FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
RuiChang
Staff
Article Id 386885
Description

 

This article describes the best practice of configuring http_client_peer_verify in FortiSIEM.

 

Scope

 

FortiSIEM.

 

Solution

 

FortiSIEM contains a configuration option, http_client_peer_verify, that can disable SSL verification for the connection between the Supervisor and the Collector. It can be found at the locations below:

 

  1. Line 287 of '#vi /opt/phoenix/config/phoenix_config.txt'.
  2. Line 269 of '#vi /opt/phoenix/config/collector_config_template.txt'.

 

Note:

Both the Supervisor and the Collector need to have the same configuration to ensure logs are uploaded successfully. If users notice that the Collector is unable to upload logs after registering to the Supervisor, troubleshoot with the commands below:

 

  1. Run a sniffer on the Supervisor CLI:

 

# tshark -f "src <Collector IP>"

 

Note:

Users should see multiple RSTs from the Collector due to SSL verification failure. Running '#curl -vk <Supervisor IP>' from the Collector will succeed, so it does not help troubleshoot this problem: the -k option makes curl skip certificate verification.

 

  2. Check logs on the Collector:

 

# cat /opt/phoenix/log/phoenix.log |grep -i failed

 

Note:

The logs will show multiple 'Failed to upload Event Worker' entries.

In that case, make sure the http_client_peer_verify option is set to the same value on both the Supervisor and the Collector: either enabled on both or disabled on both.
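
The consistency check above can be scripted against local copies of each node's configuration file. This is an added example, not Fortinet's code: it assumes the option is stored as a 'http_client_peer_verify=<value>' line, and the function names, the yes/no values and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the option is stored as a line of the form
# "http_client_peer_verify=<value>"; the values yes/no below are constructed.

# Print the last uncommented http_client_peer_verify value in a config file,
# or "unset" when the file has no such line.
peer_verify_value() {
    val=$(sed -n 's/^[[:space:]]*http_client_peer_verify[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Succeed (exit 0) only when the Supervisor copy ($1) and the Collector
# copy ($2) carry the same value.
peer_verify_matches() {
    sup=$(peer_verify_value "$1")
    col=$(peer_verify_value "$2")
    echo "supervisor=$sup collector=$col"
    [ "$sup" = "$col" ]
}

# Count the upload failures the article describes in a Collector log.
upload_failures() {
    grep -ci 'Failed to upload Event Worker' "$1" || true
}

# Demo on constructed files standing in for copies from each appliance.
demo=$(mktemp -d)
printf 'http_client_peer_verify=yes\n' > "$demo/phoenix_config.txt"
printf 'http_client_peer_verify=no\n' > "$demo/collector_config.txt"
printf '%s\n' 'ERROR Failed to upload Event Worker' 'INFO heartbeat ok' > "$demo/phoenix.log"

if ! peer_verify_matches "$demo/phoenix_config.txt" "$demo/collector_config.txt"; then
    echo "MISMATCH: set http_client_peer_verify to the same value on both nodes"
fi
echo "upload failures in log: $(upload_failures "$demo/phoenix.log")"
rm -rf "$demo"
```

Commented-out lines are ignored, so a disabled default left in the file does not hide the value that is actually in effect.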

 

Related article:

Troubleshooting Tip: How to resolve Collector Event Upload errors with Self-signed Certificates inst...
