FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
kdave
Staff
Article Id 347550
Description This article describes how to prevent the automatic restart of the auditd and rsyslog services on a Linux host after a FortiSIEM Linux agent has been installed.
Scope FortiSIEM, Linux Agent.
Solution

When a Linux agent is installed on a Linux host, directories and files can be monitored using the FIM (File Integrity Monitoring) feature.

After files and directories have been added to FIM, it has often been observed that the auditd service restarts automatically.

 

In such cases, the exact reason for the service restart can be tracked down in the following two ways.

 

Check the service status at the system level with the commands below, and review the verbose-level log messages they report.

 

service auditd status

systemctl status rsyslog

 

Check the log '/opt/fortinet/fortisiem/linux-agent/log/phoenix.log'. It should provide further information about errors. Below are a few examples of correcting permissions related to FIM.

 

Example 1:

 

2024-09-18T15:12:17.105563-00:00 AGENTTEST phLinuxAgent[1637018]: [PH_UTIL_DIR_OPEN_FAILURE]:[eventSeverity]=PHL_ERROR,[procName]=phLinuxAgent,[fileName]=phMiscUtils.cpp,[lineNumber]=2284,[dirName]=/usr/bin,[errorNoInt]=13,[phLogDetail]=Dir could not be opened

 

Solution: Here the '/usr/bin' directory could not be opened; errorNoInt=13 is EACCES (permission denied). Make sure that the parent directory has execute (x) permission:

 

chmod +x /usr

 

The target directory needs read and execute permissions:

 

chmod +rx /usr/bin

 

Example 2:

 

2024-09-18T15:12:17.110981-00:00 AGENTTEST phLinuxAgent[1637018]: [PH_UTIL_FILE_READ_FAILURE]:[eventSeverity]=PHL_ERROR,[procName]=phLinuxAgent,[fileName]=phMiscUtils.cpp,[lineNumber]=3597,[filePath]=/var/spool/cron,[errorNoInt]=1,[phLogDetail]=Error reading file

 

Solution: '/var/spool/cron' is a directory that needs to be monitored; errorNoInt=1 is EPERM (operation not permitted). Make sure the following permissions are set.

Parent directories need to be assigned execute permissions.

 

chmod +x /var
chmod +x /var/spool

 

The target directory needs to be assigned read+execute permissions.


chmod +rx /var/spool/cron

 

Example 3:

 

2024-09-18T15:12:17.110020-00:00 AGENTTEST phLinuxAgent[1637018]: [PH_UTIL_FILE_OPEN_FAILURE]:[eventSeverity]=PHL_ERROR,[procName]=phLinuxAgent,[fileName]=phMiscUtils.cpp,[lineNumber]=3573,[filePath]=/opt/nxsoft/test.cfg,[errorNoInt]=2,[phLogDetail]=Failed to open file

 

Solution: errorNoInt=2 is ENOENT (no such file or directory), so first confirm that '/opt/nxsoft/test.cfg' exists at the path configured in FIM; then make sure the following permissions are set correctly.

 

chmod +x /opt
chmod +x /opt/nxsoft

 

Make sure the target file has been assigned read permissions.


chmod +r /opt/nxsoft/test.cfg
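As an added example (not part of this article or of the FortiSIEM agent), the POSIX shell script below parses phoenix.log FIM error lines of the shape shown in the three examples and prints the chmod commands those examples prescribe for a given path; the function and variable names are my own, and the errno mapping is the standard Linux one.

```shell
#!/bin/sh
# Added example, not part of the FortiSIEM article or the agent's own code. Parses
# FIM error lines from phoenix.log and prints the chmod commands the article gives:
# x on every parent directory, r+x on a monitored directory, r on a monitored file.
# (Paths containing spaces are not handled.)

# Map errorNoInt to its errno name (standard Linux values).
errno_name() {
    case "$1" in
        1)  echo EPERM ;;
        2)  echo ENOENT ;;
        13) echo EACCES ;;
        *)  echo "errno $1" ;;
    esac
}
# Pull "[dirName]=..." or "[filePath]=..." out of one log line.
fim_path_from_log() {
    printf '%s\n' "$1" | sed -n -e 's/.*\[dirName\]=\([^,]*\).*/\1/p' \
                                -e 's/.*\[filePath\]=\([^,]*\).*/\1/p'
}
# Pull "[errorNoInt]=N" out of one log line.
fim_errno_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*\[errorNoInt\]=\([0-9]*\).*/\1/p'
}
# Print the chmod commands for one monitored path. $2 is "dir" or "file";
# when omitted, the kind is read from the local filesystem.
fim_fix_commands() {
    path=$1; kind=${2:-}
    if [ -z "$kind" ]; then
        if [ -d "$path" ]; then kind=dir; else kind=file; fi
    fi
    parents=""; p=$(dirname "$path")
    while [ "$p" != "/" ] && [ "$p" != "." ]; do   # collect parents, top-down
        parents="$p $parents"; p=$(dirname "$p")
    done
    for p in $parents; do echo "chmod +x $p"; done
    if [ "$kind" = dir ]; then echo "chmod +rx $path"; else echo "chmod +r $path"; fi
}
# Triage one log line: name the errno, flag ENOENT, print the remedy.
fim_triage_line() {
    path=$(fim_path_from_log "$1"); err=$(fim_errno_from_log "$1")
    [ -n "$path" ] || return 1
    echo "# $path: $(errno_name "$err")"
    [ "$err" = 2 ] && echo "# ENOENT: confirm the path exists before changing permissions"
    fim_fix_commands "$path" "${2:-}"
}
# Constructed sample line in the shape of the article's Example 1.
SAMPLE_LOG_LINE='2024-09-18T15:12:17.105563-00:00 AGENTTEST phLinuxAgent[1637018]: [PH_UTIL_DIR_OPEN_FAILURE]:[eventSeverity]=PHL_ERROR,[procName]=phLinuxAgent,[fileName]=phMiscUtils.cpp,[lineNumber]=2284,[dirName]=/usr/bin,[errorNoInt]=13,[phLogDetail]=Dir could not be opened'
fim_triage_line "$SAMPLE_LOG_LINE" dir
```

Feed real lines with `grep PH_UTIL_ /opt/fortinet/fortisiem/linux-agent/log/phoenix.log` and review the printed commands before running them.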

 

Once the above permissions are set, check again that the auditd and rsyslog services remain up and no longer restart frequently.

 

Additional reference information on setting the correct permissions for FIM can be found at the link below:

FortiSIEM Linux Agent