FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
flunaibarra
Staff
Article Id 310203
Description

This guide describes the troubleshooting steps to take when a Windows Agent is registered with a Supervisor but is not uploading events to a Collector.

Before proceeding, review the compatibility matrix to verify that the correct Windows/Linux agent version is registered with a compatible Supervisor and Collector version.

Scope

Windows Agent v4.4.x, v5.x, v7.x.x, v7.1.x, v7.2.x. Supervisor and Collector v6.x, v7.x, v7.1.x, v7.2.x.

Solution

Prerequisites:

  • The Agent registered successfully with the Supervisor: in CMDB, the host Status shows as Approved.
  • A Windows Agent Monitoring Template is defined and associated with the host, and the association has been applied.


Registration.png


Monitor-Template.png


Association-Template.png

Make sure to press the 'Apply' button, located between the Delete and Up buttons in the host template association section. Note: if Apply is not pressed, the changes are not sent to the Agent.

Troubleshooting:

Understanding the three connections in the communication flow:

  1. Registration and updates: the Agent connects outbound over HTTPS (443) to the Supervisor to register and to send updates:
    https://<SupervisorIP/FQDN>:443/phoenix/rest/register/windowsAgent
    https://<SupervisorIP/FQDN>:443/phoenix/rest/windowsAgent/update
  2. Event upload: after the template association is applied, the Agent connects outbound over HTTPS (443) to the Collector to upload the events:
    https://<CollectorIP/FQDN>:443/winupload_direct?<AgentID>
  3. The Collector uploads the events to the Supervisor over HTTPS (443).

All three connections are initiated by the sending side, so no inbound port has to be opened on the Agent host; only outbound 443 to the Supervisor and to the Collector is required.


Cause 1: Issue with the connection from the Collector to the Supervisor.

Make sure the Collector's Health Status shows as Normal and that Last File Received keeps updating. If the Collector cannot reach the Supervisor, events from the Agent stop at the Collector even though the Agent side is working.

 

Collector-Status.png

 

If there is an issue with the Collector, see the article on common Collector issues.

 

Cause 2: Agent not uploading the events to the assigned Collector.

When the template association is applied, the Agent uses the Collector IP/FQDN configured in that association to upload the events.

 

Collector-Template.png

 

As a result, the Agent host must be able to reach this exact Collector IP or FQDN on TCP port 443.

 

  • Test the connection from the host to the Collector on port 443 with the following command in PowerShell:

 

Test-NetConnection <Collector_IP> -Port 443

 

test-connection.png

 

The result should show 'TcpTestSucceeded : True'.
If the result is 'TcpTestSucceeded : False', check the network configuration (firewall rules, routing, NAT). If an FQDN is used, also compare the RemoteAddress in the output with the expected Collector IP: a stale DNS record can point the Agent at the wrong host.

 

Cause 2.1: The Collector is configured with private and public IPs.

If the Collector IP shown in the Health tab is a private IP and the Agent must use the public IP instead, use the Virtual Collector option in the Template Association configuration, enter the public IP and Save. The Agent is then told to upload to the Virtual Collector IP instead of the address the Collector reports to the Supervisor.

 

AssociationVCIP.png

 

Note:

Make sure to press the 'Apply' button; otherwise the new Collector address is not sent to the Agent.

 

Cause 3: Network configuration causing the connection issue.

 

On the Collector, run the following command to confirm that the host is reaching the Collector and to verify the HTTP status codes returned to it:

 

grep '<HOST_IP>' /etc/httpd/logs/ssl_access_log

 

A 200 on the winupload_direct requests means the Collector accepted the upload. 4xx/5xx codes mean the request did arrive but was rejected or failed, so the problem is on the Collector rather than in the network.

  • If there are no matching entries, drop the host IP filter and check whether any Agent traffic is reaching the Collector at all. Depending on the network configuration (NAT, proxy), the traffic may arrive from a different source IP than the host's own address.

 

cat /etc/httpd/logs/ssl_access_log

 

Cause 4: Supervisor list (supers) causing an IP conflict.

If a Supervisor IP or FQDN is configured under Admin -> Settings -> System -> Cluster Config -> Supervisors, this IP/FQDN is pushed to the Agent as its Supervisor list and can conflict with the address the Agent registered with.


Cluster_Config.png

To confirm this, on the Windows host open RegEdit and go to HKEY_LOCAL_MACHINE\Software\Fortinet\FortiSIEM; the 'supers' value holds the list the Agent received.

 

RegEdit_IP.png

 

Solution 1:

  1. Remove the IP/FQDN from Admin -> Settings -> System -> Cluster Config -> Supervisors.
  2. In RegEdit, double-click the 'supers' value and remove the IP/FQDN.
  3. Restart the FSMLogAgent process: open Task Manager -> Processes -> select FSMLogAgent -> End task. The process starts again automatically.

 

Solution 2:

  1. If the Supervisor IP/FQDN is needed in the Cluster Config tab, uninstall the Agent by running FSMLogAgent.exe and clicking Uninstall, as described in the Agent Installation Guide.
  2. Rerun the installation/registration and use the Supers Override option in the Registration window, entering the same Supervisor IP that is used for registration. For example:


Supers_Overide.png

 

Cause 5: No Agent traffic reaching the Collector.

 

If no traffic reaches the Collector, set the Agent log level to DEBUG and review which IP/FQDN the Agent is actually using to upload the events:

  1. Open Notepad as Administrator.
  2. Open the file C:\Program Files\Fortinet\FortiSIEM\log4net.config.
  3. Replace <LogLevel>ERROR</LogLevel> with <LogLevel>DEBUG</LogLevel> and save.
  4. Wait 5 to 10 minutes for debug logs to be written.
  5. Check the Agent application log at C:\ProgramData\FortiSIEM\Agent\Logs\Trace.log. Look for errors and for the IP/FQDN the Windows Agent is using to upload the events. For example:

 

Successful_DEBUG_upload.png

 

Note:

Revert the change in log4net.config to <LogLevel>ERROR</LogLevel> once the investigation is finished; DEBUG logging grows Trace.log quickly.
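The following script is an added example for this article (not Fortinet's code). It collects the Cause 4 and Cause 5 evidence from the Agent host in one place: it dumps the Agent's registry values and flags a populated 'supers' list, switches the log4net level by editing the XML rather than the raw text, and extracts from Trace.log the https:// targets the Agent is really using. The registry key, the 'supers' value name and the two file paths are the ones named in this article; the functions, the 5000-line tail and the 600-second wait are assumptions of the example. Run it from an elevated PowerShell session because the files live under Program Files and ProgramData.

```powershell
# Added example, not from the article. Paths and value names are those the
# article gives; everything else (function names, tail size, wait) is assumed.
$RegKey   = 'HKLM:\SOFTWARE\Fortinet\FortiSIEM'
$Log4Net  = 'C:\Program Files\Fortinet\FortiSIEM\log4net.config'
$TraceLog = 'C:\ProgramData\FortiSIEM\Agent\Logs\Trace.log'

# Cause 4: list the Agent's registry values and flag a populated 'supers'
# list, which is where the Cluster Config Supervisors entry ends up.
function Get-FsmAgentRegistry {
    $props = Get-ItemProperty -Path $RegKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... added by the provider
        $note = ''
        if ($p.Name -eq 'supers' -and -not [string]::IsNullOrWhiteSpace([string]$p.Value)) {
            $note = 'supers is set: compare it with the Supervisor used at registration (Cause 4)'
        }
        [pscustomobject]@{ Name = $p.Name; Value = $p.Value; Note = $note }
    }
}

# Cause 5, steps 2-3: set every <LogLevel> element in log4net.config.
# Loading the file as XML keeps the rest of the configuration untouched.
function Set-FsmAgentLogLevel {
    param([Parameter(Mandatory)][ValidateSet('ERROR', 'DEBUG')][string]$Level)
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Log4Net)
    $nodes = $xml.SelectNodes('//LogLevel')
    if ($nodes.Count -eq 0) { throw "No <LogLevel> element found in $Log4Net" }
    foreach ($n in $nodes) { $n.InnerText = $Level }
    $xml.Save($Log4Net)
    "LogLevel set to $Level in $($nodes.Count) element(s)"
}

# Cause 5, step 5: pull every https:// URL from the newest Trace.log lines and
# count them per host and path. The winupload_direct rows show which
# Collector address the Agent is uploading to; the phoenix/rest rows show the
# Supervisor it talks to.
function Get-FsmAgentUploadTargets {
    param([int]$Tail = 5000)   # assumed: only lines written after enabling DEBUG matter
    Get-Content -Path $TraceLog -Tail $Tail |
        Select-String -Pattern 'https://[^\s"''<>]+' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object {
            $u = [uri]$_.Value
            [pscustomobject]@{ Host = $u.Host; Path = $u.AbsolutePath }
        } |
        Group-Object Host, Path |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Host'; e = { $_.Group[0].Host } },
            @{ n = 'Path'; e = { $_.Group[0].Path } }
}

# Cause 4, Solution 1 step 3: the article ends the FSMLogAgent task and notes
# that the process restarts on its own, so a forced stop is all that is needed.
function Restart-FsmAgent {
    Stop-Process -Name FSMLogAgent -Force -ErrorAction Stop
}

# Typical run: inspect the registry, enable DEBUG, let the Agent log a few
# upload cycles, read the targets, then put the level back to ERROR.
Get-FsmAgentRegistry | Format-Table -AutoSize
Set-FsmAgentLogLevel -Level DEBUG
Start-Sleep -Seconds 600
Get-FsmAgentUploadTargets | Format-Table -AutoSize
Set-FsmAgentLogLevel -Level ERROR
```

If Get-FsmAgentUploadTargets shows winupload_direct going to a host other than the Collector (or Virtual Collector IP) configured in the template association, the Agent has not received the applied association, which points back at the Apply button in the prerequisites or at the 'supers' entry from Cause 4. If it shows no https:// lines at all after the wait, the Agent is not attempting uploads, and Trace.log should be read for the error that precedes the upload step.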