FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
flunaibarra (Staff)
Article Id 304400
Description This article describes how to register the Linux agent with the Supervisor and how to troubleshoot a failed registration.
Before going through this documentation, review the document links below to verify that the Linux agent package matches the version of the FortiSIEM Supervisor it will be registered with.

Scope Linux Agent 6.x, 7.x, 7.1.x, 7.2.x.
Supervisor 6.x.x, 7.0.x, 7.1.x, 7.2.x.
Solution

Prerequisites:


  • From FortiSIEM - Create a new agent user account:
    • For Enterprise: Go to CMDB -> Users -> FortiSIEM Users -> New -> Add User Name, select the pencil icon beside System Admin, check Agent Admin, add a password, and Save.
    • For Service Provider: Go to Global View -> Admin -> Setup -> Organization -> Select the Organization -> Edit -> Agent User: Enter a username, Agent Password: Enter a password -> Save.
      • Collect the Organization's information from Admin -> Setup -> Organization (Organization Name and Organization ID).

  • From Linux Host:

[Image: wget_SP.png]


    • Run the Installation script:

bash fortisiem-linux-agent-installer-7.x.xxxxxx.sh -s <SUPER_IP> -i <ORG_ID> -o <ORG_NAME> -u <AGENT_USER> -p <AGENT_PWD> -n <HOST_NAME>

    • If all the prerequisites are correct, the script registers the agent successfully.

[Image: Linux_bash_successful.png]

If the script finds an issue, it prints an error message indicating the cause of the failure.

[Image: linux_bash_fail.png]


Troubleshooting:


There are 3 main reasons for the registration to fail:

  1. Package requirements are not installed on the host, or the OS version is not supported.
  2. Registration information is incorrect. This includes the Supervisor IP/FQDN, username, password, Org name, and Org ID.
  3. Connection issues, including network configuration/communication on port 443, NAT, SSL inspection, external firewall rules blocking traffic, and certificate configuration.


  • Review the Debugging information available in two log files:

/opt/fortinet/fortisiem/linux-agent/log/fortisiem-linux-agent.log
/opt/fortinet/fortisiem/linux-agent/log/phoenix.log

If error codes 401 and 403 are found, review registration information, such as the ORG name, ORG ID, agent username, and password. If necessary, create a new agent user account.


  • Check the Supervisor logs to verify the host connection. SSH to the Supervisor and run:

grep <host_IP> /etc/httpd/logs/ssl_access_log

[Image: httpd_registration.png]


Review the HTTP status code.

  • Leave the tail command running on the Supervisor and run the installation on the host:

tail -f /opt/glas*/dom*/dom*/logs/phoenix.log     # registration log entries will appear here


For example:

[Image: Super_Registration-logs.png]


If no registration logs are showing in the phoenix.log, the host is not reaching the Supervisor on port 443. Check network configuration.