Installation Procedure: 

1. The Collector's Health Status should show as Normal:

If the collector has an issue, use the following KB article to review common collector issues: 

Troubleshooting Tip: How to troubleshoot collector issues.

2. The agent-proxy.conf file should already be created in the Collector. Ensure there are no typos:

• For Windows Agent, review the proxy configuration: FortiSIEM Windows Agent 7.2.x.
• For Linux Agent, review the proxy configuration: FortiSIEM Linux Agent.
• Ensure the httpd service has been restarted.

2. Run the agent installation using the Collector IP as the Supervisor. For example:

• For Linux Agent installation:

• For Windows Agent installation:
                                                             

Note: If an IP is configured in Admin -> Settings -> System -> Cluster Config tab -> Supervisors.

Or, if the agent installation is performed in a locked-down or private network, use the Supervisor Override option by entering the same Collector IP.

The Supervisor Override option is available from Windows Agent v7.1.7 or later.

For Linux Agent from v7.3.0.

Troubleshooting steps: 

Understand the Communication flow:

The agent will register with the Collector using -> Outbound HTTPS (443), which will be the only connection for this setup. The agent will use this outbound connection to register, send updates, and upload events.

Issue 1: Agent failed to register. Test the connection from the host to the Collector IP on port 443:

• From the Linux host, use the command wget:

wget --no-check-certificate https://<Collector_IP>:443

• From a Windows host with the following command in PowerShell:

Test-NetConnection <Collector_IP> -port 443

Issue 2: Agent registered successfully, but is not uploading events.

Confirm that the Super Override option was used during the registration.

For Linux Agent:
Review the log: /opt/fortinet/fortisiem/linux-agent/log/phoenix.log.

For Windows Agent:
 Go to the RegEdit -> Registry Folder: 

HKEY_LOCAL_MACHINE\Software\Fortinet\FortiSIEM

Solution: If the Supers field contains the Supervisor IP or FQDN, it is causing the issue with the upload events.

Uninstall the agent using the same file installer as the Configuration Guide indicates: Uninstalling Windows Agent.

Reinstall the agent using the option Super Override -> Add the same Collector IP.

1. Confirm the host reaches Collector correctly by verifying the HTTP codes in the Collector log:

• Run the following command on the Collector:

cat /etc/httpd/logs/ssl_access_log | grep <HOST_>

• If no logs filter the host's IP, check if agent traffic reaches the Collector without filtering any IP. The traffic might be sent with a different host IP depending on the networking configuration.

cat /etc/httpd/logs/ssl_access_log

2. Change log-level to 'DEBUG':

For a Linux host:

cat /opt/fortinet/fortisiem/linux-agent/config/linux-agent-config.txt

Change ACE_LOG_LEVEL=INFO ->  ACE_LOG_LEVEL=DEBUG.

Review the debugging information in the 2 log files:

• The Application log: /opt/fortinet/fortisiem/linux-agent/log/phoenix.log.
• The Service log: /opt/fortinet/fortisiem/linux-agent/log/fortisiem-linux-agent.log.

For Windows Agent:

Following the steps from the Agent Installation Guide -> Troubleshooting: FortiSIEM Windows Agent 7.2.x.

The Debug should show the following log if the uploading is to the correct Collector IP/FQDN:

DEBUG FortiSIEM.Webproxy.CollectorManager - SendData to server : 10.5.8.122

Note: If the Collector is configured with public and private IPs, the debug logs will show the private Collector IP/FQDN. The Agent received this IP/FQDN, as shown in the Collector Health tab.

To fix this, add the Public Collector IP in Host to Template Associations -> Virtual Collectors -> Save -> Apply.

Example: