Viewing Collector Health

If your FortiSIEM deployment includes Collectors, you can monitor the status of the Collectors in the ADMIN > Health > Collector Health page. You can also upgrade Collectors from this page. Select a Collector and click Show Processes to see the processes running on that Collector. Click Tunnels to open a Tunnels window to view any open tunnels. If you have upgraded or performed a fresh install of FortiSIEM 6.3.0, you will need to re-configure Tunnels to open them. See Open Tunnel Re-Configuration Required after 6.3.0 or later Upgrade/Fresh Install.

Refer to the 'FortiSIEM Back-End Processes' table below for information about the processes that run on Collectors. 

The Action menu provides the operations you can perform on a Collector:

  • Start - to start the Collector.
  • Stop - to stop the Collector.
  • Download Image - to download a Collector image.
  • Install Image - to install a Collector image.
  • Download Update - to download a Collector image update.
  • Install Update - to install a Collector image update.

From the Tunnels window (which appears when Tunnels is selected), the following operations are available:

  • Close Tunnel - Select a tunnel, and click Close Tunnel to close it.
  • Close All - Click to close all open tunnels.

For a description of each column in the Tunnels window, see Properties Associated with Tunnels.

Properties Associated with Collector Health

  • Organization - Name of the organization to which the Collector belongs.
  • Name - Name of the Collector.
  • IP Address - IP address of the Collector.
  • Status - Status of the Collector, either Up or Down.
  • Health - Health of the Collector based on the health of the modules running on it. If Health is Critical, one of the modules is not running on the Collector.
  • Up Time - Total time that the Collector has been up.
  • Last Status Updated - The time when the Collector last reported its status to the cloud.
  • Last Event Time - The time when the Collector last reported events to the cloud.
  • Last File Received - The time when the Collector last reported its performance status to the cloud.
  • CPU - Overall CPU utilization of the Collector.
  • Memory - Overall memory utilization of the Collector.
  • Allocated EPS - The number of events per second (EPS) dynamically allocated by the system to this Collector.
  • Incoming EPS - The EPS that the Collector is currently seeing.
  • Upgrade Version - If the Collector has been upgraded, the new version.
  • Build Date - Date on which the version of FortiSIEM the Collector is running was built.
  • Install Status - If you upgrade the Collector, the status of the upgrade is shown here as either Success or Failed.
  • Download Status - If an image was downloaded to the Collector, the status of the download is shown here as Success or Failed.
  • Version - Version of FortiSIEM the Collector is running.

FortiSIEM Back-End Processes

Each process is listed with its function and the node types (Supervisor, Worker, Collector) on which it runs.

  • phAgentManager - Execute event pulling job. Used by: Supervisor, Worker, Collector.
  • phCheckpoint - Execute checkpoint monitoring. Used by: Supervisor, Worker, Collector.
  • phDiscover - Pulling basic data from target. Used by: Supervisor, Collector.
  • phEventForwarder - Responsible for forwarding events and incidents from FortiSIEM to external systems. Used by: Supervisor, Worker, Collector.
  • phEventPackage - Uploading event/SVN file to Supervisor/Worker. Used by: Collector.
  • phMonitorAgent - Monitoring other processes. Used by: Supervisor, Worker, Collector.
  • phParser - Parsing event to shared store (SS). Used by: Supervisor, Worker, Collector.
  • phPerfMonitor - Execute performance job. Used by: Supervisor, Worker, Collector.
  • rsyslogd - Responsible for forwarding locally generated logs to FortiSIEM. Used by: Supervisor, Worker, Collector.

Properties Associated with Tunnels

  • Host IP - The host IP address of the tunnel.
  • Super Port - The Supervisor port.
  • Protocol - The protocol used by the tunnel.
  • Protocol Port - The port used by the protocol.
  • Collector - The Collector with the open tunnel.
  • PID - The process ID.
  • Opened Time - The amount of time the tunnel has been open.

Open Tunnel Re-Configuration Required after 6.3.0 or later Upgrade/Fresh Install

After upgrading to or doing a fresh install of 6.3.0 or later, the "Connect to" a CMDB device via 'Open Tunnel' feature will no longer work without a configuration change. When users connect via a tunnel, the tunnel will appear to be open. However, the displayed Supervisor port on which the tunneled connection is running is actually not open, so users will not be able to connect either via plugin or directly.

To re-enable this feature, take the following steps:

Edit sshd_config.tunneluser on the Supervisor by changing the AllowTcpForwarding entry to yes:

AllowTcpForwarding yes

Reload the tunnel sshd configuration using the following command:

kill -HUP $(pgrep -f sshd_config.tunneluser)

If you opened any tunnels after the upgrade but before making the above change, click Close All on the ADMIN > Health > Collector Health > Tunnels page.
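The steps above as one script, added here as an example and not FortiSIEM's own tooling: it rewrites the tunnel sshd config so it carries exactly one active AllowTcpForwarding yes line (whether the directive was missing, commented out, set to no, or duplicated), syntax-checks the result, and then sends the same HUP the page describes. The directory of sshd_config.tunneluser and the TUNNEL_SSHD_CONF override are assumptions.

```shell
#!/bin/sh
# Added example (not FortiSIEM code): apply the AllowTcpForwarding change
# to the tunnel sshd config and reload it, as in the steps above.
# The directory of sshd_config.tunneluser is an assumption; override it
# with TUNNEL_SSHD_CONF if it lives elsewhere on your Supervisor.
CONF="${TUNNEL_SSHD_CONF:-/etc/ssh/sshd_config.tunneluser}"

# Rewrite $1 so it contains exactly one "AllowTcpForwarding yes" line.
# Every existing AllowTcpForwarding line (active, commented, or a
# duplicate) is dropped, and the new directive is placed at the top so it
# sits outside any Match block. Idempotent; writes in place to keep the
# file's owner and mode.
set_allow_tcp_forwarding() {
  conf="$1"
  [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 1; }
  tmp="$conf.tmp.$$"
  {
    printf 'AllowTcpForwarding yes\n'
    awk 'tolower($0) !~ /^[[:space:]]*#?[[:space:]]*allowtcpforwarding[[:space:]]/' "$conf"
  } > "$tmp" || return 1
  cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Succeeds only if an active "AllowTcpForwarding yes" line is present.
allow_tcp_forwarding_is_yes() {
  grep -i -E '^[[:space:]]*AllowTcpForwarding[[:space:]]+yes[[:space:]]*$' "$1" >/dev/null
}

# Reload the tunnel sshd the way the page's command does: HUP the sshd
# whose command line names sshd_config.tunneluser.
reload_tunnel_sshd() {
  pids=$(pgrep -f sshd_config.tunneluser) || { echo "tunnel sshd not running" >&2; return 1; }
  kill -HUP $pids
}

# Full procedure; run as root with --apply.
apply_fix() {
  set_allow_tcp_forwarding "$CONF" || return 1
  allow_tcp_forwarding_is_yes "$CONF" || return 1
  # Syntax-check before signalling the daemon (sshd -t needs root to read host keys).
  if command -v sshd >/dev/null 2>&1; then sshd -t -f "$CONF" || return 1; fi
  reload_tunnel_sshd || return 1
  echo "Reloaded. Close tunnels opened before this change: ADMIN > Health > Collector Health > Tunnels > Close All."
}

if [ "${1:-}" = "--apply" ]; then apply_fix; fi
```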

This change was made to address bug 602294 (CVE-2004-1653: SSH port forwarding exposes unprotected internal services).