FortiSIEM Discussions
KarlH
Contributor

phProvisionCollector HTTP Status 401 - Not authorized This request required HTTP authentication.

Hello all. 

When registering the collector with the super:

/opt/phoenix/bin/phProvisionCollector --add 130859572admin 'passwordomited' <FQDN SIEM> <ORG>  <COLLECTOR NAME>

 

Error: HTTP Status 401 - Not authorized This request required HTTP authentication.

 

 

I am seeking from the community any experience or knowledge of this occurring and the creds NOT being the issue.

I have found a wealth of connectivity troubleshooting articles, but nothing about a 401 Not authorized return code error as a result of phProvisionCollector.

 

What we checked:

Double-checked org name, admin name, etc.
Checked the collector exists under their org settings in the SIEM.
Checked the Phoenix log and found a "PUT" command error 401 from the collector.
We can see the super talking back on port 443.
Found the ssl_access_log and it too had the 401 error from the collector.

 

Have not verified time sync by running the date command on collector and super. If they are out of sync, I read that NTP needs to be set on both machines and there can only be a 2 min gap.

Have not checked the certificate authority using the wget command on the collector.

 

When we send that argument string across the network to the supervisor, I am expecting it to be encrypted. Being new to FortiSIEM, I wondered how the command is negotiating behind the scenes?

 

Basic Authentication requires sending appropriate Authorization headers containing Base64-encoded username and password combinations. If these headers are missing or improperly set up during communication between client and server, it can result in receiving a 401 response.

 

How can I verify the headers are OK? Would that show in the Phoenix logs, or in the ssl error and access logs?

Not sure how to debug this issue.

The definitive meaning of 401 is here at the RFC, https://www.rfc-editor.org/rfc/rfc7235#section-3.1

 

Thanks in advance.

Any help is appreciated.

Karl Henning, Security Engineer, CISSP
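
The Basic scheme described in the post above, as an added example that is not part of the original post and not Fortinet code: it builds and inspects an Authorization header per RFC 7617 and shows that a missing header, a malformed header and a wrong password all produce the same 401. The user name and passwords are constructed, and the page does not state that phProvisionCollector uses exactly this scheme.

```python
import base64
import binascii
import hmac


def build_basic_header(user, password):
    """Return the Authorization header value for HTTP Basic (RFC 7617)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def inspect_basic_header(value):
    """Classify a header value; returns (status, user, password)."""
    if not value:
        return ("missing", None, None)
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return ("wrong-scheme", None, None)
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ("bad-encoding", None, None)
    # Split on the first colon only: the password may itself contain ':'.
    user, sep, password = raw.partition(":")
    if not sep:
        return ("no-colon", None, None)
    return ("well-formed", user, password)


def server_status(value, expected_user, expected_password):
    """Toy server decision: every kind of failure yields the same 401."""
    status, user, password = inspect_basic_header(value)
    if status != "well-formed":
        return 401
    user_ok = hmac.compare_digest(user.encode(), expected_user.encode())
    pw_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    return 200 if (user_ok and pw_ok) else 401


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    good = build_basic_header("collector-admin", "new:password")
    stale = build_basic_header("collector-admin", "old-password")
    for label, hdr in [("good", good), ("stale", stale), ("none", None)]:
        print(label, inspect_basic_header(hdr)[0],
              server_status(hdr, "collector-admin", "new:password"))
```

Because the status code is identical in every failure case, confirming the credentials through another login path is what separates a wrong password from a header problem.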
Hatibi
Staff

Checking internally, I see this error is presented in cases when you put an invalid password in the registration command.

If not, it might be worth enabling a packet capture/tcpdump on both sides, filtering for the host IP, and then running the command to register the collector again.

KarlH

Alas, I did all that and in the end I reset the password. When you do this, the other collectors are also reset, so future re-registration of the old collectors will work with the new password. The other way I verified the creds was to log into the SIEM GUI using the collector admin name, pw and org provided in the registration string. So yes, in the end it was a pw issue for that 401 error.

Karl Henning, Security Engineer, CISSP