FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
koolishami
Staff
Article Id 408001
Description

This article describes a scenario where the Cloud Health dashboard shows Worker Data EPS as 0, even though the GUI displays the Worker status as Normal.

 

Upon investigation, the cause may be an unexpected modification of the /etc/httpd/accounts/passwds file, which breaks HTTP Basic authentication between the Workers and the Supervisor. Apache then logs HTTP 401 (Unauthorized) for every upload request, and the event traffic is rejected before it reaches the database.

Scope

FortiSIEM v7.3+.
Solution

When the issue occurs, follow these steps:

 

  1. Validate firewall configurations.

Ensure no recent changes were made to firewall NAT policies or objects used for FortiSIEM traffic.

 

  2. Check the ClickHouse connection.

  • Navigate to GUI -> Admin -> Settings -> ClickHouse Config and run the Test option.
  • If 'successful', but EPS is still 0, proceed to log checks.

 

  3. Review Apache access logs on the Worker Data node:

tail -f /var/log/httpd/ssl_access_log

 

Look for repeated 401 status codes. The third field of each entry is the ID of the node that failed Basic authentication, so the same IDs will appear again in the error log. For example:


100.100.200.100 - 10131 [24/Aug/2025:13:26:11 +0700] "PUT //evthandler2?10131 HTTP/1.1" 401 381
60.10.100.100 - 10087 [24/Aug/2025:13:26:13 +0700] "PUT //fwdupload?10087 HTTP/1.1" 401 381

 

  4. Review Apache error logs for authentication errors:


tail -f /var/log/httpd/ssl_error_log


Look for auth_basic:error messages such as:


AH01618: user 10131 not found: /fwdupload
AH01618: user 10087 not found: /evthandler2

 

  5. Inspect the /etc/httpd/accounts/passwds file.
    Every line must have the form <user ID>:<password hash>. If the file contains unexpected data on the first line, authentication fails for all users, which is why the error log reports every Worker as 'not found'.

 

Example:


<unexpected_data_here>
1:{SHA}FeSgn0J/...
10003:$6$XFV6G6...
10004:$6$7uICCe...

 

  6. Fix the passwds file.

  • Before editing, back up the file and note its modification time; an unexpected change to an authentication file should be traced, not only repaired.

  • Open the file and delete the unexpected line (the first line in the example above), so that every remaining line has the form <user ID>:<hash>:

vi /etc/httpd/accounts/passwds

  • Save the corrected file:

    • Press 'ESC' on the keyboard.
    • Type :wq and press Enter to write the file and quit.

 

  7. Verify logs again.

  • Monitor /var/log/httpd/ssl_access_log.

  • 401 errors should decrease and be replaced by 200 success codes.

  • Example of normal entry:


60.10.100.100 - 10087 [25/Aug/2025:13:00:20 +0800] "PUT //evthandler2?10003 HTTP/1.1" 200 -

 

  8. Confirm EPS recovery.

  • Return to Cloud Health GUI.

  • The Worker Data EPS should now return to normal levels, indicating that logs are being received correctly.
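The log checks and the passwds clean-up from steps 3 to 6, as an added shell example that is not part of this article or of FortiSIEM. It runs against constructed sample data modelled on the excerpts above; the real file paths are only given in comments, and the helper function names, the backup naming and the exact error-log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration, not FortiSIEM's own tooling: the checks from steps 3 to 6
# as shell functions, exercised on constructed sample data modelled on the log
# lines and the passwds excerpt in this article. To use them on a Worker, pass
# the real paths: /var/log/httpd/ssl_access_log, /var/log/httpd/ssl_error_log
# and /etc/httpd/accounts/passwds.

# Step 3. Apache combined-format fields are
#   client ident authuser [time zone] "method path proto" status bytes
# so the authenticating node ID is field 3 and the status code is field 9.
# Prints "<count> <user>" for each user that received a 401, most frequent first.
users_with_401() {
    awk '$9 == "401" { print $3 }' "$1" | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Step 4. User IDs that mod_auth_basic reported as missing (AH01618), one per line.
auth_users_not_found() {
    sed -n 's/.*AH01618: user \([^ ]*\) not found.*/\1/p' "$1" | sort -u
}

# Step 5. Every passwds line must look like "<numeric id>:<hash>". Prints any
# line that does not as "<lineno>:<content>" and returns 1; returns 0 if clean.
check_passwds() {
    bad=$(grep -n -v -E '^[0-9]+:.+$' "$1" || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Step 6. Non-interactive equivalent of the vi edit in the article: keep a
# timestamped backup (assumed naming), then rewrite the file in place so its
# owner and mode are preserved (cat > file rather than mv of a new file).
fix_passwds() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
    grep -E '^[0-9]+:.+$' "$1" > "$1.tmp" || { rm -f "$1.tmp"; return 1; }
    cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Constructed sample data (not real captures): two nodes failing with 401,
# one later succeeding, and a passwds file with a stray first line.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/ssl_access_log" <<'EOF'
100.100.200.100 - 10131 [24/Aug/2025:13:26:11 +0700] "PUT //evthandler2?10131 HTTP/1.1" 401 381
60.10.100.100 - 10087 [24/Aug/2025:13:26:13 +0700] "PUT //fwdupload?10087 HTTP/1.1" 401 381
100.100.200.100 - 10131 [24/Aug/2025:13:26:15 +0700] "PUT //evthandler2?10131 HTTP/1.1" 401 381
60.10.100.100 - 10087 [25/Aug/2025:13:00:20 +0800] "PUT //evthandler2?10003 HTTP/1.1" 200 -
EOF
    cat > "$d/ssl_error_log" <<'EOF'
[Sun Aug 24 13:26:11.104233 2025] [auth_basic:error] [pid 2211] [client 100.100.200.100:41522] AH01618: user 10131 not found: /evthandler2
[Sun Aug 24 13:26:13.551890 2025] [auth_basic:error] [pid 2211] [client 60.10.100.100:39014] AH01618: user 10087 not found: /fwdupload
EOF
    printf '%s\n' '<unexpected_data_here>' '1:{SHA}FeSgn0J/...' \
        '10003:$6$XFV6G6...' '10004:$6$7uICCe...' > "$d/passwds"
    printf '%s\n' "$d"
}

# Walk the procedure once on the sample data.
demo() {
    d=$(make_sample_dir)
    echo "users receiving 401:";      users_with_401 "$d/ssl_access_log"
    echo "users Apache cannot find:"; auth_users_not_found "$d/ssl_error_log"
    if check_passwds "$d/passwds"; then
        echo "passwds is clean"
    else
        echo "passwds has invalid lines (listed above); cleaning"
        fix_passwds "$d/passwds" && check_passwds "$d/passwds" && echo "passwds fixed"
    fi
    rm -rf "$d"
}

demo
```

The pattern `^[0-9]+:.+$` is deliberately strict: anything that is not a numeric ID followed by a hash is reported, so a stray line anywhere in the file, not only on line 1, is caught. Rewriting the file with `cat > file` instead of moving a temporary file over it keeps the owner and permissions that httpd expects.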

 

If Worker Data EPS suddenly shows 0 in Cloud Health and logs reveal repeated 401 errors, check the /etc/httpd/accounts/passwds file for unexpected modifications. Cleaning the file resolves the issue and restores normal EPS rates.