FortiSIEM Login Errors
All,
My MSP vendor who uses FortiSIEM rebuilt their collector due to a serious crash this week. One of my FortiGates is currently logging this error: Administrator "FortiSIEM" login failed from ssh(1.1.1.1) because of invalid ssh key; This alert fires off a "Failed Login" alert in my FAZ and is driving me crazy. The collector actually logs in and out just fine; I don't understand why I'm getting this alert.
The only difference between this FortiGate and my other FortiGates is that it's currently running 5.6.6, the rest are 5.6.3. Anyone else seeing this?
My failed login alerts have been disabled due to alert fatigue.
-TFWD
DJ
Admin Network Security
RISQ
Apologies for the delay. Unfortunately, the FortiSIEM is managed by a vendor of ours who was able to resolve the issue(s) with Fortinet Support. I wish I had some details to provide, but I do not.
-TFWD
It's a bit late, but in case anyone else finds this:
I'm willing to bet it's because you have an HA pair and FortiGate devices have the SSH key, not the cluster. So the software connecting to your pair saved the key when one of the devices was master, and now that the other one is master it's freaking out because of the key change.
If so, remove and save the line in your ~/.ssh/known_hosts for the device (search by its IP and/or hostname), reconnect and save the new key, then edit known_hosts and add the old key back in. Now you have two lines, one for each key, so it shouldn't care which is master.
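
The two-line known_hosts layout described in the last reply, as an added example that is not part of the original thread: it adds a second host key for the same address without dropping the first and refuses duplicates. It assumes unhashed known_hosts entries; the function names are hypothetical, and the address and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: trust one key per HA member under a single host entry.
# Assumes unhashed entries (HashKnownHosts no). All sample data is constructed.

# host_keys FILE HOST -> print every "keytype key" pair recorded for HOST
host_keys() {
    awk -v h="$2" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        $1 ~ /^@/      { next }            # skip @cert-authority / @revoked lines
        {
            n = split($1, names, ",")      # first field may list several names
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2, $3; break }
        }' "$1"
}

# add_host_key FILE HOST KEYTYPE KEY -> append unless that exact key is present
# returns 0 when a line was added, 1 when the key was already trusted
add_host_key() {
    if host_keys "$1" "$2" | grep -qxF "$3 $4"; then
        return 1
    fi
    printf '%s %s %s\n' "$2" "$3" "$4" >> "$1"
}

# count_host_keys FILE HOST -> number of distinct lines trusted for HOST
count_host_keys() {
    host_keys "$1" "$2" | wc -l | tr -d ' '
}

# Demo on a throwaway file (constructed address and placeholder key strings).
kh=$(mktemp)
# Key saved while the first cluster member was master:
echo '192.0.2.10 ssh-ed25519 CONSTRUCTEDKEYUNITA' > "$kh"
# Key presented after failover, added alongside instead of replacing:
add_host_key "$kh" 192.0.2.10 ssh-ed25519 CONSTRUCTEDKEYUNITB || true
echo "keys trusted for 192.0.2.10: $(count_host_keys "$kh" 192.0.2.10)"
rm -f "$kh"
```

In real use the key material comes from the saved old line and from `ssh-keyscan` or the reconnect prompt, checked against the fingerprint shown on each cluster member.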