Technical Tip: Manually change the collector_type value for the FortiSIEM Collector

mnovelli · ‎02-23-2024

Description

This article describes some situations where FortiSiem wrongly maps the Collector type value. Specifically, FortiSiem is recognizing a 500F hardware collector as a VM Collector type.

Unregistering/re-registering the collector does not solve the problem. Even if possessing a lot of 500F collectors, the issue can happen only for a few units. It is not a general anomaly.

Scope

FortiSIEM v7.x MSSP deployment.

Solution

Since the Collector Type value is used for description purposes only, it is possible to change the value manually from the PostgreSQL console. Access Supervisor CLI and run the following command:

Access to PostgreSQL console:

psql -U phoenix phoenixdb

Run the following command:

update ph_sys_collector set collector_type = '<value>' where name='<collector-name>';

Available values for collector_type are:

0 VM.
1 Hardware.
2 Docker.

The collector-name can be retrieved from GUI from Admin -> Health Check -> Collector Health tab.

A command example would be then:

update ph_sys_collector set collector_type = '1' where name='collector1';

A UPDATE=1 message should be displayed after sending the command.

Verify if the Collector Type has changed. So, access again to GUI and then to Admin -> Health Check -> Collector Health tab.