FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
flunaibarra
Staff
Article Id 367536
Description
This article describes how to troubleshoot Windows and Linux Agent registration when a Collector is used as a Proxy.
Make sure to review the FortiSIEM Compatibility Matrix to verify that the correct Windows/Linux agent version is registered with a compatible Collector version: FortiSIEM Version Compatibility for Rocky Linux Based Releases.
Scope

Windows Agent from v4.4.x, to v7.3.x.

Linux Agent from v6.x.x, to v7.3.x.

Supervisor and Collector from v6.x, to v7.3.x.

Solution
  1. The Collector's Health Status should show as Normal:

[Image: Collector-Health.png]

If the Collector has an issue, review the common Collector issues in the following KB article:

Troubleshooting Tip: How to troubleshoot collector issues.
  2. The agent-proxy.conf file should already exist on the Collector. Ensure it contains no typos:

  3. Run the agent installation using the Collector IP as the Supervisor address. For example:

    • For Linux Agent installation:

    [Image: Linux_bash1.png]

    • For Windows Agent installation:

    [Image: WinRegistration.png]

Note:

If an IP is configured in Admin -> Settings -> System -> Cluster Config tab -> Supervisors.

[Image: cluster-conf.png]

Alternatively, if the agent installation is performed in a locked-down or private network, use the Supervisor Override option and enter the same Collector IP.

The Supervisor Override option is available from Windows Agent v7.1.7 or later, and from Linux Agent v7.3.0 or later.

Troubleshooting:
Understand the communication flow:

The agent registers with the Collector over outbound HTTPS (TCP 443), which is the only connection required for this setup. The agent uses this outbound connection to register, send updates, and upload events.
  1. Test the connection from the host to the Collector IP on port 443:

  • From the Linux host, use wget:

wget --no-check-certificate https://<Collector_IP>:443

[Image: wget-Linux.png]

  • From a Windows host, run the following command in PowerShell:

Test-NetConnection <Collector_IP> -port 443

[Image: Test-Con-Win.png]

  2. Confirm the host is reaching the Collector and verify the HTTP codes:

  • Run the following command on the Collector, filtering on the host's IP:

cat /etc/httpd/logs/ssl_access_log | grep <HOST_>

[Image: cat-ssl_access_log.png]

  • If no lines match the host's IP, view the log without a filter to check whether agent traffic reaches the Collector at all. Depending on the network configuration, the traffic may arrive from a different source IP than expected:

cat /etc/httpd/logs/ssl_access_log
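The HTTP-code check above, as an added example that is not part of the original article: a small Python parser over constructed ssl_access_log lines (Apache combined format) that counts the status codes seen from a given host IP, lists non-2xx requests, and also reports the other client IPs present, for the case where the agent traffic arrives from a different source address. The request paths and IP addresses in the sample are placeholders, not real FortiSIEM endpoints.

```python
import re
from collections import Counter

# Apache "combined" format, as written to /etc/httpd/logs/ssl_access_log on the Collector.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; paths and addresses are placeholders, not real FortiSIEM endpoints.
SAMPLE_LOG = """\
10.5.8.50 - - [12/Mar/2025:10:01:02 +0000] "POST /agent/register HTTP/1.1" 200 512 "-" "FortiSIEM-Agent"
10.5.8.50 - - [12/Mar/2025:10:01:05 +0000] "POST /agent/upload HTTP/1.1" 200 128 "-" "FortiSIEM-Agent"
10.5.8.50 - - [12/Mar/2025:10:02:00 +0000] "POST /agent/upload HTTP/1.1" 503 0 "-" "FortiSIEM-Agent"
192.0.2.7 - - [12/Mar/2025:10:03:11 +0000] "POST /agent/register HTTP/1.1" 401 0 "-" "FortiSIEM-Agent"
this line is not an access-log record
"""


def parse_ssl_access_log(text):
    """Yield one dict (ip, ts, method, path, status) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def agent_status_report(text, host_ip):
    """Summarise what the Collector's web server saw from host_ip.

    Returns (seen, status_counts, failures, other_clients):
      seen          - True if at least one request from host_ip was logged
      status_counts - Counter of HTTP status codes for host_ip
      failures      - [(timestamp, path, status), ...] for non-2xx responses
      other_clients - other client IPs in the log, sorted; check these when
                      NAT or a proxy rewrites the agent's source address
    """
    counts, failures, others = Counter(), [], set()
    for rec in parse_ssl_access_log(text):
        if rec["ip"] != host_ip:
            others.add(rec["ip"])
            continue
        counts[rec["status"]] += 1
        if not rec["status"].startswith("2"):
            failures.append((rec["ts"], rec["path"], rec["status"]))
    return bool(counts), counts, failures, sorted(others)


if __name__ == "__main__":
    seen, counts, failures, others = agent_status_report(SAMPLE_LOG, "10.5.8.50")
    print("seen:", seen, "codes:", dict(counts))
    for ts, path, status in failures:
        print(f"non-2xx {status} at {ts} on {path}")
    print("other client IPs:", others)
```

On a real Collector, read the file instead of SAMPLE_LOG and pass the host's IP; an empty result with other client IPs listed is the NAT case described above.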

 

  3. Change the log level to DEBUG:

For a Linux host:

Locate the log-level setting in the agent configuration file:

cat /opt/fortinet/fortisiem/linux-agent/config/linux-agent-config.txt

Change ACE_LOG_LEVEL=INFO to ACE_LOG_LEVEL=DEBUG.

Review the debugging information in the two log files:

  • The Application log: /opt/fortinet/fortisiem/linux-agent/log/phoenix.log.
  • The Service log: /opt/fortinet/fortisiem/linux-agent/log/fortisiem-linux-agent.log.

For Windows Agent:

Follow the steps in the Agent Installation Guide -> Troubleshooting: FortiSIEM Windows Agent 7.2.x.

With debug logging enabled, the log should contain the following line if the agent is uploading to the correct Collector IP/FQDN:

DEBUG FortiSIEM.Webproxy.CollectorManager - SendData to server : 10.5.8.122

If the Collector is configured with both a public and a private IP, the debug log will show the private IP/FQDN, because that is the address the Agent received, as shown in the Collector Health tab.

To fix this, add the public Collector IP under Host to Template Associations -> Virtual Collectors -> Save -> Apply.

Example:

[Image: Virtual_Collector.png]