Viewing Collector Health
If your FortiSIEM deployment includes Collectors, you can monitor the status of the Collectors in the ADMIN > Health > Collector Health page. You can also upgrade Collectors from this page. Select a Collector and click Show Processes to see the processes running on that Collector. Click Tunnels to open a Tunnels window to view any open tunnels. If you have upgraded or performed a fresh install of FortiSIEM 6.3.0, you will need to re-configure Tunnels to open them. See Open Tunnel Re-Configuration Required after 6.3.0 or later Upgrade/Fresh Install.
Refer to the 'FortiSIEM Back-End Processes' table below for information about the processes that run on Collectors.
The Action menu provides the operations you can perform on a Collector:
- Start - to start the Collector.
- Stop - to stop the Collector.
- Download Image - to download a Collector image.
- Install Image - to install a Collector image.
- Download Update - to download a Collector image update.
- Install Update - to install a Collector image update.
From the Tunnels window (appears when Tunnels is selected), the following operations are available.
- Close Tunnel - Select a tunnel, and click Close Tunnel to close the tunnel.
- Close All - Click to close all open tunnels.
For information on the table, see Properties associated with Tunnels.
Properties Associated with Collector Health
Collector Property | Description |
---|---|
Organization | Name of the organization to which the Collector belongs. |
Name | Name of the Collector. |
IP Address | IP address of the Collector. |
Status | Status of the Collector as either Up or Down. |
Health | Health of the Collector based on the health of the modules running on it. If Health is Critical, it means that one of the modules is not running on the Collector. |
Up Time | Total time that the Collector has been up. |
Last Status Updated | The time when the collector last reported its status to the cloud. |
Last Event Time | The time when the collector last reported events to the cloud. |
Last File Received | The time when the collector last reported its performance status to the cloud. |
CPU | Overall CPU utilization of the Collector. |
Memory | Overall memory utilization of the Collector. |
Allocated EPS | The number of events per second (EPS) dynamically allocated by the system to this collector. |
Incoming EPS | The EPS that the Collector is currently seeing. |
Upgrade Version | If the Collector has been upgraded, the new version. |
Build Date | Date on which the version of FortiSIEM the Collector is running on was built. |
Install Status | If you upgrade the Collector, the status of the upgrade is shown here as either Success or Failed. |
Download Status | If an image was downloaded to the Collector, the status of the download is shown here as Success or Failed. |
Version | Version of FortiSIEM the Collector is running on. |
FortiSIEM Back-End Processes
Properties Associated with Tunnels
Collector Property | Description |
---|---|
Host IP | The Host IP address of the tunnel. |
Super Port | The supervisor port. |
Protocol | The protocol used by the tunnel. |
Protocol Port | The port used by the protocol. |
Collector | The collector with the open tunnel. |
PID | The Process ID. |
Opened Time | The amount of time the tunnel is open. |
Open Tunnel Re-Configuration Required after 6.3.0 or later Upgrade/Fresh Install
After upgrading to or performing a fresh install of 6.3.0 or later, the "Connect to" feature for a CMDB device via "Open Tunnel" no longer works without a configuration change. When users connect via a tunnel, the tunnel appears to open. However, the Supervisor port displayed for the tunneled connection is not actually open, so users cannot connect either via plugin or directly.
To re-enable this feature, take the following steps:
Edit sshd_config.tunneluser on the Supervisor by changing the entry AllowTcpForwarding to yes.
AllowTcpForwarding yes
Reload the tunnel sshd configuration using the following command:
kill -HUP $(pgrep -f sshd_config.tunneluser)
If you opened tunnels after the upgrade but before making the above change, click the Close All button on the ADMIN > Health > Collector Health > Tunnels page.
This fix was done to address bug 602294: CVE-2004-1653 SSH port forwarding exposes unprotected internal services.
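The following check is an added example, not Fortinet code: it reads an sshd-style configuration file and reports the global AllowTcpForwarding value, so you can confirm the edit before sending the HUP signal. The function names and the sample file contents are constructed for illustration; pass the path of sshd_config.tunneluser on your Supervisor as the argument.

```shell
#!/bin/sh
# Added example (not Fortinet code): verify the AllowTcpForwarding edit
# in an sshd-style config file such as sshd_config.tunneluser.

# Print the first global AllowTcpForwarding value (lowercased), or "unset".
# sshd uses the first value it obtains for a keyword and treats keywords
# case-insensitively; entries after a Match line are conditional, so stop there.
effective_forwarding() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                 # END still runs and prints "unset"
        key == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when forwarding is explicitly "yes", as the procedure requires.
tunnel_forwarding_ready() {
    value=$(effective_forwarding "$1") || return 2
    case "$value" in
        yes)   echo "OK: AllowTcpForwarding yes"; return 0 ;;
        unset) echo "CHECK: no global AllowTcpForwarding entry in $1"; return 1 ;;
        *)     echo "BLOCKED: AllowTcpForwarding $value (tunnels appear open but do not connect)"
               return 1 ;;
    esac
}

# Constructed sample files: one before the edit, one after it with a stale
# duplicate entry left lower down (the first entry is the one that counts).
demo_dir=$(mktemp -d)
printf '# constructed sample\nLogLevel INFO\nAllowTcpForwarding no\n' > "$demo_dir/before"
printf '# constructed sample\nAllowTcpForwarding yes\nAllowTcpForwarding no\n' > "$demo_dir/after"
tunnel_forwarding_ready "$demo_dir/before" || true
tunnel_forwarding_ready "$demo_dir/after"
rm -rf "$demo_dir"
```

A duplicate entry placed above the one you edited would still take precedence, which is why the check reports the first value rather than searching for any line that says yes.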