Troubleshooting Tip: Event Status Shows ‘Critical’ in Agent Health After Firmware Upgrade, Despite Normal Event Transmission

koolishami · ‎09-26-2024

Description

This article provides a step-by-step guide to resetting the Agent's Event Status from ‘Critical’ to ‘Normal,’ even when the Agent is sending events normally.

Scope

FortiSIEM v7.x+.

Solution

This issue typically arises after a FortiSIEM upgrade, during which the Agents temporarily lose connection with FortiSIEM for a few minutes.

Pre-requisites:

The Agent displays a Critical status under Admin -> Health- > Agent Health -> Event Status.
The Agent displays a Normal status under Admin -> Health -> Agent Health -> Monitor Status.
Selecting the Event Receive Status reveals two or more metrics.
The oldest 'Last Successful' status is marked Critical (highlighted red), while the latest is Normal (highlighted green).
An example of screenshot is seen below:

Steps to Resolve:

For FortiSIEM versions below 7.2.0:

Navigate to CMDB and select the affected device(s).
Select the Monitor tab.
In the Event Receive Status window, locate and click the small Delete button to remove the critical metric.

For FortiSIEM versions 7.2.0 and above:

Navigate to CMDB and select the affected device(s).
Select Actions -> Details -> Monitor.
Select the metric marked as Critical and delete it.

Troubleshooting Tip: Event Status Shows ‘Critical’ in Agent Health After Firmware Upgrade, Despite Normal Event Transmission

You are leaving our website