the communication purely internal?

 

Anyways, I would recommend taking the AOLogs and reaching out to the TAC here.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
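
A small triage script for the access-log excerpt in the question, added here as an example and not part of either post or of FortiSIEM: it groups requests by the ID in the query string and reports the status codes and the gap between attempts per ID. The regex, function name and field names are assumptions based only on the lines shown; the sample is the posted excerpt, redaction included.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the excerpt from the question (collector address redacted as posted).
SAMPLE = '''\
ip_collec- 10001 [11/Jul/2024:09:48:46 -0500] "PUT //evthandler2?10001 HTTP/1.1" 550 527
ip_collec - 10000 [11/Jul/2024:09:48:51 -0500] "PUT //evthandler2?10000 HTTP/1.1" 550 527
ip_collec - 10001 [11/Jul/2024:09:49:47 -0500] "PUT //evthandler2?10001 HTTP/1.1" 550 527
ip_collec - 10000 [11/Jul/2024:09:49:52 -0500] "PUT //evthandler2?10000 HTTP/1.1" 550 527
ip_collec - 10001 [11/Jul/2024:09:50:48 -0500] "PUT //evthandler2?10001 HTTP/1.1" 550 527
ip_collec - 10000 [11/Jul/2024:09:50:54 -0500] "PUT //evthandler2?10000 HTTP/1.1" 550 527
ip_collec - 10001 [11/Jul/2024:09:51:49 -0500] "PUT //evthandler2?10001 HTTP/1.1" 550 527
'''

# Anchor on the timestamp and request instead of the leading fields, so a
# redacted or fused host column (first sample line) does not break parsing.
LINE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize(text):
    """Return per-ID request count, non-2xx count, statuses and retry gaps."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an access-log request line
        _path, _, ident = m["target"].partition("?")
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[ident or "-"].append((ts, int(m["status"])))
    report = {}
    for ident, rows in seen.items():
        rows.sort()
        times = [t for t, _ in rows]
        report[ident] = {
            "requests": len(rows),
            "failed": sum(1 for _, s in rows if not 200 <= s < 300),
            "statuses": sorted({s for _, s in rows}),
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
        }
    return report

if __name__ == "__main__":
    for ident, r in sorted(summarize(SAMPLE).items()):
        print(ident, r)
```

On the posted lines, every request from both IDs returns 550 at a steady interval of about a minute, so the rejection is persistent rather than intermittent. Running the same summary over a longer window shows whether the uploads ever succeeded, which is one of the questions asked in the reply.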
