FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
premchanderr (Staff)
Article Id 378663
Description: This article describes how to troubleshoot a Windows Agent that shows 'Disconnected' status in the CMDB.
Scope: FortiSIEM v7.x.
Solution

The Windows Agent reports its health status to the Supervisor every minute, while events are sent via the Collector.

There are scenarios where 'Event Receive Status' is normal, with logs being received in real time, and the Agent status is still displayed as 'Disconnected'. In that case the Supervisor is not receiving health status updates from the Agent.

To begin with, determine whether the Windows Agent sends its health status directly to the Supervisor or via a Collector acting as an HTTPS proxy. Possible reasons for the Disconnected status are:

  1. Supervisor (or Collector HTTPS proxy) not receiving traffic from the Windows Agent.

The FortiSIEM node should record the agent health status requests in the HTTPD access log:

# cat /var/log/httpd/ssl_access_log

If the Agent status is Active, the status code will be 200, as below:

10.1.34.2 - - [11/Feb/2025:01:44:39 +0800] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 200 258
10.1.33.99 - - [11/Feb/2025:01:43:53 +0800] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 200 258


In this log, check for error status codes, or for the agent's traffic not reaching the Supervisor at all.

  2. Collector HTTPS proxy traffic not accepted by the Supervisor.

This can be caused by an incorrect agent-proxy.conf in the Collector's httpd configuration or by an unauthorized agent user. The traffic status will be 401 in this case.

Refer to the Agent Installation documentation, section 'Setup the Collector as an HTTPS Proxy'.

Sample error on the Collector when forwarding the health status to the Supervisor fails:

# cat /var/log/httpd/ssl_access_log

10.11.18.1 - - [20/Jan/2025:12:41:29 +0400] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 401 998
10.110.18.50 - - [20/Jan/2025:12:42:09 +0400] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 401 998


  3. Windows Agent trying to send its status, but failing due to network connectivity or being rejected as unauthorized by the Supervisor.

Review the following debug logs on the Windows server:

  • Agent Service logs: C:\ProgramData\FortiSIEM\Agent\Logs\FSMLogAgent.log
  • Agent Application logs: C:\ProgramData\FortiSIEM\Agent\Logs\Trace.log

Sample error on failure due to network connectivity:

2025-02-13 03:23:41,014 [1] ERROR FortiSIEM.Webproxy.AOWebService - NotifyStatusV2 exception
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.11.19.3:443


Sample error in the agent logs on failure due to credentials or an incorrectly configured Collector HTTPS proxy:

2025-01-06 16:39:18,862 [1] ERROR FortiSIEM.Webproxy.AOWebService - NotifyStatusV2 exception
System.Net.WebException: The remote server returned an error: (403) Forbidden.
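The following shell script is an added example for this article; it is not Fortinet or FortiSIEM code. It automates the checks described above for both log sources: it summarises the /phoenix/rest/windowsAgent/update requests in /var/log/httpd/ssl_access_log by client IP and HTTP status, lists agents whose latest health-status request was not answered with 200, and pulls the NotifyStatusV2 exceptions out of the agent's Trace.log / FSMLogAgent.log, classifying each as a network or credential/proxy failure according to the causes listed above. The sample log lines inside the script are constructed for the example (the filler INFO line in particular is invented); on a real Supervisor or Collector, point the functions at the actual log files, with the agent log first copied over from the Windows host. The function names are the example's own.

```shell
#!/bin/sh
# Added triage helper (not from the Fortinet article, not FortiSIEM code).
# It reads the two log sources the article names: the Supervisor/Collector
# httpd access log and the Windows Agent log, and reports what the article
# tells you to look for. All sample log lines below are constructed for the
# example; paths and log formats follow the lines shown in the article.

# One line per "client-IP status-code count" for health-status PUTs only.
# Fields by whitespace: $1 = client IP, $7 = request path, $9 = HTTP status.
summarize_agent_updates() {
    awk '$7 == "/phoenix/rest/windowsAgent/update" { n[$1 " " $9]++ }
         END { for (k in n) print k, n[k] }' "$1" | LC_ALL=C sort
}

# Clients whose most recent health-status PUT was not answered with 200,
# printed as "client-IP status-code"; these are the agents to check on the
# Windows side (Trace.log / FSMLogAgent.log).
failing_agents() {
    awk '$7 == "/phoenix/rest/windowsAgent/update" { last[$1] = $9 }
         END { for (ip in last) if (last[ip] != "200") print ip, last[ip] }' "$1" | LC_ALL=C sort
}

# NotifyStatusV2 failures from the agent log. The ERROR line is followed by
# the exception line; print "date time  reason" with the exception prefix removed.
agent_status_failures() {
    awk '/ERROR FortiSIEM\.Webproxy\.AOWebService - NotifyStatusV2 exception/ {
             ts = $1 " " $2
             if ((getline) > 0) {
                 sub(/^System\.Net\.WebException: /, "")
                 print ts "  " $0
             }
         }' "$1"
}

# Map a failure reason to the cause the article describes for it.
classify_failure() {
    case "$1" in
        *"Unable to connect"*|*"connection attempt failed"*) echo "network" ;;
        *"(401)"*|*"(403)"*)                                 echo "auth-or-proxy" ;;
        *)                                                   echo "other" ;;
    esac
}

# "cause  date time  reason" for every failure in the agent log.
triage_agent_log() {
    agent_status_failures "$1" | while IFS= read -r line; do
        reason=${line#*  }   # strip the "date time  " prefix
        printf '%s  %s\n' "$(classify_failure "$reason")" "$line"
    done
}

# Constructed sample of ssl_access_log: two agents healthy (200), one rejected
# (401), plus one unrelated request to show the path filter.
write_sample_httpd_log() {
    cat > "$1" <<'EOF'
10.1.34.2 - - [11/Feb/2025:01:44:39 +0800] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 200 258
10.1.33.99 - - [11/Feb/2025:01:43:53 +0800] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 200 258
10.1.34.2 - - [11/Feb/2025:01:45:39 +0800] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 200 258
10.11.18.1 - - [11/Feb/2025:01:46:29 +0800] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 401 998
10.1.34.2 - - [11/Feb/2025:01:46:40 +0800] "GET /example/unrelated-request HTTP/1.0" 200 12
EOF
}

# Constructed sample of Trace.log: a network failure and a 403, separated by an
# invented filler line (the real format of a success line is not shown in the article).
write_sample_agent_log() {
    cat > "$1" <<'EOF'
2025-02-13 03:23:41,014 [1] ERROR FortiSIEM.Webproxy.AOWebService - NotifyStatusV2 exception
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed 10.11.19.3:443
2025-02-13 03:24:41,020 [1] INFO  constructed filler line, not a NotifyStatusV2 error
2025-02-13 16:39:18,862 [1] ERROR FortiSIEM.Webproxy.AOWebService - NotifyStatusV2 exception
System.Net.WebException: The remote server returned an error: (403) Forbidden.
EOF
}

# Stand-alone demo: run every function over the constructed samples.
demo_dir=$(mktemp -d)
write_sample_httpd_log "$demo_dir/ssl_access_log"
write_sample_agent_log "$demo_dir/Trace.log"
echo "== health-status PUTs per client and status =="
summarize_agent_updates "$demo_dir/ssl_access_log"
echo "== agents whose last update was not 200 =="
failing_agents "$demo_dir/ssl_access_log"
echo "== agent-side failures =="
triage_agent_log "$demo_dir/Trace.log"
rm -rf "$demo_dir"
```

Run it with sh. The output maps onto the numbered causes: an agent missing from the per-IP summary matches cause 1, a 401 in the summary matches cause 2, and a 'network' or 'auth-or-proxy' entry in the agent-side output matches cause 3.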


For any 401 errors, try deploying the agent with a new agent user created in FortiSIEM, and test with different special characters in the password.

If the issue persists, contact Fortinet Support with the above details and screenshots.

Related articles:

Troubleshooting Tip: Windows Agent registered with Supervisor but not uploading events

Technical Tip: Windows Agent Registration with Supervisor Troubleshooting