FortiSIEM
flunaibarra
Staff
Article Id 391430
Description

This article describes how to troubleshoot a Linux agent that is registered with the Supervisor but is not uploading events to a Collector.

Before proceeding, review the compatibility matrix (FortiSIEM Version Compatibility) to verify that the registered Linux Agent version is compatible with the Supervisor and Collector.

Scope

FortiSIEM v6.3.3 - 7.4.x, Linux Agent v6.3.x - v7.4.x.
Solution

Prerequisites:

CMDB-Template.png

Make sure the template association name appears in the CMDB > Agent Policy column, as shown in the image above.

Troubleshooting

When the Linux agent is registered with the Supervisor, the following outbound communication is created:

https://<SupervisorIP/FQDN>:443/phoenix/rest/register/linuxAgent

At the same time, the following outbound UPDATE request is made:

https://<SupervisorIP/FQDN>:443/phoenix/rest/linuxAgent/update

After the template is created and applied, the agent uses the following outbound HTTPS endpoint on the Collector to upload events:

https://<CollectorFQDNorIP>:443/linuxupload

Cause 1: Connection from Collector to Supervisor.

The Collector Health tab should show the Collector Status as Normal. If there is an issue with the Collector, see the following article to troubleshoot Collector issues:

Troubleshooting Tip: How to troubleshoot collector issues

Cause 2: The Linux agent is not uploading the events to the assigned Collector.

When the template association is applied, the agent uploads events to the Collector IP/FQDN shown in the GUI > Collector Health tab:

Association.png

Ensure the agent can connect to this IP/FQDN on port 443. Test from the Linux host with wget:

wget --no-check-certificate https://<Collector_IP>:443/

wget-test.png

Cause 3: The Collector is configured with Private and Public IPs.

If the Collector was configured with the Supervisor using a Private IP, the GUI shows the private IP for the Collector.

The agent needs to use the Public IP instead. Use the Virtual Collector option in the agent template association, add the Public IP, and Apply.

Virtual-IP.png

Cause 4: Network configuration is causing a connection issue from the Linux host to the Collector.

To confirm the agent is uploading events correctly, run the following command on the Collector, filtering on the Linux host IP:

tail -f /etc/httpd/logs/ssl_access_log | grep <HOST_IP>

If no log entries appear in the tail output, remove the filter:

tail -f /etc/httpd/logs/ssl_access_log

If there are no logs at all, the connection between the agent and the Collector must be checked.

Use tcpdump on the Collector to filter for the host IP on port 443 (options go before the filter expression), for example:

tcpdump -vvv host <HOST_IP> and tcp port 443

Cause 5: Only some events are uploaded, but a specific one is not.

Review the two agent log files for more information about any failed uploads or errors:

/opt/fortinet/fortisiem/linux-agent/log/fortisiem-linux-agent.log
/opt/fortinet/fortisiem/linux-agent/log/phoenix.log

Also, review the Linux Agent Installation Guide and the Configuring Linux Agent guide to ensure that all required permissions and packages are correctly set up on the Linux host.
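The following script is an added example, not part of this article or of FortiSIEM: it automates the ssl_access_log check from Cause 4 and tells you whether the result points at connectivity (Causes 2 to 4) or at the agent-side logs (Cause 5). It assumes the Collector's ssl_access_log uses Apache's combined log format and that agent uploads appear as "POST /linuxupload" requests; the log lines embedded below are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example, not from the article: summarise a Linux Agent host's uploads in the
# Collector's ssl_access_log and map the result to the causes above. Assumes Apache's
# combined log format and that agent uploads appear as "POST /linuxupload" requests.

# upload_summary HOST_IP   (reads access-log lines on stdin)
# Prints one line per HTTP status seen for that host: "<status> <count> <last seen>".
upload_summary() {
  awk -v host="$1" '
    # Combined format: $1 client IP, $4 "[timestamp", $6 quoted method, $7 path, $9 status.
    $1 == host && $6 == "\"POST" && $7 == "/linuxupload" {
      count[$9]++
      last[$9] = substr($4, 2)   # drop the leading "["
    }
    END { for (s in count) printf "%s %d %s\n", s, count[s], last[s] }
  ' | sort
}

# upload_verdict HOST_IP   (reads access-log lines on stdin)
# Exit 0: uploads arriving with 2xx.  Exit 1: the host never reached /linuxupload
# (connectivity, Causes 2-4).  Exit 2: uploads reach the Collector but fail (Cause 5).
upload_verdict() {
  summary=$(upload_summary "$1")
  [ -n "$summary" ] || return 1
  failed=$(printf '%s\n' "$summary" | awk '$1 !~ /^2/')
  [ -z "$failed" ] || return 2
  return 0
}

# Constructed sample lines standing in for /etc/httpd/logs/ssl_access_log.
SAMPLE_LOG='10.0.0.15 - - [10/Jun/2025:10:01:02 +0000] "POST /linuxupload HTTP/1.1" 200 17 "-" "-"
10.0.0.15 - - [10/Jun/2025:10:01:32 +0000] "POST /linuxupload HTTP/1.1" 200 17 "-" "-"
10.0.0.22 - - [10/Jun/2025:10:01:40 +0000] "POST /linuxupload HTTP/1.1" 403 0 "-" "-"
10.0.0.99 - - [10/Jun/2025:10:02:00 +0000] "GET / HTTP/1.1" 404 196 "-" "-"'

# On a real Collector: tail -n 5000 /etc/httpd/logs/ssl_access_log | upload_summary <HOST_IP>
for host in 10.0.0.15 10.0.0.22 10.0.0.99; do
  echo "== $host =="
  printf '%s\n' "$SAMPLE_LOG" | upload_summary "$host"
  rc=0
  printf '%s\n' "$SAMPLE_LOG" | upload_verdict "$host" || rc=$?
  echo "verdict: $rc"
done
```

In the sample data, 10.0.0.15 uploads successfully, 10.0.0.22 reaches the Collector but is rejected with 403 (so the agent logs are the next stop), and 10.0.0.99 only made a wget test request and never reached /linuxupload.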