MoussaRms
New Contributor

Event status showed Critical in FortiSIEM

Hello Everyone,

Please, could you help me find out and fix the problem with the Windows agent in FortiSIEM that is shown as Critical in Event Status, and what does it mean?

I've attached a screenshot of the problem.

MoussaRms

Yes, it was working normally; the event status was green, and when I checked them the last time I got them red with a Critical status.

adem_netsys

Hi Guys @MoussaRms @Richie_C

I have the same problem in a different environment, but I can't use Wireshark or anything like that. Have you been able to solve this problem? Is there any other step that needs to be done?

Richie_C

Hi @adem_netsys - The root cause of the event status being critical is that no incoming logs are seen.

If agent status is running and active, it means that the agent can contact the supervisor successfully to report its health. However, logs are uploaded to the collector specified in the agent template.

 

The main things to check are:

  • A template has been assigned to the agent
  • The correct collector has been specified
  • The agent was installed using an administrator account
  • The relevant logs are available in the Event Viewer of the Windows machine
  • The agent has network connectivity to the collector (assigned from the template).

You mentioned that you cannot use Wireshark, but maybe you could try using tcpdump from the collector to check for incoming connections from the agent. This can be run from the collector CLI.

I hope that helps.

Thanks

Richard

Take a backup before making any changes
adem_netsys

Hi @Richie_C 

Firstly, thanks for your reply. I have already reviewed these steps; 443 is permitted. While logs were taken from these machines before, there was an interruption afterwards, so there was no template change etc. The Windows machine is generating logs; this has also been confirmed. When I looked at the SSL_Access_Log, I saw 401 errors in some of them, which I could not make sense of. I reinstalled the agent in some environments, but this is not a desired method.

Richie_C

Thanks for the feedback @adem_netsys. Do I understand correctly that when you re-install the agent it will work again? Could any host software be blocking outbound connections?

Take a backup before making any changes
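Pulling together Richie_C's root cause (no incoming logs reaching the collector) and the 401 entries adem_netsys saw in the SSL access log, here is an added Python example, not from the thread or from Fortinet, that triages a collector access log per agent IP and labels each agent as uploading fine, being refused with 401, or having gone silent. The access-log layout, the /upload path, the sample lines and the 15-minute silence window are constructed assumptions, not FortiSIEM's documented format or defaults.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
# Assumed line layout (constructed for this example, not a documented FortiSIEM format):
# client_ip - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD /path HTTP/1.1" status bytes
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

# Constructed sample: 10.0.0.11 uploads fine, 10.0.0.12 is now refused with 401
# (the symptom in the thread), 10.0.0.13 stopped sending. /upload is a placeholder path.
SAMPLE_LOG = """\
10.0.0.11 - - [28/Apr/2024:09:58:10 +0000] "POST /upload HTTP/1.1" 200 17
10.0.0.12 - - [28/Apr/2024:08:30:05 +0000] "POST /upload HTTP/1.1" 200 17
10.0.0.13 - - [28/Apr/2024:07:10:00 +0000] "POST /upload HTTP/1.1" 200 17
10.0.0.12 - - [28/Apr/2024:09:55:42 +0000] "POST /upload HTTP/1.1" 401 0
10.0.0.11 - - [28/Apr/2024:09:59:30 +0000] "POST /upload HTTP/1.1" 200 17
10.0.0.12 - - [28/Apr/2024:09:59:50 +0000] "POST /upload HTTP/1.1" 401 0
not an access-log line, skipped by the parser
"""
# Constructed "current time" used when the block is run directly.
NOW = datetime(2024, 4, 28, 10, 0, tzinfo=timezone.utc)

def parse_line(line):
    """Return (ip, timestamp, status) for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["status"])

def triage_agents(log_text, now, silence=timedelta(minutes=15)):
    """Per client IP: status counts, last request time and a verdict: 'ok' (latest upload
    accepted recently), 'auth_rejected' (latest got 401) or 'silent' (nothing in the window)."""
    per_ip = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped rather than aborting the triage
        ip, ts, status = parsed
        rec = per_ip.setdefault(ip, {"counts": Counter(), "last_seen": ts, "last_status": status})
        rec["counts"][status] += 1
        if ts >= rec["last_seen"]:  # log order is not assumed; keep the newest request
            rec["last_seen"], rec["last_status"] = ts, status
    for rec in per_ip.values():
        if now - rec["last_seen"] > silence:
            rec["verdict"] = "silent"  # matches the "no incoming logs" root cause
        else:
            rec["verdict"] = "auth_rejected" if rec["last_status"] == 401 else "ok"
    return per_ip

if __name__ == "__main__":
    for ip, rec in sorted(triage_agents(SAMPLE_LOG, NOW).items()):
        print(f"{ip:12} last={rec['last_seen']:%H:%M:%S} codes={dict(rec['counts'])} -> {rec['verdict']}")
```

An agent that shows "silent" here while its agent status is still running points at the collector path (template, collector address, connectivity), whereas "auth_rejected" means the connection arrives but the collector refuses the upload.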
MoussaRms

I have checked the connection between the collector and supervisor and between the Windows agent and collector; it is working normally.
